The 12-Point Cybersecurity Checklist Every Connecticut Small Business Needs in 2026
You don't need an enterprise SOC. You need 12 basics done well. Here's the cybersecurity checklist we use with every CT small business client.
Cybersecurity advice for small business is almost always wrong in one of two ways: it's either Fortune-500 overkill (you don't need a Security Operations Center) or vague platitudes ("use strong passwords!"). The truth is in the middle — 12 specific basics, done consistently, stop ~95% of attacks aimed at Connecticut small businesses.
This is the same checklist we use with managed clients. Use it as a self-audit, then call us if you want help closing the gaps. The full managed program is on our Managed IT Services in Connecticut page.
The 12-point checklist
1. Multi-factor authentication (MFA) on every account that has it
Email, banking, payroll, Microsoft 365, QuickBooks Online, your domain registrar. Use an authenticator app, not SMS, where possible. This single control blocks the vast majority of account takeovers.
2. A real password manager, used by everyone
Bitwarden, 1Password, or Keeper. The "sticky note under the keyboard" era ends today. The manager generates unique passwords per site — so one breached vendor doesn't compromise everything else.
3. Automated, tested, off-site backups
"Automated" means it runs without anyone clicking. "Tested" means you actually restored a file in the last 30 days. "Off-site" means a copy lives somewhere ransomware can't reach (immutable cloud storage, not a USB drive on the same network).
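One way to make the "tested" part routine, as an added example that is not from the article: a PowerShell check that fails if the backup's newest file is stale, then restores one randomly chosen file from the backup copy to a scratch folder and proves it matches the live file by SHA-256 hash. The paths and the 24-hour freshness window are placeholders for your own environment.

```powershell
# Added example (not the article's own script): a "tested backup" restore check.
# Assumes the backup is browsable as a file tree (e.g. a mounted immutable-storage
# snapshot); $SourceRoot and $BackupRoot are placeholders.
param(
    [string] $SourceRoot  = "D:\Shared",                # live data (placeholder)
    [string] $BackupRoot  = "\\backup-target\Shared",   # backup copy (placeholder)
    [string] $ScratchDir  = "$env:TEMP\restore-test",
    [int]    $MaxAgeHours = 24
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $ScratchDir -Force | Out-Null

# Freshness: the most recent file in the backup must be newer than the cutoff,
# otherwise "automated" has silently stopped running.
$newest = Get-ChildItem -Path $BackupRoot -Recurse -File |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
if (-not $newest -or $newest.LastWriteTime -lt $cutoff) {
    throw "FAIL: backup is stale (newest file: $($newest.LastWriteTime))"
}

# Restore test: pick a random live file, pull its counterpart out of the backup,
# and compare hashes. A restore that "succeeds" with a different hash still fails.
$sample   = Get-ChildItem -Path $SourceRoot -Recurse -File | Get-Random
$relative = $sample.FullName.Substring($SourceRoot.TrimEnd('\').Length + 1)
$restored = Join-Path $ScratchDir $sample.Name
Copy-Item -Path (Join-Path $BackupRoot $relative) -Destination $restored -Force

$liveHash     = (Get-FileHash -Algorithm SHA256 -Path $sample.FullName).Hash
$restoredHash = (Get-FileHash -Algorithm SHA256 -Path $restored).Hash
if ($liveHash -ne $restoredHash) {
    throw "FAIL: restored copy of $relative does not match the live file"
}

# Evidence line for the 30-day test record; insurers and auditors ask for these.
"$(Get-Date -Format o) PASS restore test: $relative SHA256=$liveHash" |
    Add-Content -Path (Join-Path $ScratchDir "restore-test-log.txt")
Remove-Item -Path $restored -Force
"PASS: $relative restored and verified"
```

A hash mismatch can also mean the live file was edited after the last backup run, so re-run against a file that has not changed today before treating it as a real failure.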
4. Endpoint protection (EDR), not just antivirus
Modern EDR tools detect behavior (ransomware encrypting files, credential theft) — not just known virus signatures. Microsoft Defender for Business, SentinelOne, and Huntress are common CT small-business picks.
5. Patching on a schedule
Windows updates within 14 days. Third-party apps (Chrome, Edge, Adobe, Zoom) within 30. Firmware on firewalls and switches quarterly. Most breaches exploit a patch that was available but not applied.
6. Email filtering above the Microsoft 365 default
Phishing is the #1 way CT small businesses get breached. Add a layer like Microsoft Defender for Office 365 (P1) or a third-party filter. Pair it with banner warnings on external emails.
7. Separated admin accounts
Nobody's daily-use account should be a domain admin or M365 global admin. Create a separate elevated account used only when needed. This limits the blast radius if a regular account is phished.
8. A documented offboarding process
When someone leaves: disable accounts within 1 hour, revoke MFA tokens, reset shared passwords, recover the laptop, change Wi-Fi password if they had it. Write it down so it happens the same way every time.
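The Microsoft 365 half of that offboarding list, written down as a script so it runs the same way every time. This is an added example, not the article's own procedure; it assumes the Microsoft Graph PowerShell SDK is installed and that the operator signs in with a separate admin account (item 7). The user principal name and log path are placeholders.

```powershell
# Added example (not from the article): disable a departing user's M365 account,
# kill existing sessions, remove registered MFA methods, and log each step.
# Assumes the Microsoft.Graph module; $UserPrincipalName is a placeholder.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. jdoe@example.com (placeholder)
    [string] $LogPath = ".\offboarding-log.txt"
)

$ErrorActionPreference = "Stop"
Connect-MgGraph -Scopes "User.ReadWrite.All","UserAuthenticationMethod.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName,AccountEnabled
$log  = @()
function Note($msg) { $script:log += "$(Get-Date -Format o) $msg" }

# 1. Disable sign-in first so nothing below races against an active session.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Note "Disabled account $($user.UserPrincipalName)"

# 2. Revoke refresh tokens so open Outlook/Teams sessions stop working.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Note "Revoked sign-in sessions"

# 3. Remove registered MFA methods (authenticator app, phone) so the registration
#    cannot be reused if the account is ever re-enabled by mistake.
Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id | ForEach-Object {
    Remove-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $user.Id `
        -MicrosoftAuthenticatorAuthenticationMethodId $_.Id
    Note "Removed authenticator method $($_.Id)"
}
Get-MgUserAuthenticationPhoneMethod -UserId $user.Id | ForEach-Object {
    Remove-MgUserAuthenticationPhoneMethod -UserId $user.Id -PhoneAuthenticationMethodId $_.Id
    Note "Removed phone method $($_.Id)"
}

# 4. The remaining checklist steps are manual; record them on the same log so the
#    offboarding record shows they were done.
Note "MANUAL: reset shared passwords; recover laptop; rotate Wi-Fi password if known"
$log | Add-Content -Path $LogPath
$log
```

Run it as the first step of the "within 1 hour" window; the manual items at the end are the ones that most often get skipped, which is why they are written into the log.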
9. Annual security awareness training (and quarterly phishing tests)
Most cyber insurance carriers now require this. KnowBe4, Hook Security, or Curricula. The training matters less than the consistent reinforcement — a quarterly fake phishing email teaches more than a one-hour video.
10. Network segmentation (especially guest Wi-Fi)
Customer/guest Wi-Fi must be on a separate VLAN from business systems. If you have IoT (cameras, smart thermostats, POS), they go on their own segment too. A compromised smart TV shouldn't reach your accounting server.
11. Cyber insurance with current attestations
If you have a policy, re-read it. Most renewals in 2025–2026 require you to attest to MFA, EDR, backups, and training. Lying on the questionnaire voids your coverage when you need it most.
12. An incident response plan (1 page is fine)
Who do you call first? Who notifies clients? Where's the backup? What's the cyber insurance claim number? A single laminated card in the manager's desk beats a 40-page binder no one reads.
Connecticut data breach law: the part nobody mentions
Connecticut General Statutes § 36a-701b requires notice "without unreasonable delay" — and within 60 days — if personal information of CT residents is compromised. That includes names plus SSNs, driver's license numbers, financial account numbers, medical info, or biometrics. The AG's office also gets notified.
Translation: if you handle customer data and get breached, you have a legal clock running. Items #3 (backups) and #12 (IR plan) directly determine whether you meet that deadline gracefully or in panic mode.
What this looks like on a managed plan
If you're already on a managed IT plan, items 1, 3, 4, 5, 6, 7, and 10 should be handled for you — ask your provider for evidence on each. Items 2, 8, 9, 11, and 12 are partnerships: we configure and document, you enforce with your team.
If you're handling this yourself and items 1–5 aren't all "yes," that's where to start this week. For a comparison of doing it yourself vs. outsourcing, read Managed IT vs. Hourly Support in CT.
Want us to run through this checklist on your business — no charge, no pitch? Reach out via the contact page and we'll book 30 minutes.
Need help with this in your business?
Paul Berg, The Tech Doctor — friendly, low-pressure technology help across Connecticut.
