I’m going to ask you some questions. They’re not comfortable. But answer them honestly, because criminals already know the answers — they’re just waiting for you to keep ignoring them.

When was the last time you checked who still has access to your business email?

Do you know if your ex-employee’s laptop still has your files on it?

Could someone walk into your office right now and plug a laptop into your network?

If you hesitated on any of those, this post is for you.

Why Security Audits Get Ignored

Let’s be honest — nobody wakes up excited to do a security audit. It’s not fun. It doesn’t directly make money. And for a small business owner already wearing every hat, it’s the thing that gets pushed to next month every single month.

The problem is that “never” is how breaches happen. Not dramatic Hollywood hacking. Just someone reusing a password that leaked in a data breach three years ago, clicking a link in an email dressed up as a voicemail notification, or walking away from a computer that doesn’t lock.

Small businesses are the perfect target. You’ve got valuable data — customer details, bank access, supplier accounts — but you probably don’t have the security guardrails that a larger company has. Hackers know this.

The Audit — What to Check Right Now

Do all of these. Today, not tomorrow.

1. Who Has Access to What?

This is the big one.

  • List every system your business uses. Email, accounting software, bank accounts, social media, file storage, your website, Point of Sale system — everything.
  • For each system, list who has a login. Not just current employees. Former employees too.
  • Remove anyone who shouldn’t have access. If “Jake from three years ago” still has admin access to your accounting software, that’s a problem.

Don’t forget:

  • Shared Wi-Fi passwords (especially in hospitality/retail)
  • Master accounts (the generic “admin” or “office” login everyone uses)
  • Third-party access (your accountant, your web developer, your MSP)

If you don’t have a list, that’s problem one. Make the list. Fix it as you go.
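As an added example (not from the original post), here is a small Python reconciler for the step-1 review: it takes a login inventory and the current staff roster and flags former employees, shared logins, unapproved third parties and accounts nobody has used in 90+ days. The `Login` class, the 90-day threshold and the sample names are assumptions, and the inventory is constructed, not real accounts.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

STALE_DAYS = 90  # assumption: a login unused for 90+ days deserves a second look


@dataclass
class Login:
    system: str
    username: str
    owner: str                    # person or organisation the login belongs to
    kind: str                     # "staff", "shared" or "third-party"
    is_admin: bool
    last_signin: Optional[date]   # None: the system has no record of a sign-in


def review_access(logins, current_staff, approved_third_parties, today):
    """Return (system, username, finding) tuples; admin accounts come first."""
    findings = []
    for login in logins:
        problems = []
        if login.kind == "staff" and login.owner not in current_staff:
            problems.append("former employee still has access: remove now")
        elif login.kind == "shared":
            problems.append("shared account: give each person their own login")
        elif login.kind == "third-party" and login.owner not in approved_third_parties:
            problems.append("third-party access nobody approved: confirm or remove")
        if login.last_signin is None or (today - login.last_signin).days > STALE_DAYS:
            problems.append(f"no sign-in in {STALE_DAYS} days: confirm it is still needed")
        for problem in problems:
            tag = "ADMIN " if login.is_admin else ""
            findings.append((login.system, login.username, tag + problem))
    # Admin findings first, then by system and username, so the worst is on top.
    findings.sort(key=lambda f: (not f[2].startswith("ADMIN"), f[0], f[1]))
    return findings


# Constructed sample inventory for the walk-through (not real accounts).
SAMPLE_LOGINS = [
    Login("email", "jake@example.com", "Jake", "staff", True, date(2023, 1, 10)),
    Login("accounting", "office", "Office", "shared", True, date(2025, 1, 5)),
    Login("bank", "sam@example.com", "Sam", "staff", False, date(2025, 1, 6)),
    Login("website", "webdev", "Acme Web", "third-party", True, date(2024, 6, 1)),
    Login("accounting", "priya@example.com", "Priya", "staff", False, None),
]
CURRENT_STAFF = {"Sam", "Priya"}
APPROVED_THIRD_PARTIES = {"Acme Web"}
AUDIT_DATE = date(2025, 1, 7)

if __name__ == "__main__":
    for system, user, finding in review_access(SAMPLE_LOGINS, CURRENT_STAFF, APPROVED_THIRD_PARTIES, AUDIT_DATE):
        print(f"[{system}] {user}: {finding}")
```

Swap the constructed inventory for the list you built above and re-run it every quarter; the findings are the accounts to remove or justify.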

2. Passwords — Get Serious

I know. Everyone hates this topic. But it’s still the number one way businesses get compromised.

  • Are you reusing passwords? If your QuickBooks password is the same as your email password, and your email gets breached, the attacker now owns your finances.
  • Are you sharing passwords? Shared Gmail inboxes, shared logins to the bank — these are common in small business. They’re also a nightmare when something goes wrong and you can’t tell who did what.
  • Get a password manager. Bitwarden is free for a single user and has a cheap team plan. 1Password is another option. Either is better than the spreadsheet on Karen’s desktop called “logins.xlsx”.
  • Prefer authenticator apps over SMS codes for MFA – SMS can be intercepted via SIM swapping. An authenticator app (like Microsoft Authenticator or Google Authenticator) is stronger protection.

The goal: every person has their own login. Every system has a unique password. Nobody’s writing passwords on a Post-it note stuck to their monitor. (You know who you are.)

3. Multi-Factor Authentication — Turn It On

If you only do one thing from this entire post, make it this.

Turn on multi-factor authentication (MFA) on:

  • Email (M365, Gmail — whichever you use)
  • Online banking
  • Accounting software
  • Cloud storage (OneDrive, Google Drive, Dropbox)
  • Social media accounts
  • Anything with customer data

MFA means even if someone gets your password, they still can’t log in without approving it on your phone. It blocks the vast majority of automated attacks.

Microsoft 365 makes this relatively straightforward — we covered MFA setup in a previous post. Email me if you need help.

4. Backups — Test Them

We covered backups in a previous post, so I won’t rehash the whole thing. But the audit question is simple: When did you last test a restore?

If the answer is “never” or “I don’t remember,” your backups might not actually work. Backups that you haven’t tested are just hope with extra steps.

Pick a file from three months ago. Restore it. Confirm it works. Do the same thing next month. Build it into your routine.

Make sure at least one backup is offline or protected from deletion – ransomware that gets into your network can also wipe cloud backups.

5. Devices — What’s Connected?

Walk around your office. Count every device that connects to your network — computers, printers, phones, tablets, that random Raspberry Pi someone installed for a project two years ago.

Ask yourself:

  • Are they all running current software? (Windows Updates, macOS updates, firmware on the router)
  • Do they all have passwords/PINs?
  • Do they lock automatically after a few minutes of inactivity?
  • Are they encrypted? (BitLocker on Windows, FileVault on Mac)
  • Is security software active on all devices? (Microsoft Defender is free and built into Windows)

That old Windows 10 machine in the back office that “still works fine”? It’s a liability. If it’s running an unsupported operating system, it has known vulnerabilities that will never be patched. Replace it or isolate it from the network.

6. Physical Security — The Forgotten Layer

You can have the best passwords in the world, but if someone can walk into your server room, none of it matters.

  • Is your server cupboard locked?
  • Do you have a guest Wi-Fi network separate from your business machines?
  • What happens when a stranger walks in and says “I’m here to fix the printer”? (Social engineering is real — verify, don’t just trust)

This sounds paranoid until the day it isn’t.

How to Make It a Habit

Don’t try to fix everything in one day. Prioritise:

  1. This week: Access audit and MFA everywhere. These are the highest-impact fixes.
  2. This month: Passwords sorted, backups tested, device inventory done.
  3. Ongoing: Quarterly review. Every three months, run through the checklist again. New employees, new devices, new software — things change.

The goal isn’t perfection. It’s raising the bar high enough that automated attacks move on to an easier target.

The Bottom Line

You don’t need a $50,000 security consultant or enterprise-grade tools. You need to spend a few hours going through a checklist and fixing the obvious stuff. Most small business breaches come from the same handful of basic failures — old passwords, no MFA, ex-employees who still have access, unpatched machines.

Fix the basics. You’ll be ahead of 80% of small businesses overnight.


Want a printable security audit checklist you can work through with timestamps and sign-off fields? I’ve put together a full template on Patreon — covering every point above with checkboxes, priority ratings, and quarterly review trackers. Grab it here.