The Cybersecurity Checklist for Organizations Under 20 People
Let me save you from the cybersecurity industry’s favorite sales tactic: fear.
Every week, some vendor publishes a report about how small businesses are “the #1 target” for cyberattacks, followed by a pitch for their $500/month security platform. The reports aren’t wrong — small organizations are targeted, precisely because they’re less protected. But the solution isn’t panic-buying enterprise security tools you can’t afford and won’t use.
The solution is doing the basics well.
I’ve worked in IT long enough to know that most breaches at small organizations aren’t sophisticated nation-state attacks. They’re someone clicking a phishing link. They’re a reused password from a 2019 data breach. They’re a laptop with no lock screen left at a coffee shop.
Here’s your checklist. Seven items. Each one rated by difficulty and impact. Do the first three and you’re already ahead of 80% of organizations your size.
1. MFA on Everything
Difficulty: Easy | Impact: Critical
Multi-factor authentication means that even when someone steals your password — not if, when — they still can’t get in without a second verification.
Turn it on for:
– Email (Microsoft 365, Google Workspace — this is the #1 priority)
– Banking and financial accounts
– Cloud apps (QuickBooks, Salesforce, your CRM, your donor platform)
– Social media accounts (yes, really)
– Any admin or IT account
How to do it: Go to each account’s security settings. Look for “Two-Factor Authentication” or “Multi-Factor Authentication.” Enable it. Use an authenticator app (Microsoft Authenticator or Google Authenticator) instead of SMS when possible — text messages can be intercepted.
Time to implement: 30 minutes per account. One afternoon for your whole organization.
The excuse I hear: “It’s annoying to enter a code every time.”
The reality: It takes six seconds. A ransomware recovery takes six weeks.
2. Password Manager
Difficulty: Easy | Impact: High
If your team is reusing passwords — and statistically, they are — you have a problem. The average person reuses passwords across 5-7 accounts. When one gets breached (and breaches happen constantly), attackers try those credentials everywhere else.
A password manager generates unique, complex passwords for every account and remembers them so your team doesn’t have to.
Our recommendation: Bitwarden. It’s open-source, it’s been independently audited, and it’s free for individuals. The business plan is $4/user/month — cheaper than a single incident response call.
How to deploy it:
1. Sign up for Bitwarden (free tier works for getting started)
2. Install the browser extension on every work computer
3. Have each team member import their saved Chrome/Edge passwords
4. Start generating new passwords for each account going forward
The goal: No one on your team should know any of their passwords. If they can recite it from memory, it’s not strong enough.
3. Endpoint Protection
Difficulty: Easy | Impact: High
Good news: if you’re running Windows 10 or 11, you already have solid antivirus built in.
Windows Defender is actually good now. This isn’t the Windows Defender of 2012. Microsoft has poured resources into it, and independent testing labs (AV-TEST, AV-Comparatives) consistently rate it alongside paid solutions. It runs in the background, updates automatically with Windows Update, and doesn’t nag you to buy a premium version.
What to check:
– Windows Security is turned on (search “Windows Security” in Start menu)
– Real-time protection is enabled
– Virus definitions are up to date (should be automatic)
– Tamper protection is on (prevents malware from disabling Defender)
For Macs: macOS has built-in protection (XProtect, Gatekeeper). It’s decent. If you want extra coverage, Malwarebytes has a solid free scanner.
When you might need more: If you’re handling sensitive data (healthcare, financial, legal), consider a managed endpoint solution like Microsoft Defender for Business ($3/user/month). It adds centralized monitoring so your IT person can see threats across all devices.
But for most organizations under 20 people? Windows Defender, kept updated, is enough.
4. Email Security (SPF/DKIM/DMARC)
Difficulty: Medium | Impact: High
This one sounds technical, but here’s what it actually means: you need to prove to the internet that emails from your domain are actually from you.
Without email authentication, anyone can send emails that look like they come from your domain. Your board chair could receive a convincing email from “director@yournonprofit.org” asking for a wire transfer — and it wasn’t actually from your director.
Three acronyms, three jobs:
- SPF (Sender Policy Framework): A DNS record that says “only these servers are allowed to send email for our domain.” If you use Microsoft 365, your SPF record should list Microsoft’s servers.
- DKIM (DomainKeys Identified Mail): A digital signature on your emails that proves they haven’t been tampered with in transit.
- DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do when an email fails SPF or DKIM checks. Start with “monitor” mode (p=none) so you can see what’s happening, then move to “quarantine” or “reject.”
How to check your current setup:
Go to mxtoolbox.com and search your domain. It’ll tell you what’s missing.
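To make the SPF and DMARC records concrete, here is an added example (not part of the original post) that reads the two TXT records and flags the weak settings described above: a missing or permissive “all” term, too many DNS lookups, and a DMARC policy still sitting in p=none. The two sample records are constructed for an assumed Microsoft 365 tenant; in practice you would paste in what mxtoolbox.com (or `dig TXT _dmarc.yourdomain.org`) shows you.

```python
"""Sanity-check SPF and DMARC TXT records for a small organization's domain.
Added example; the sample records below are constructed, not fetched from DNS."""
import re

# Constructed samples for an assumed Microsoft 365 tenant: SPF is fine, DMARC is still monitor-only.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.org"

# SPF mechanisms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include:|exists:|redirect=|a(?=$|[:/])|mx(?=$|[:/]))", re.I)


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means it looks sound."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published: anyone can send as your domain"]
    findings = []
    terms = record.split()[1:]
    # The 'all' term decides what receivers do with servers you did not list.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' term: unlisted senders get no verdict")
    elif all_term.lower() in ("all", "+all", "?all"):
        findings.append("'+all' or '?all' lets any server on the internet send as your domain")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record, following the none -> quarantine -> reject path."""
    tags = parse_dmarc(record or "")
    if tags.get("v") != "DMARC1":
        return ["no DMARC record published: SPF/DKIM failures are ignored"]
    findings = []
    if tags.get("p", "").lower() == "none":
        findings.append("p=none is monitor mode: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings
```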
Who should set this up:
This is a “call your IT person” task. If you’re on Microsoft 365 or Google Workspace, your provider can help. If you don’t have an IT person — well, that’s what we do.
5. Backup Strategy (The 3-2-1 Rule)
Difficulty: Medium | Impact: Critical
The 3-2-1 rule has been around for decades because it works:
- 3 copies of your data
- 2 different types of storage
- 1 copy offsite
Here’s what that looks like in practice for a small organization:
| Copy | Where | Example |
|---|---|---|
| Original | Your computer/server | Day-to-day files |
| Copy 1 | External drive or NAS | Automated nightly backup |
| Copy 2 | Cloud backup | Backblaze ($7/month), or OneDrive/Google Drive sync |
If you use Microsoft 365 or Google Workspace: Your email and cloud documents are already partially backed up by your provider. But “partially” isn’t “fully.” Microsoft’s shared responsibility model explicitly says you are responsible for your data. Consider a third-party backup like Backupify or Spanning.
The thing people forget: Test your backups. A backup you’ve never restored from is a hope, not a strategy. Once a quarter, pick a random file and restore it. Make sure it actually works.
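The quarterly restore test can be scripted. This added example (not from the original post) hashes a random sample of files from the live folder and compares each with its copy in the backup location, reporting ok, missing or mismatch. The demo folders and files are constructed in a temporary directory, with one backup copy deliberately corrupted so the check has something to catch.

```python
"""Spot-check that backup copies match the live files. Added example;
the demo data is constructed in a temp directory, not real organization files."""
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(source, backup, sample_size=3, seed=None):
    """Compare a random sample of files under source with their copies under backup.
    Returns {relative_path: "ok" | "missing" | "mismatch"}."""
    source, backup = Path(source), Path(backup)
    files = sorted(p.relative_to(source) for p in source.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    results = {}
    for rel in sample:
        copy = backup / rel
        if not copy.is_file():
            results[str(rel)] = "missing"
        elif sha256_of(copy) != sha256_of(source / rel):
            results[str(rel)] = "mismatch"
        else:
            results[str(rel)] = "ok"
    return results


def demo():
    """Constructed live/backup pair where one backup copy was silently corrupted."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "live", root / "backup"
    src.mkdir()
    bak.mkdir()
    for name in ("budget.xlsx", "donors.csv", "minutes.docx"):
        (src / name).write_bytes(b"contents of " + name.encode())
        (bak / name).write_bytes(b"contents of " + name.encode())
    (bak / "donors.csv").write_bytes(b"truncated")  # the bad copy a restore test should catch
    return verify_backup(src, bak, sample_size=3, seed=1)
```

Point the two paths at your real live folder and external drive or NAS mount, and treat any missing or mismatch line as a backup that would not have saved you.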
Ransomware context: Ransomware encrypts your files and demands payment. If you have clean, recent backups that the ransomware can’t reach (offline or immutable cloud), you can tell the attackers to pound sand. Without backups, you’re writing a check.
6. Employee Training
Difficulty: Medium | Impact: Critical
Here’s the uncomfortable truth: phishing is the #1 attack vector for small organizations. Not zero-day exploits. Not sophisticated hacking. Someone clicking a bad link in a convincing email.
And the emails are getting better. AI-generated phishing emails don’t have the spelling errors and awkward grammar that used to give them away. They look legitimate. They reference real projects. They create urgency.
What basic training looks like:
- Quarterly 15-minute refreshers — not annual compliance theater
- Phishing recognition: Check the sender’s actual email address (not just the display name). Hover over links before clicking. When in doubt, go directly to the website instead of clicking the link.
- Reporting culture: Make it safe to say “I clicked something I shouldn’t have.” Speed of reporting is everything. The difference between “we caught it in 10 minutes” and “it spread for 3 days” is the difference between a bad afternoon and a catastrophe.
- Wire transfer verification: Any request to change payment details or send money gets verified by phone call to a known number. Not by replying to the email. Not by calling the number in the email. By calling the number you already have on file.
Free resources:
– KnowBe4 has a free phishing test tool
– Google’s Phishing Quiz (phishingquiz.withgoogle.com) is a good team exercise
– CISA (cisa.gov) publishes free training materials
The culture shift: Security isn’t the IT person’s job. It’s everyone’s job. The receptionist who catches a phishing email is just as important as the firewall.
7. Incident Response Plan
Difficulty: Hard | Impact: High
“Hard” doesn’t mean complicated. It means most organizations skip this one entirely, and then scramble when something happens.
Your incident response plan doesn’t need to be a 50-page document. For an organization under 20 people, it can fit on one page.
Answer these questions and write them down:
- Who do we call first? (IT provider, insurance company, legal counsel)
- What’s the phone number? (Not the email — if email is compromised, email is useless)
- Who has authority to disconnect systems? (Don’t wait for a committee vote while ransomware spreads)
- Where are our backups and how do we access them?
- Who communicates to staff, clients, and the public?
- Do we have cyber insurance? (If not, look into it — policies start around $500/year for small organizations)
Print it out. Put it on the wall next to the fire extinguisher. When something happens, people don’t think clearly. A printed checklist on the wall beats a PDF buried in SharePoint.
The one drill: Once a year, ask the question: “What if we walked in Monday morning and every computer was encrypted?” Walk through your plan. See where the gaps are. Fix them.
The Scorecard
| # | Item | Difficulty | Impact | You Did It? |
|---|---|---|---|---|
| 1 | MFA on everything | Easy | Critical | [ ] |
| 2 | Password manager | Easy | High | [ ] |
| 3 | Endpoint protection | Easy | High | [ ] |
| 4 | Email security (SPF/DKIM/DMARC) | Medium | High | [ ] |
| 5 | Backup strategy (3-2-1) | Medium | Critical | [ ] |
| 6 | Employee training | Medium | Critical | [ ] |
| 7 | Incident response plan | Hard | High | [ ] |
The Bottom Line
If you check off items 1-3, you’re already ahead of 80% of small organizations.
That’s not a guess. It’s based on years of walking into organizations where “password1” was the WiFi password, MFA was “something we’ve been meaning to do,” and the last backup was from when the previous IT guy set it up three years ago.
You don’t need a SOC. You don’t need a SIEM. You don’t need a six-figure security budget.
You need MFA turned on, a password manager deployed, and your endpoints updated. Everything else on this list makes you stronger — but those three will stop the vast majority of attacks that actually hit organizations your size.
Start there. Today. Not next quarter.
Need help implementing any of this? We do exactly this kind of work — right-sized security for organizations that don’t have (or need) a full-time IT team. Contact Flower Insider Technologies and let’s get your basics locked down.
Matt Stoltz is the founder of Flower Insider Technologies, providing managed IT services for small businesses and nonprofits in southern Minnesota and beyond. He believes cybersecurity should be practical, not theatrical.