ACAG Akkad Cyber Assurance Group
Free resource

5‑Step SMB Cyber Readiness Checklist

Use this as a quick baseline. If you want help implementing, book a free risk review.

How to use this

Work top to bottom. If you get stuck, focus on the “Minimum” items first.

  • Minimum: do this in the next 7 days
  • Better: do this in the next 30 days
  • Best: build this into your monthly cadence

Tip: print this page to PDF for sharing.

1) Identity & Access

Minimum: turn on MFA everywhere (email, admin portals, VPN).
Better: remove shared admin accounts; apply least privilege.
Best: enforce conditional access + periodic access reviews.

2) Patching & Baselines

Minimum: patch internet‑facing systems + endpoints.
Better: monthly patch cadence + critical hotfix process.
Best: hardened baselines + continuous vulnerability review.

3) Backups & Recovery

Minimum: tested backups for critical data (offline/immutable if possible).
Better: restore tests monthly; document recovery steps.
Best: defined RTO/RPO + tabletop recovery exercises.

4) Email & Awareness

Minimum: spam/phish filtering + staff report button.
Better: quarterly training + simulated phishing drills.
Best: role-based training + measurable reporting improvements.

5) Incident Response

Minimum: know who to call + how to isolate infected devices.
Better: short IR playbook + contact list + logging basics.
Best: tabletop exercises + post-incident improvements.

Optional: Policy Starter

Document basics: acceptable use, password/MFA, patching, backups, vendor access, and incident response.

Want ACAG to implement this with you?

We’ll prioritize the fastest actions to reduce risk, then build a cadence your team can maintain.
