Over 13 years of managing IT security for Texas businesses, I've developed this checklist from real incidents, real breaches I've helped clean up, and the patterns I see every week. This isn't theoretical: every item on this list exists because I've seen what happens when it's missing.
Section 1: Endpoint Security (8 Points)
- EDR deployed on every endpoint – Not traditional antivirus. Endpoint Detection and Response (EDR) with behavioral AI. We use SentinelOne and Huntress. Verify: every laptop, desktop, and server has an active agent reporting to a central console.
- All operating systems fully patched – Windows, macOS, Linux. Patches applied within 72 hours for critical vulnerabilities, 14 days for standard updates. Check: no endpoints running unsupported OS versions (Windows 8.1, Windows Server 2012).
- Local admin rights restricted – Standard users should not have local administrator privileges. This prevents malware from installing system-level rootkits.
- Full-disk encryption enabled – BitLocker (Windows) or FileVault (Mac) on every device. Recovery keys stored securely by your MSP.
- Automatic screen lock configured – 5-minute timeout. Prevents unauthorized access to unattended workstations.
- USB device policies enforced – Block unauthorized USB storage devices via endpoint management policy.
- Mobile Device Management (MDM) active – Microsoft Intune or equivalent. Remote wipe capability for lost/stolen devices. Enforce device encryption and PIN requirements.
- Application whitelisting/control – Restrict what software can be installed. Prevents users from installing compromised or unauthorized applications.
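As an added example (not part of BVTech's checklist or any tool it names), here is a small Python audit that applies the Section 1 thresholds above to an endpoint inventory: the 72-hour critical and 14-day standard patch SLAs, the unsupported-OS list, EDR agent status, local admin rights, and disk encryption. The record shape, the field names, and the sample hosts are assumptions; a real run would load the rows from your RMM or EDR console export.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy thresholds taken from the checklist above.
CRITICAL_PATCH_SLA = timedelta(hours=72)
STANDARD_PATCH_SLA = timedelta(days=14)
UNSUPPORTED_OS = {"Windows 8.1", "Windows Server 2012"}


@dataclass
class Endpoint:
    """One inventory row; the shape is an assumption, not a specific console's export."""
    hostname: str
    os_name: str
    edr_agent_active: bool
    disk_encrypted: bool
    local_admins: List[str] = field(default_factory=list)
    # Release time of the oldest still-unapplied patch in each class, or None if nothing is pending.
    oldest_pending_critical: Optional[datetime] = None
    oldest_pending_standard: Optional[datetime] = None


def check_endpoint(ep: Endpoint, now: datetime) -> List[str]:
    """Return every checklist violation for one endpoint (empty list = compliant)."""
    findings: List[str] = []
    if not ep.edr_agent_active:
        findings.append("EDR agent not reporting to console")
    if ep.os_name in UNSUPPORTED_OS:
        findings.append(f"unsupported operating system: {ep.os_name}")
    if ep.oldest_pending_critical and now - ep.oldest_pending_critical > CRITICAL_PATCH_SLA:
        findings.append("critical patch outstanding beyond 72-hour SLA")
    if ep.oldest_pending_standard and now - ep.oldest_pending_standard > STANDARD_PATCH_SLA:
        findings.append("standard update outstanding beyond 14-day SLA")
    if ep.local_admins:
        findings.append("local administrator rights held by: " + ", ".join(sorted(ep.local_admins)))
    if not ep.disk_encrypted:
        findings.append("full-disk encryption not enabled")
    return findings


def audit_fleet(endpoints: List[Endpoint], now: datetime) -> Dict[str, List[str]]:
    """Map hostname -> findings, listing only endpoints that have at least one finding."""
    report: Dict[str, List[str]] = {}
    for ep in endpoints:
        findings = check_endpoint(ep, now)
        if findings:
            report[ep.hostname] = findings
    return report


# Constructed sample inventory (hostnames and dates are made up for the example).
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE_FLEET = [
    Endpoint("LT-FINANCE-01", "Windows 11", True, True),
    Endpoint("LT-SALES-07", "Windows 11", True, True,
             oldest_pending_critical=NOW - timedelta(days=5)),
    Endpoint("SRV-FILE-01", "Windows Server 2012", False, True,
             local_admins=["jsmith"],
             oldest_pending_standard=NOW - timedelta(days=3)),
    Endpoint("MAC-DESIGN-02", "macOS 14", True, False),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET, NOW).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

The point of scoring per endpoint rather than per control is that the checklist item is only "fully implemented" when no host is missing; one unmanaged server with an unsupported OS and no EDR agent is the host an attacker will find first.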
Section 2: Identity & Access Management (7 Points)
- MFA enabled on ALL accounts – Microsoft 365, VPN, admin portals, cloud apps, banking. No exceptions. Use authenticator apps (not SMS when possible). MFA blocks 99.9% of automated attacks.
- Password policy enforced – Minimum 14 characters. Consider passphrase approach (e.g., "CorrectHorseBatteryStaple"). No forced rotation (NIST guidance); change on compromise only.
- Privileged access separate from daily accounts – Admin tasks require separate admin accounts. Daily work uses standard accounts. This limits blast radius if a daily-use account is compromised.
- Offboarding procedures documented – When an employee leaves: disable account within 4 hours, revoke all access tokens, change shared passwords, disable VPN access, remote wipe company data from personal devices.
- Conditional Access policies active – Block sign-ins from risky locations, require MFA for new devices, block legacy authentication protocols.
- Password manager deployed – 1Password or Bitwarden for all shared credentials. No passwords stored in spreadsheets, sticky notes, or browser-only storage.
- Single Sign-On (SSO) where possible – Reduce password fatigue and improve security by centralizing authentication through Microsoft Entra ID or equivalent.
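An added example of what the password policy item looks like as code (mine, not BVTech's and not any identity provider's built-in policy): a checker that enforces the 14-character minimum, rejects a password that contains the username or company name, rejects a short fragment repeated to pad out the length, and screens against a breach corpus stored as SHA-1 digests. The breach corpus here is a constructed three-entry stand-in and deliberately includes the article's own example passphrase: a phrase printed in a public article is, by definition, public, and this is the check that catches it. Composition rules (uppercase, digits, symbols) are left out on purpose, in line with the NIST guidance cited above.

```python
import hashlib
import re
from typing import List

MIN_LENGTH = 14  # from the checklist


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed stand-in for a breach corpus. Real deployments check against a
# breached-password feed; storing digests keeps the clear text out of the policy code.
BREACHED_SHA1 = {
    _sha1_hex(p) for p in ("correcthorsebatterystaple", "Password123456!", "Welcome2024Welcome")
}


def evaluate_password(candidate: str, username: str = "", org_name: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    for label, token in (("username", username), ("organization name", org_name)):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains the {label}")

    # A character or short fragment repeated three or more times to reach the
    # minimum length ("aaaaaaaaaaaaaa", "abcabcabcabcabc") is not a passphrase.
    if re.fullmatch(r"(.+?)\1{2,}", candidate):
        problems.append("is a short pattern repeated")

    # Screen both the exact string and its lower-cased form, since breach lists
    # are commonly normalized to lower case.
    if _sha1_hex(candidate) in BREACHED_SHA1 or _sha1_hex(lowered) in BREACHED_SHA1:
        problems.append("appears in a known-breach corpus")

    return problems


if __name__ == "__main__":
    # Constructed candidates for a quick demonstration.
    for pw in ("CorrectHorseBatteryStaple", "Short1!", "purple-kettle-marches-north"):
        verdict = evaluate_password(pw, username="jsmith", org_name="BVTech")
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The last candidate passes with no special characters at all, which is the passphrase approach the checklist recommends: length and unpredictability, not symbol quotas, are what the policy enforces.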
Section 3: Email Security (6 Points)
- Advanced email filtering active – Proofpoint, Guardz, or Microsoft Defender for Office 365. Catches BEC, phishing, malicious attachments, and credential harvesting links.
- SPF, DKIM, and DMARC configured – DNS records that prevent email spoofing of your domain. DMARC policy should be "reject," not just "monitor."
- External email warning banner enabled – Automatically flags emails from outside your organization. Helps employees recognize impersonation attempts.
- Phishing simulation campaigns running – Monthly simulated phishing emails to test employee awareness. Track click rates and provide remedial training for repeat clickers. BVTech clients average <5% click rates after 6 months of training.
- Auto-forwarding rules blocked – Prevent attackers from silently forwarding copies of incoming email to external addresses (a common BEC tactic).
- Attachment sandboxing enabled – Suspicious attachments detonated in a sandbox before delivery. Catches zero-day malware that signature-based scanning misses.
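To make the SPF and DMARC item checkable, here is an added Python example (written for this page, not BVTech's tooling) that parses the two TXT records and grades them against the checklist's requirement: DMARC `p=reject` (including the subdomain policy that silently falls back to `p`), a `pct` of 100, an aggregate-report address, and an SPF record that ends in `-all` and stays under the 10-lookup limit that RFC 7208 imposes. The records in the sample are constructed strings; a real check would fetch `_dmarc.yourdomain.com` and the domain's TXT record from DNS first.

```python
import re
from typing import Dict, List


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict keyed by lower-cased tag."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Findings against the checklist: empty list means the record is at 'reject' with reporting."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        findings.append("record does not start with v=DMARC1")
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: checklist requires p=reject")
    # sp= defaults to p=; an explicit weaker sp= leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomains fall back to sp={sub_policy}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports to review")
    return findings


# SPF terms that each cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|exists:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr(?=:|$))|^redirect=", re.I
)
_ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def assess_spf(record: str) -> List[str]:
    """Findings against the checklist: empty list means a hard-fail SPF within the lookup limit."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    body = terms[1:]
    all_matches = [m for m in (_ALL_TERM.match(t) for t in body) if m]
    if not all_matches:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    else:
        qualifier = all_matches[0].group(1) or "+"
        if qualifier == "~":
            findings.append("~all (softfail): spoofed mail is marked, not rejected")
        elif qualifier in ("+", "?"):
            findings.append(f"{qualifier}all: the record permits any sender")
    lookups = sum(1 for t in body if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    if any(t.lstrip("+-~?").lower().split(":")[0] == "ptr" for t in body):
        findings.append("ptr mechanism is discouraged by RFC 7208")
    return findings


if __name__ == "__main__":
    # Constructed records for demonstration.
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(assess_spf("v=spf1 include:spf.protection.outlook.com ~all"))
```

The `pct` and `sp` checks are the ones most often missed in a manual review: a record that reads `p=reject; pct=10` looks enforced in a DNS lookup but only rejects one in ten spoofed messages, and a domain at `p=reject` with `sp=none` still lets anyone send as `billing.yourdomain.com`.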
Section 4: Network Security (7 Points)
- Firewall with active threat intelligence – Next-gen firewall (not just a consumer router). Intrusion detection/prevention, geo-blocking, application-aware rules.
- Network segmentation implemented – Minimum 3 VLANs: corporate, guest Wi-Fi, IoT/cameras. PCI DSS environments need additional segmentation for cardholder data.
- DNS filtering active – Blocks access to known malicious domains, phishing sites, and inappropriate content at the DNS level.
- Wi-Fi using WPA3 or WPA2-Enterprise – Guest network with captive portal and bandwidth limits. Corporate Wi-Fi with certificate-based authentication.
- Remote access via VPN or Zero Trust – No RDP directly exposed to the internet. VPN with MFA or Zero Trust Network Access (ZTNA) for remote workers.
- Network monitoring active – SNMP monitoring on all switches, access points, and firewalls. Alerts for unusual traffic patterns, port scans, or unauthorized devices.
- Firmware current on all network devices – Routers, switches, access points, firewalls. Outdated firmware is a common entry point for attackers.
Section 5: Data Backup & Recovery (6 Points)
- 3-2-1-1-0 backup strategy implemented – 3 copies, 2 media types, 1 offsite, 1 immutable, 0 errors (verified by test restores).
- Automated daily backups running – Image-based backups for servers, file-level for workstations, M365 backup for cloud data (Microsoft does NOT back up your data by default).
- Weekly test restores performed – Verify that backups are actually recoverable. A backup that hasn't been tested is not a backup.
- Immutable backup copy maintained – At least one backup copy that cannot be modified or deleted, even by an administrator. This is your ransomware safety net.
- Recovery Time Objectives (RTO) defined – How long can your business survive without IT systems? 4 hours? 24 hours? Your backup solution must meet this target.
- Disaster recovery plan documented and tested – Written procedures for full recovery. Tested annually at minimum. Key staff know their roles without reading the document.
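The 3-2-1-1-0 rule, the daily-backup item, and the weekly test-restore item can be evaluated together from a backup job inventory. The following is an added Python example (not BVTech's code or any backup vendor's API) that does that: it counts copies and media types, requires at least one offsite and one immutable copy, flags any copy without a successful run in the last day, and requires a test restore in the last 7 days with zero errors. The inventory shape and the sample copies are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class BackupCopy:
    name: str
    media: str          # e.g. "local-disk", "cloud-object", "tape" (labels are assumptions)
    offsite: bool
    immutable: bool     # cannot be altered or deleted, even by an administrator
    last_success: date  # date of the most recent successful run


@dataclass
class RestoreTest:
    performed: date
    source: str         # which copy the restore was pulled from
    errors: int         # errors reported by the test restore


def evaluate_3_2_1_1_0(copies: List[BackupCopy], tests: List[RestoreTest], today: date) -> List[str]:
    """Return the rule violations; an empty list means the strategy is met as of `today`."""
    findings: List[str] = []

    # 3 copies
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")

    # 2 media types
    media = sorted({c.media for c in copies})
    if len(media) < 2:
        findings.append(f"only one media type ({', '.join(media)}) (need 2)")

    # 1 offsite, 1 immutable
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")

    # Daily backups: every copy must have succeeded within the last day.
    stale = [c.name for c in copies if today - c.last_success > timedelta(days=1)]
    if stale:
        findings.append("copies with no successful run in the last day: " + ", ".join(stale))

    # 0 errors: a test restore within the last 7 days, and it must be clean.
    recent = [t for t in tests if today - t.performed <= timedelta(days=7)]
    if not recent:
        findings.append("no test restore in the last 7 days")
    elif any(t.errors for t in recent):
        findings.append("most recent test restore reported errors (need 0)")

    return findings


# Constructed sample inventory.
TODAY = date(2024, 6, 10)
SAMPLE_COPIES = [
    BackupCopy("server-image-local", "local-disk", offsite=False, immutable=False, last_success=TODAY),
    BackupCopy("server-image-cloud", "cloud-object", offsite=True, immutable=True, last_success=TODAY),
    BackupCopy("weekly-tape", "tape", offsite=True, immutable=False, last_success=TODAY - timedelta(days=1)),
]
SAMPLE_TESTS = [RestoreTest(TODAY - timedelta(days=2), "server-image-cloud", errors=0)]

if __name__ == "__main__":
    print("full set:", evaluate_3_2_1_1_0(SAMPLE_COPIES, SAMPLE_TESTS, TODAY))
    print("local only:", evaluate_3_2_1_1_0(SAMPLE_COPIES[:1], [], TODAY))
```

Running it on only the local copy produces five findings at once, which is the usual state of a business that believes it "has backups": one copy, one medium, on the same network the ransomware will encrypt, never tested.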
Section 6: Compliance & Documentation (4 Points)
- Acceptable Use Policy signed by all employees – Defines appropriate use of company technology, data handling requirements, and consequences for violations.
- Incident Response Plan documented – Detect → Contain → Eradicate → Recover → Review. Contact lists, communication templates, legal/regulatory notification requirements.
- Industry-specific compliance verified – HIPAA risk assessment (healthcare), PCI DSS SAQ (payment processing), TX Identity Theft Act compliance (all businesses with personal data).
- Vendor access documented and reviewed – List all third-party vendors with access to your systems. Review access quarterly. Require MFA and audit logging for vendor connections.
Section 7: Employee Training & Culture (4 Points)
- Security awareness training completed by all staff – Annual minimum, quarterly recommended. Cover phishing, social engineering, password hygiene, physical security, data handling.
- Phishing reporting mechanism in place – One-click "Report Phish" button in email client. Reward reporting, never punish for reporting false positives.
- Physical security basics addressed – Clean desk policy, visitor badges, server room locked, screen privacy filters for public-facing workstations.
- Security champion identified per department – One person per team responsible for reinforcing security culture and escalating concerns.
How to Use This Checklist
Score each item: 2 = fully implemented and verified, 1 = partially implemented, 0 = not implemented. Maximum score: 84. Here's how to interpret your results:
| Score Range | Assessment | Priority |
|---|---|---|
| 70-84 | Strong security posture | Maintain and optimize |
| 50-69 | Moderate – significant gaps exist | Address gaps within 90 days |
| 30-49 | Weak – high risk of breach | Immediate remediation needed |
| 0-29 | Critical – unprotected | Emergency intervention required |
If your score is below 70, I'd recommend scheduling a free IT assessment with BVTech. We'll walk through each item, identify your specific gaps, and provide a prioritized remediation plan, no obligation, no pressure.