
The SMB Cybersecurity Hygiene Checklist: 7 Gaps Attackers Exploit

· Infonaligy

Seven cybersecurity gaps that attackers exploit at SMBs, from unrevoked access to untested backups, and how to close each one this quarter.


Most breaches at small and mid-sized businesses don’t start with a sophisticated zero-day exploit. They start with something mundane: a former employee’s account that was never disabled, a server that missed three months of patches, or a backup that hasn’t been tested since it was configured. The 2024 Verizon Data Breach Investigations Report found that over 60% of breaches at smaller organizations involved basic security failures, not advanced attack techniques. These are gaps your team can close this quarter with the right checklist and a few hours of focused work.

Here are seven of the most common hygiene gaps we find during security assessments at Texas and Oklahoma SMBs, along with specific steps to fix each one.

1. Unrevoked Access After Employee Departures

When someone leaves your company, IT typically disables their email and collects their laptop. But that person may still have active credentials in your firewall console, your CRM, your cloud infrastructure, and a dozen SaaS applications that live outside your identity provider. We covered this problem in depth in our admin access audit guide, and the pattern is remarkably consistent: companies disable the obvious accounts and miss the rest.

The risk is straightforward. A former employee’s active credentials are a direct path into your systems. Even if the departing employee isn’t malicious, those credentials can be harvested in a data breach at a third-party service and used by someone else entirely.

How to close it this quarter:

  • Build a complete offboarding checklist that covers every system where employees have accounts, not just email and Active Directory.
  • Run a one-time audit of all admin and user accounts across your critical systems. Match every account to a current employee. Disable anything that doesn’t match.
  • Set a policy: access revocation must be completed within 24 hours of a departure, across all systems.
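The one-time audit and the 24-hour revocation policy above, written out as a script. This is an added example, not code from the article or from Infonaligy: the HR roster, the three system exports, the `example.com` domain and every field name are constructed for illustration. The point it shows is the part that makes stale accounts hide in practice: each system names the same person differently, so the audit has to normalize identities before it can match them to the roster.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
DOMAIN = "example.com"                 # assumed corporate mail domain
REVOCATION_SLA = timedelta(hours=24)   # the article's 24-hour policy
NOW = datetime(2025, 3, 5, 9, 0, tzinfo=UTC)  # constructed "as of" time for the audit

# Constructed HR roster: the source of truth for who works here. "left" is None for active staff.
HR_ROSTER = {
    "alice@example.com": {"left": None},
    "bob@example.com": {"left": datetime(2025, 3, 1, 9, 0, tzinfo=UTC)},
    "carol@example.com": {"left": datetime(2025, 3, 4, 17, 30, tzinfo=UTC)},
}

# Constructed account exports from systems that live outside the identity provider.
# Note how each system spells the same user differently.
SYSTEM_EXPORTS = {
    "firewall": [
        {"user": "alice", "enabled": True, "role": "admin"},
        {"user": "bob", "enabled": True, "role": "admin"},
    ],
    "crm": [
        {"user": "Carol@Example.com", "enabled": True, "role": "user"},
        {"user": "vendor-support", "enabled": True, "role": "admin"},
    ],
    "cloud": [
        {"user": "alice@example.com", "enabled": True, "role": "owner"},
        {"user": "bob@example.com", "enabled": False, "role": "user"},
    ],
}


def normalize(user):
    """Map a system-local username to the roster's lower-case e-mail key."""
    u = user.strip().lower()
    return u if "@" in u else f"{u}@{DOMAIN}"


def audit_accounts(roster, exports, now):
    """Return every enabled account that has no current employee behind it.

    Two finding types: an account that matches nobody on the roster, and an
    account whose owner has departed (with whether the 24h SLA is already blown).
    Admin-level findings are listed first.
    """
    findings = []
    for system, accounts in exports.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already disabled; nothing to revoke
            person = roster.get(normalize(acct["user"]))
            if person is None:
                findings.append({"system": system, "account": acct["user"],
                                 "role": acct["role"],
                                 "issue": "no matching employee"})
            elif person["left"] is not None:
                findings.append({"system": system, "account": acct["user"],
                                 "role": acct["role"],
                                 "issue": "departed employee still enabled",
                                 "sla_breached": now - person["left"] > REVOCATION_SLA})
    findings.sort(key=lambda f: (f["role"] not in ("admin", "owner"), f["system"]))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(HR_ROSTER, SYSTEM_EXPORTS, NOW):
        print(f)
```

In a real audit the exports come from each console's user list or API and the roster from the HR system; the matching logic stays the same, and any account the script cannot tie to a current employee is a ticket, not a judgement call.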

2. Incomplete MFA Coverage

Most businesses we work with have multi-factor authentication turned on somewhere. The problem is “somewhere” isn’t “everywhere.” MFA on Microsoft 365 email but not on VPN. MFA on the main admin account but not on the backup admin. MFA on the primary identity provider but not on standalone SaaS apps that employees log into with passwords.

Attackers know which doors are locked and which aren’t. Credential-stuffing tools test stolen username/password combinations against every login they can find. If your VPN, your remote desktop gateway, or your accounting software doesn’t require a second factor, those are the entry points attackers will use.

How to close it this quarter:

  • Pull MFA enrollment reports from Entra ID, Duo, or whatever identity provider you use. Identify every account that can authenticate without a second factor.
  • Prioritize coverage in this order: all admin accounts first, then VPN and remote access, then email, then SaaS applications that hold financial or customer data.
  • Enforce conditional access policies that block sign-in attempts without MFA, rather than simply making MFA optional. Optional MFA is the same as no MFA.
  • Document any exceptions (break-glass accounts, service accounts that can’t support MFA) and apply compensating controls like IP restrictions and enhanced logging.
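The enrollment review, the priority order and the exception rule from the list above, combined into one gap report. This is an added example and not the article's or any identity provider's code: the account records, system names and the `SYSTEM_CLASS` mapping are constructed, and a real report would be built from an Entra ID, Duo or similar enrollment export. An account without a second factor only drops out of the gap list if it has a documented exception that actually carries both compensating controls the article names.

```python
# Priority tiers in the article's order: admin accounts, then VPN and remote
# access, then email, then SaaS holding financial or customer data, then the rest.
TIER_ORDER = ["admin", "remote-access", "email", "sensitive-saas", "other"]

# Assumed mapping from system name to tier; "admin" is decided per account, not per system.
SYSTEM_CLASS = {
    "vpn": "remote-access",
    "rdgateway": "remote-access",
    "m365": "email",
    "accounting": "sensitive-saas",
}

# Constructed enrollment export. "exception" is None unless a non-MFA account is documented.
ACCOUNTS = [
    {"user": "alice@example.com", "system": "m365", "admin": True, "mfa": True, "exception": None},
    {"user": "backup-admin@example.com", "system": "m365", "admin": True, "mfa": False, "exception": None},
    {"user": "bob@example.com", "system": "vpn", "admin": False, "mfa": False, "exception": None},
    {"user": "carol@example.com", "system": "m365", "admin": False, "mfa": False, "exception": None},
    {"user": "dave@example.com", "system": "accounting", "admin": False, "mfa": False, "exception": None},
    {"user": "svc-scanner@example.com", "system": "vpn", "admin": False, "mfa": False,
     "exception": {"reason": "service account", "ip_restricted": True, "enhanced_logging": True}},
    {"user": "breakglass@example.com", "system": "m365", "admin": True, "mfa": False,
     "exception": {"reason": "break-glass", "ip_restricted": False, "enhanced_logging": True}},
]


def tier_for(acct):
    """Admins always land in the top tier regardless of which system they sit on."""
    if acct["admin"]:
        return "admin"
    return SYSTEM_CLASS.get(acct["system"], "other")


def exception_is_valid(exc):
    """A documented exception counts only with both compensating controls in place."""
    return exc is not None and exc["ip_restricted"] and exc["enhanced_logging"]


def mfa_gaps(accounts):
    """Accounts that can authenticate without a second factor, highest-priority tier first."""
    gaps = []
    for a in accounts:
        if a["mfa"] or exception_is_valid(a["exception"]):
            continue
        reason = "no MFA" if a["exception"] is None else "exception lacks compensating controls"
        gaps.append({"user": a["user"], "system": a["system"], "tier": tier_for(a), "reason": reason})
    gaps.sort(key=lambda g: TIER_ORDER.index(g["tier"]))  # stable: keeps export order within a tier
    return gaps


def coverage_by_tier(accounts):
    """(enrolled, total) per tier; the number to put on the quarterly enrollment audit."""
    summary = {}
    for a in accounts:
        enrolled, total = summary.get(tier_for(a), (0, 0))
        summary[tier_for(a)] = (enrolled + int(a["mfa"]), total + 1)
    return summary


if __name__ == "__main__":
    for g in mfa_gaps(ACCOUNTS):
        print(f'[{g["tier"]}] {g["user"]} on {g["system"]}: {g["reason"]}')
    print(coverage_by_tier(ACCOUNTS))
```

Note that the break-glass account still appears in the report: it is documented, but the exception is incomplete. That is the behaviour you want, since an exception file that quietly suppresses findings is how "optional MFA" creeps back in.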

3. Patching Delays on Critical Systems

Most SMBs don’t have a zero-day problem. They have a 90-day problem. Patches for known, actively exploited vulnerabilities sit uninstalled for weeks or months because nobody owns the patching process, because patches require reboots during business hours, or because “we’ll get to it next maintenance window.” The June 2026 Patch Tuesday alone addressed 208 CVEs across Microsoft products, including several that were already being exploited in the wild.

CISA’s Binding Operational Directive 25-01 set a precedent by requiring federal agencies to remediate cloud misconfigurations within specific timeframes, and CISA’s Known Exploited Vulnerabilities (KEV) catalog tracks the exact vulnerabilities attackers are using right now. If a vulnerability appears in that catalog and your systems are unpatched, you’re running with a known open door.

How to close it this quarter:

  • Assign a single person or team as the owner of patch management. If it’s nobody’s job, it doesn’t get done.
  • Implement automated patch management for operating systems and common applications. Automation handles the 90% of patches that are routine, freeing your team to focus on the ones that require testing.
  • Set patching SLAs based on severity: critical and actively exploited vulnerabilities within 72 hours, high-severity within two weeks, everything else within 30 days.
  • Track compliance with a dashboard or monthly report. Knowing that 15% of your servers are behind on patches is better than assuming everything is current.
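The severity-based SLAs and the compliance number from the list above, as a small tracker. This is an added example rather than the article's or any patch-management product's code: the findings, hostnames and CVE identifiers are constructed placeholders, and the "published" date stands in for when a fix became available. The one rule worth seeing in code is that a KEV-listed vulnerability gets the 72-hour clock even when the vendor rates it only "high".

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2025, 6, 20, tzinfo=UTC)  # constructed reporting date

# SLA clocks from the article: critical and actively exploited within 72 hours,
# high within two weeks, everything else within 30 days.
SLA_BY_SEVERITY = {
    "critical": timedelta(hours=72),
    "high": timedelta(days=14),
    "medium": timedelta(days=30),
    "low": timedelta(days=30),
}
EXPLOITED_SLA = timedelta(hours=72)

# Constructed findings; CVE-0000-000x are placeholders, not real identifiers.
FINDINGS = [
    {"host": "dc01", "cve": "CVE-0000-0001", "severity": "high", "kev": True,
     "published": datetime(2025, 6, 10, tzinfo=UTC), "patched": None},
    {"host": "app01", "cve": "CVE-0000-0002", "severity": "critical", "kev": False,
     "published": datetime(2025, 6, 18, tzinfo=UTC), "patched": None},
    {"host": "web01", "cve": "CVE-0000-0003", "severity": "medium", "kev": False,
     "published": datetime(2025, 5, 1, tzinfo=UTC), "patched": datetime(2025, 5, 20, tzinfo=UTC)},
    {"host": "web01", "cve": "CVE-0000-0004", "severity": "high", "kev": False,
     "published": datetime(2025, 6, 1, tzinfo=UTC), "patched": None},
    {"host": "file01", "cve": "CVE-0000-0005", "severity": "low", "kev": False,
     "published": datetime(2025, 6, 1, tzinfo=UTC), "patched": None},
]


def deadline(finding):
    """Due date: the severity clock, shortened to 72h if the CVE is in the KEV catalog."""
    sla = SLA_BY_SEVERITY[finding["severity"]]
    if finding["kev"]:
        sla = min(sla, EXPLOITED_SLA)
    return finding["published"] + sla


def overdue(findings, now):
    """Unpatched findings whose deadline has passed."""
    return [f for f in findings if f["patched"] is None and now > deadline(f)]


def hosts_behind(findings, now):
    return {f["host"] for f in overdue(findings, now)}


def compliance_ratio(findings, now):
    """Fraction of hosts with at least one overdue patch: the monthly report number."""
    hosts = {f["host"] for f in findings}
    return len(hosts_behind(findings, now)) / len(hosts) if hosts else 0.0


if __name__ == "__main__":
    for f in overdue(FINDINGS, NOW):
        print(f'{f["host"]} {f["cve"]} was due {deadline(f):%Y-%m-%d}')
    print(f"{compliance_ratio(FINDINGS, NOW):.0%} of hosts behind on patches")
```

On the constructed data, dc01's "high" finding is overdue because it is KEV-listed, while app01's "critical" finding still has a day left; that distinction is exactly what a severity-only report hides.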

4. Untested Backups

Having backups is not the same as having working backups. We regularly encounter businesses that run nightly backup jobs, receive green status emails every morning, and have never once tested whether those backups can actually restore a full system. When ransomware hits and they need to recover, they discover that their backup data is corrupted, incomplete, or takes four days to restore instead of the four hours they assumed. Our disaster recovery testing guide walks through what a real test looks like.

Cyber insurance carriers have caught on to this gap. Many now require documented evidence of recovery testing, not just backup completion logs, as part of the renewal process. Your cyber insurance checklist should include proof of at least quarterly restoration tests.

How to close it this quarter:

  • Schedule a full recovery test before the end of the quarter. Pick a critical system (your file server, your line-of-business application, or your email) and restore it to a test environment from backup. Document the date, scope, time to recovery, and outcome.
  • Verify that your backups include everything you’d need to rebuild: data, system configurations, application installers, and credentials stored in password managers.
  • Confirm that at least one copy of your backups is stored offline or in an immutable format. Ransomware that encrypts your production systems will also encrypt any backups it can reach over the network.
  • Set a quarterly cadence for recovery testing going forward. Put it on the calendar. Treat it like a fire drill.

5. No Security Awareness Training (or Training That Nobody Remembers)

Phishing is still the most common initial access vector for SMB breaches. Your employees receive phishing emails every day, and the quality of those emails has improved dramatically with generative AI tools that produce convincing, grammatically correct messages tailored to specific industries and roles. A single click on a well-crafted phishing link can deliver malware, harvest credentials, or initiate a business email compromise that leads to wire fraud.

Annual compliance training that employees click through in January and forget by February does not meaningfully reduce this risk. Effective security awareness training is ongoing, uses realistic phishing simulations, and creates a culture where employees report suspicious messages rather than just deleting them.

How to close it this quarter:

  • Launch a phishing simulation campaign to establish a baseline click rate. If more than 15% of employees click the simulated phishing link, you have a training gap.
  • Move to monthly or bi-monthly training modules instead of a single annual session. Short, focused modules (10 to 15 minutes) on specific topics like invoice fraud, credential harvesting, and QR code phishing are more effective than hour-long annual presentations.
  • Create a simple reporting process: a “Report Phishing” button in Outlook, a Slack channel, or an email alias. Reward reporting rather than punishing clicks.

6. No Visibility Into What’s on Your Network

You can’t protect devices you don’t know about. Many SMBs lack a current inventory of what’s actually connected to their network: every laptop, desktop, server, printer, IoT device, and personal phone on the corporate Wi-Fi. When a new vulnerability drops and you need to know how many devices are affected, “we think we have about 80 endpoints” isn’t an answer that keeps you safe.

Shadow IT compounds this problem. Employees sign up for SaaS applications with their work email, install browser extensions, connect personal devices to the network, and use file-sharing tools your IT team has never approved. Each unmanaged application and device is an attack surface you can’t monitor, patch, or secure.

How to close it this quarter:

  • Run a network discovery scan to identify every device connected to your environment. Compare the results to your asset inventory. Flag anything that doesn’t match.
  • Implement endpoint management (Microsoft Intune, ConnectWise, or similar) that provides continuous visibility into device health, patch status, and security agent coverage.
  • Establish a policy for SaaS application approval and review your identity provider’s sign-in logs to identify applications employees are using that IT hasn’t sanctioned.
  • If your managed IT provider isn’t giving you a monthly report that includes device count, patch compliance, and security agent coverage, ask for one.
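The sign-in log review and the inventory comparison from the list above, run over a handful of log lines. This is an added example, not code from the article or from any identity provider: the JSON log format, its field names, the sanctioned-app list and the device inventory are all constructed, and a real export (Entra ID sign-in logs, for instance) uses its own schema. It shows the two questions the section asks of the data: which applications are people signing into that IT never approved, and which devices are authenticating that the asset inventory has never heard of.

```python
import json
from collections import defaultdict

# Constructed policy data: what IT has approved and what the asset inventory knows.
SANCTIONED_APPS = {"Microsoft 365", "Salesforce", "Slack"}
ASSET_INVENTORY = {"LT-0412", "LT-0413", "DT-0101"}

# Constructed sign-in log in JSON-lines form; the last line is deliberately malformed.
SIGNIN_LOG = """\
{"ts": "2025-06-02T08:01:00Z", "user": "alice@example.com", "app": "Microsoft 365", "device": "LT-0412", "status": "success"}
{"ts": "2025-06-02T08:05:00Z", "user": "alice@example.com", "app": "Dropbox", "device": "LT-0412", "status": "success"}
{"ts": "2025-06-02T09:12:00Z", "user": "bob@example.com", "app": "Dropbox", "device": "LT-9999", "status": "success"}
{"ts": "2025-06-02T09:30:00Z", "user": "carol@example.com", "app": "Notion", "device": "DT-0101", "status": "success"}
{"ts": "2025-06-02T10:00:00Z", "user": "bob@example.com", "app": "Salesforce", "device": "LT-9999", "status": "failure"}
this line is not json
"""


def parse_signins(text):
    """Yield one event per valid JSON line; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def unsanctioned_apps(events, sanctioned):
    """Map each unapproved application to the sorted list of users who signed in to it."""
    users = defaultdict(set)
    for e in events:
        if e["status"] == "success" and e["app"] not in sanctioned:
            users[e["app"]].add(e["user"])
    return {app: sorted(u) for app, u in sorted(users.items())}


def unknown_devices(events, inventory):
    """Device identifiers seen authenticating that the asset inventory does not list."""
    return {e["device"] for e in events if e["device"] not in inventory}


if __name__ == "__main__":
    events, bad = parse_signins(SIGNIN_LOG)
    print(f"{len(events)} events parsed, {bad} malformed line(s) skipped")
    for app, users in unsanctioned_apps(events, SANCTIONED_APPS).items():
        print(f"unsanctioned: {app} used by {', '.join(users)}")
    print("devices not in inventory:", unknown_devices(events, ASSET_INVENTORY))
```

Both results feed the monthly report the last bullet asks for: the unsanctioned-app list is the shadow IT conversation to have with the business, and the unknown-device set is the gap between what authenticates and what endpoint management covers.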

7. No Incident Response Plan (or One That’s Never Been Practiced)

When a security incident happens, your team’s first instinct should not be to figure out who to call. Who contacts your insurance carrier? Who handles employee communications? Who decides whether to shut down email? Who preserves forensic evidence? If those questions don’t have documented answers, your response will be slower, more expensive, and more damaging than it needs to be.

An incident response plan doesn’t need to be a 50-page document. It needs to cover four things: who is on the response team (internal and external contacts), what qualifies as an incident versus a routine IT issue, what steps to take in the first hour, and who has authority to make containment decisions like isolating systems or shutting down services.

How to close it this quarter:

  • Write a one-page incident response plan covering the four elements above. If you already have one, review it and verify that every phone number, email address, and vendor contact is still current.
  • Run a 30-minute tabletop exercise with your leadership team. Pick a scenario (ransomware on a file server, a compromised email account used for wire fraud) and walk through who does what. The gaps you discover in a tabletop are far cheaper than the ones you discover during a real incident.
  • Confirm that your cyber insurance policy information, including your carrier’s incident hotline, is included in the plan and accessible to someone other than the person whose email might be compromised.

Where to Start: The MFA/Patch/Backup Maturity Check

If tackling all seven gaps at once feels overwhelming, start with the three that give attackers the most direct access: MFA, patching, and backups. Rate your organization on each:

MFA maturity:

  • Basic: MFA enabled on email only. Other systems use passwords alone.
  • Intermediate: MFA enforced on email, VPN, and admin accounts. Conditional access policies block non-MFA sign-ins for those systems.
  • Strong: MFA enforced on every system that supports it. Exception accounts documented with compensating controls. Enrollment audited quarterly.

Patching maturity:

  • Basic: Patches applied manually when someone remembers. No tracking.
  • Intermediate: Automated patching for OS updates. Critical patches applied within two weeks. Monthly compliance report.
  • Strong: Automated patching with severity-based SLAs. Critical/exploited within 72 hours. Dashboard tracking across all endpoints and servers.

Backup maturity:

  • Basic: Backups run nightly. Status emails reviewed. No restoration testing.
  • Intermediate: Quarterly recovery tests documented. At least one offline or immutable backup copy.
  • Strong: Quarterly full-system recovery tests with documented RTO. Immutable backups verified. Recovery procedures tested by someone other than the person who configured them.

If you’re at “Basic” on any of these three, that’s your starting point for this quarter. Moving from Basic to Intermediate on MFA, patching, and backups addresses the majority of attack paths that lead to ransomware, data theft, and business email compromise at SMBs.

If your Dallas-Fort Worth business or any of your Texas locations needs help benchmarking where you stand, a security risk assessment gives you the full picture in a few hours.

Need Help Closing These Gaps?

Our team can help you assess your cybersecurity hygiene, prioritize the highest-risk gaps, and build a remediation plan that fits your budget and timeline.

