How to Conduct a Small Business Security Audit

A security audit sounds intimidating — but for small businesses, it doesn’t require a team of consultants or expensive tools. A practical security audit is simply a structured review of your current security posture that identifies gaps, prioritizes what to fix, and creates a roadmap for improvement. Done annually, a security audit is one of the most valuable investments of time your business can make. This guide walks you through conducting your own small business security audit.

What Is a Security Audit and Why Do It?

A security audit is a systematic evaluation of your business’s security controls — the policies, procedures, technologies, and practices that protect your data and systems. Its purpose is to answer three questions:

  1. What security controls do we have in place?
  2. Are those controls working effectively?
  3. What gaps exist that need to be addressed?

Beyond improving security, a documented audit serves important secondary purposes: demonstrating due diligence to cyber insurers, meeting regulatory requirements (HIPAA, PCI-DSS), and providing a baseline for measuring security improvement over time.

Before You Start — Define Your Scope

A security audit covers your entire digital business environment. Before starting, inventory what you’re auditing:

People: All employees, contractors, and vendors with access to business systems

Devices: All computers, laptops, mobile devices, servers, and network equipment

Applications: All software and cloud services used for business purposes

Data: Where sensitive business data is stored, processed, and transmitted

Network: Internet connections, Wi-Fi, and any network infrastructure

The Small Business Security Audit Checklist

Section 1 — Access Control and Identity

Review how employees access business systems and whether those access controls are appropriate:

  • User account inventory: List all user accounts across all systems. Are there any accounts that belong to former employees? Any shared accounts?
  • Principle of least privilege: Does each employee have only the access they need for their role? Are any standard employees running with administrator privileges?
  • MFA deployment: Is MFA enabled on email, VPN, cloud services, and financial accounts? What percentage of accounts have MFA?
  • Password policy compliance: Are the password manager and strong-password requirements being followed? When were passwords last changed after any suspected compromise?
  • Offboarding process: When employees leave, is account access revoked immediately? Check recent departures.
  • Default credentials: Are any systems still running with default usernames and passwords?
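
The Section 1 checks are easiest to answer from data rather than memory: export the user list from each system, export the active-staff roster from HR, and reconcile the two. The script below is an added example written for this guide, not a tool from any vendor; the account fields, the `ADMIN_ROLES` set, the 90-day stale threshold and the sample accounts are all constructed assumptions, and a real run would replace them with your own exports.

```python
"""Reconcile a user-account export against an HR roster to surface the
Section 1 findings: former-employee accounts, shared accounts, standard
staff holding admin rights, accounts without MFA, and stale accounts.
Added example with constructed data, not an export from any real system."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    owner: str          # HR identity of the person, or "shared" for shared logins
    role: str           # job role as recorded by HR
    is_admin: bool
    mfa_enabled: bool
    last_login: date


# Roles that legitimately carry administrator rights (assumption for this example).
ADMIN_ROLES = {"it-admin"}


def review_accounts(accounts, active_staff, today, stale_days=90):
    """Return {finding_category: [usernames]} for the Section 1 checklist items."""
    findings = {"former_employee": [], "shared": [], "excess_admin": [],
                "no_mfa": [], "stale": []}
    for a in accounts:
        if a.owner == "shared":
            findings["shared"].append(a.username)
        elif a.owner not in active_staff:          # offboarding gap
            findings["former_employee"].append(a.username)
        if a.is_admin and a.role not in ADMIN_ROLES:  # least-privilege gap
            findings["excess_admin"].append(a.username)
        if not a.mfa_enabled:
            findings["no_mfa"].append(a.username)
        if (today - a.last_login).days > stale_days:  # unused, possibly forgotten
            findings["stale"].append(a.username)
    return findings


def mfa_coverage(accounts):
    """Percentage of accounts with MFA enabled, the figure the checklist asks for."""
    if not accounts:
        return 0.0
    return round(100 * sum(a.mfa_enabled for a in accounts) / len(accounts), 1)


# Constructed sample data: one departed employee, one shared login, one
# salesperson with admin rights.
SAMPLE_ACCOUNTS = [
    Account("alice", "alice", "accounting", False, True, date(2025, 3, 1)),
    Account("bob", "bob", "it-admin", True, True, date(2025, 3, 9)),
    Account("carol", "carol", "sales", False, False, date(2024, 10, 15)),
    Account("frontdesk", "shared", "reception", False, False, date(2025, 3, 2)),
    Account("dana", "dana", "sales", True, True, date(2025, 3, 8)),
]
ACTIVE_STAFF = {"alice", "bob", "dana"}   # carol has left
AUDIT_DATE = date(2025, 3, 10)

if __name__ == "__main__":
    for category, users in review_accounts(SAMPLE_ACCOUNTS, ACTIVE_STAFF, AUDIT_DATE).items():
        print(f"{category:16s} {users}")
    print(f"MFA coverage: {mfa_coverage(SAMPLE_ACCOUNTS)}%")
```

Every name that lands in `former_employee` or `no_mfa` is a "fix immediately" item under the prioritization scheme later in this guide; `stale` accounts are worth a conversation with their owners before being disabled.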

Section 2 — Endpoint Security

Evaluate the security of every device used for business:

  • Endpoint protection coverage: Is antivirus/EDR installed and active on every device? Check the management console — are any devices offline or showing protection errors?
  • OS and software updates: Are all operating systems and critical applications patched? Check for devices running unsupported OS versions (Windows 10 reaches end-of-life October 2025).
  • Disk encryption: Is full disk encryption enabled on all laptops and computers containing business data?
  • Screen lock: Are all devices configured to lock automatically after 5–10 minutes of inactivity?
  • Mobile devices: Are business smartphones enrolled in MDM? Are they encrypted and PIN-protected?
  • Unauthorized software: Is there unapproved software installed on business devices? Review the installed programs list on a sample of machines.

Section 3 — Network Security

  • Router admin credentials: Have default admin credentials been changed on routers and network equipment?
  • Firmware: Is network equipment firmware current?
  • Wi-Fi encryption: Are all wireless networks using WPA2 or WPA3?
  • Guest network: Is there a separate guest network isolated from business systems?
  • Network segmentation: Are high-risk devices (IoT, guest devices) isolated from business systems?
  • Firewall: Is a business-grade firewall in place and properly configured?
  • Remote access: Is RDP disabled or secured behind VPN? Are all remote access points using MFA?
  • DNS filtering: Is DNS filtering in place to block known malicious domains?

Section 4 — Data Protection

  • Data inventory: Do you know where all sensitive business data is stored? Customer records, financial data, employee data?
  • Data classification: Is sensitive data treated differently from general business data?
  • Backup status: When were backups last tested? Are backups running successfully? Is there an offsite or cloud copy?
  • Data sharing: Are employees sharing sensitive data appropriately — only to authorized parties, using secure methods?
  • Data disposal: When devices are retired, is data properly wiped before disposal or destruction?
  • Cloud storage permissions: Review sharing settings on cloud storage (Google Drive, OneDrive) — are any files or folders shared publicly or with “anyone with the link”?

Section 5 — Email and Communications Security

  • Email authentication: Are SPF, DKIM, and DMARC configured for your domain? Check using MXToolbox.com.
  • Spam filtering: Is advanced spam filtering enabled on your email platform?
  • Email forwarding rules: Check all email accounts for unauthorized forwarding rules — a common indicator of compromise.
  • Sensitive data in email: Are employees sending sensitive data (SSNs, card numbers, health info) via unencrypted email?

Section 6 — Policies and Procedures

  • Acceptable use policy: Is there a written AUP? Have all employees signed it?
  • Password policy: Is there a written password policy?
  • Incident response plan: Is there a documented plan for responding to a security incident? When was it last reviewed?
  • Vendor management: Are security requirements included in vendor contracts? Are BAAs in place where required?
  • Security training: When did employees last receive security awareness training? Are phishing simulations conducted?

Section 7 — Third-Party and Vendor Security

  • Vendor access review: List all third-party vendors with access to business systems or data. Is their access still necessary and appropriate?
  • Vendor security: Do key vendors handling sensitive data have adequate security practices?
  • Software supply chain: Are all software vendors reputable? Are any applications end-of-life with no security updates?

Scoring and Prioritizing Your Findings

After working through the checklist, you’ll have a list of gaps. Prioritize remediation based on two factors: likelihood of exploitation and potential impact.

Fix immediately (high risk):

  • Any system accessible from the internet without MFA
  • Former employee accounts still active
  • Missing backups or untested backups
  • Endpoint protection missing on any device
  • Default credentials on any network equipment

Fix within 30 days (medium risk):

  • Missing DMARC configuration
  • Unpatched systems
  • No guest network separation
  • No written incident response plan

Fix within 90 days (lower risk):

  • Policy documentation gaps
  • Vendor access reviews
  • Establishing a security training schedule

Documenting Your Audit

Create a simple audit report documenting:

  • Date of audit
  • Scope covered
  • Findings for each section
  • Risk rating for each finding
  • Remediation owner and target date
  • Overall security posture assessment

This document is valuable for cyber insurance applications, regulatory compliance, and tracking progress over subsequent annual audits.
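
The prioritization scheme above (likelihood times impact, sorted into three remediation tiers) and the audit report just described fit naturally into one small script. The one below is an added example for this guide, not a template from any standard or vendor: it scores each finding, assigns its tier, and emits the report rows with owner and target date. The numeric thresholds that separate the tiers, the choice to track "immediately" as a seven-day target, and the sample findings are all assumptions of the example.

```python
"""Score audit findings by likelihood and impact, sort them into the three
remediation tiers, and produce the audit report rows (risk rating, owner,
target date). Added example with constructed findings; the tier thresholds
and the 7-day target for 'immediately' are assumptions, not guide rules."""
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}

# (tier name, minimum likelihood*impact score, days allowed for remediation)
TIERS = [
    ("Fix immediately", 6, 7),
    ("Fix within 30 days", 3, 30),
    ("Fix within 90 days", 1, 90),
]


@dataclass
class Finding:
    section: str
    description: str
    likelihood: str    # "low" | "medium" | "high"
    impact: str        # "low" | "medium" | "high"
    owner: str = "unassigned"


def risk_score(f):
    """Likelihood x impact on a 1..9 scale."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def tier_for(f):
    """Return (tier name, days to remediate) for a finding."""
    score = risk_score(f)
    for name, minimum, days in TIERS:
        if score >= minimum:
            return name, days
    raise ValueError("score is always >= 1, so this is unreachable")


def prioritize(findings):
    """Highest score first; the sort is stable, so section order breaks ties."""
    return sorted(findings, key=risk_score, reverse=True)


def report_rows(findings, audit_date):
    """One row per finding, in the order they should be worked."""
    rows = []
    for f in prioritize(findings):
        name, days = tier_for(f)
        rows.append({
            "audit_date": audit_date.isoformat(),
            "section": f.section,
            "finding": f.description,
            "score": risk_score(f),
            "risk": name,
            "owner": f.owner,
            "target_date": (audit_date + timedelta(days=days)).isoformat(),
        })
    return rows


# Constructed sample findings from a checklist walk-through.
SAMPLE_FINDINGS = [
    Finding("1 Access Control", "Former employee account still active", "high", "high", "office manager"),
    Finding("5 Email", "DMARC record missing", "medium", "medium", "IT contractor"),
    Finding("6 Policies", "No written acceptable use policy", "low", "low", "owner"),
    Finding("3 Network", "Default admin password on Wi-Fi router", "high", "medium", "IT contractor"),
]
AUDIT_DATE = date(2025, 3, 10)

if __name__ == "__main__":
    for row in report_rows(SAMPLE_FINDINGS, AUDIT_DATE):
        print(f"{row['risk']:20s} {row['target_date']}  {row['section']:18s} "
              f"{row['finding']}  ({row['owner']})")
```

Writing the rows out as CSV gives you the audit report in a form you can re-import next year and diff against the new findings, which is what "tracking progress over subsequent annual audits" looks like in practice.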

When to Get Outside Help

A self-assessment covers the basics. For deeper technical assessment, consider engaging:

  • Vulnerability assessment: Automated scanning of your network and systems for known vulnerabilities. $500–$2,000 from a managed security provider.
  • Penetration test: Ethical hackers actively attempt to breach your systems to find gaps automated tools miss. $3,000–$15,000 for small business scope.
  • vCISO (virtual CISO): Part-time security leadership for businesses that need strategic guidance without a full-time hire. $2,000–$5,000/month.

The Bottom Line

A security audit doesn’t require expensive consultants to be valuable. The checklist in this guide — worked through honestly and documented — gives you a clear picture of where your business stands and what needs to be fixed. Set aside half a day, work through each section, prioritize your findings, and create a 90-day remediation plan. Repeat annually. That discipline, consistently applied, keeps your security posture current as threats and your business evolve.
