#software-development
#founders
Security

The security baseline SMBs ignore until they get hacked — a 12-item checklist

90% of SMBs that suffered a security incident in 2026 had fewer than 8 of these 12 items in place. Here is the minimum viable security baseline for an SMB — no jargon, with a deadline and a priority for each item.


By Victhor Araújo

Most small and medium businesses only discover they were insecure on the day they get hacked. In the post-mortem, three sentences repeat: "we thought this was already configured", "nobody owned this", and "it was on the next quarter's plan".

SMB security isn't about buying fancy products. It's about doing the basics — and doing them early. This checklist is 12 items that ~90% of hacked companies in 2026 didn't fully have in place. None require expensive vendors. All can be done in 90 days.

For founders, CTOs, and operators in SMBs who want to cover the minimum before an incident forces the conversation.

A checklist is the cheapest way to guarantee no critical item got forgotten

📋 The 12-item checklist

Each item has **priority** (P0 = first 30 days, P1 = 60 days, P2 = 90 days) and **default owner**.

  1. MFA on 100% of admin accounts (email, cloud, bank, GitHub, AWS, Stripe). P0. Owner: IT/CTO.
  2. Corporate password manager with a shared vault. Ends the era of "the password is in a spreadsheet". P0. Owner: ops.
  3. SaaS inventory: which tools you use and who has access to what. A spreadsheet works — but it has to exist. P0. Owner: ops.
  4. Automated, tested backup of critical databases. A backup nobody has restored is fiction. P0. Owner: tech lead.
  5. Centralized production logs (even basic CloudWatch). No logs, no forensics. P1. Owner: tech lead.
  6. Automatic rotation of production credentials every 90 days. Cron + secrets manager. P1. Owner: tech lead.
  7. Dependency vulnerability scanning (Dependabot, Snyk free tier, etc.). Runs automatically on every PR. P1. Owner: tech lead.
  8. Documented onboarding/offboarding for employees, with an access checklist. P1. Owner: HR + IT.
  9. Device policy: disk encryption and basic MDM (even free, like Apple Business Essentials). P2. Owner: IT.
  10. Quarterly phishing training. Can be free (Google, Microsoft, KnowBe4 free tier). P2. Owner: HR.
  11. Incident response plan — who calls whom, within what time, in what order. 1 page, reviewed yearly. P2. Owner: CTO + legal.
  12. Light yearly audit: someone external reviews the other 11 items once a year. Can be a vendor or a peer at another company. P2. Owner: CEO.
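Item 4 says a backup nobody has restored is fiction. The script below is an added example (not code from the article or from Revin) of what the "tested" part looks like as an automated job: it takes a logical SQL dump, restores it into a scratch database, and compares per-table row counts and a content hash against the fingerprint taken from the live database, failing on any difference. The sample database, its dump and the deliberately damaged backup are all constructed inline with Python's built-in sqlite3 module; for Postgres or MySQL the same pattern applies with pg_dump/mysqldump and a throwaway instance.

```python
"""Restore-test a database backup before trusting it (checklist item 4).

Added example, not code from the original article or from Revin. Everything
here is constructed: the "production" database, its dump and the broken
backup are built inline with the standard-library sqlite3 module.
"""
import hashlib
import os
import sqlite3
import tempfile


def make_sample_db(path: str) -> None:
    """Constructed sample 'production' database with two small tables."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        CREATE TABLE invoices(id INTEGER PRIMARY KEY, customer_id INTEGER, cents INTEGER);
        INSERT INTO customers VALUES (1, 'a@example.com'), (2, 'b@example.com');
        INSERT INTO invoices VALUES (1, 1, 1999), (2, 2, 4500), (3, 1, 120);
    """)
    con.commit()
    con.close()


def dump_backup(db_path: str) -> str:
    """Logical SQL dump, the same shape as `sqlite3 db .dump` or pg_dump output."""
    con = sqlite3.connect(db_path)
    sql = "\n".join(con.iterdump())
    con.close()
    return sql


def content_fingerprint(db_path: str) -> dict:
    """Per-table (row count, SHA-256 of the ordered rows). Taken from the live
    database at backup time and compared against the restored copy."""
    con = sqlite3.connect(db_path)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    result = {}
    for t in tables:
        h = hashlib.sha256()
        count = 0
        for row in con.execute(f'SELECT * FROM "{t}" ORDER BY 1'):
            h.update(repr(row).encode())
            count += 1
        result[t] = (count, h.hexdigest())
    con.close()
    return result


def restore_test(backup_sql: str, expected: dict) -> list:
    """Restore the dump into a scratch database and return the list of problems
    (an empty list means the backup restored completely and matches)."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = os.path.join(tmp, "restore.db")
        con = sqlite3.connect(scratch)
        try:
            con.executescript(backup_sql)
            con.commit()
        except sqlite3.Error as e:
            # A dump that does not even load is the loudest possible failure.
            return [f"restore failed: {e}"]
        finally:
            con.close()
        actual = content_fingerprint(scratch)
    problems = []
    for table, (count, digest) in expected.items():
        if table not in actual:
            problems.append(f"table {table} missing after restore")
        elif actual[table] != (count, digest):
            problems.append(
                f"table {table}: expected {count} rows, got {actual[table][0]} "
                f"(content hash differs)")
    return problems


def run_demo() -> tuple:
    """End to end: build the sample DB, dump it, then restore-test a good backup
    and a constructed bad one that silently lost one invoice row."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = os.path.join(tmp, "prod.db")
        make_sample_db(prod)
        expected = content_fingerprint(prod)
        good = dump_backup(prod)
        truncated = "\n".join(line for line in good.splitlines() if "4500" not in line)
        return expected, restore_test(good, expected), restore_test(truncated, expected)


if __name__ == "__main__":
    expected, good_problems, bad_problems = run_demo()
    print("tables fingerprinted:", sorted(expected))
    print("good backup problems:", good_problems)
    print("truncated backup problems:", bad_problems)
```

Run it right after the nightly backup job and page the tech lead whenever the problem list is non-empty; a dump that loads without error but is missing rows is exactly the silent failure item 4 warns about, and only a restore plus a content comparison catches it.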

Every open CVE and every leaked credential is a door waiting to be opened

🚨 Why item 11 (response plan) is the most underrated

On incident day, three things decide the size of the damage: (1) you discover it fast, (2) you know who to call, (3) you communicate before TechCrunch does.

Most companies fail at the second one. They don't know whether to call the cloud provider first, legal, the client, the insurer, or the police. Every hour lost to that indecision costs heavily — in money, trust, and headlines.

A 1-page plan with 5 names, 5 phone numbers, and 3 severity criteria solves this. Cost to build: 2 hours. Cost of not building: incalculable.

📊 What these 12 items cover (and what they do NOT)

The 12 items are a baseline. They cover ~80% of common SMB attack vectors:

  • Credential compromise (items 1, 2, 6, 8).
  • Lateral movement via vulnerable dependency (item 7).
  • Phishing and social engineering (items 10, 11).
  • Accidental data loss (items 4, 5).
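Items 3, 6 and 8 (together with item 1) are what closes most of the credential-compromise vector listed above, and all three reduce to a periodic review of the same spreadsheet. As an added example (not the article's or Revin's code), here is that quarterly review run as a script over a constructed SaaS inventory export: the CSV, the HR offboarding list and the review date are all made up for the demo. The three checks are the ones the checklist items describe: an offboarded person whose accounts still exist, an admin account without MFA, and a service credential not rotated in 90 days; the rotation rule is applied to any credential row that carries a last_rotated date, which generalizes item 6 beyond the cron-rotated secrets.

```python
"""Quarterly access review over the SaaS inventory (checklist items 1, 3, 6 and 8).

Added example, not code from the original article or from Revin. The CSV
inventory, the offboarding list and the review date are constructed here.
"""
import csv
import io
from datetime import date

# Constructed inventory export: one row per (system, account). These columns are
# all the "who has access to what" spreadsheet from item 3 needs.
INVENTORY_CSV = """\
system,account,owner,role,mfa,last_rotated
aws,root,ceo@example.com,admin,yes,2026-01-15
aws,deploy-bot,tech@example.com,service,no,2025-09-01
github,org-admin,cto@example.com,admin,no,2026-02-01
stripe,finance,maria@example.com,admin,yes,2026-03-10
slack,maria,maria@example.com,user,yes,2026-03-10
db-prod,app_rw,tech@example.com,service,no,2026-01-20
"""

# Constructed HR offboarding list (item 8): who left and on which date.
OFFBOARDED = {"maria@example.com": date(2026, 3, 31)}

# Item 6: production credentials rotate at least every 90 days.
ROTATION_MAX_DAYS = 90


def load_inventory(text: str) -> list:
    """Parse the spreadsheet export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review(rows: list, offboarded: dict, today: date) -> dict:
    """Run the three checks and return findings keyed by check name.
    Each finding is 'system/account' so the owner can act on it directly."""
    findings = {
        "offboarded_still_has_access": [],   # item 8: offboarding not completed
        "admin_without_mfa": [],             # item 1: MFA on 100% of admin accounts
        "rotation_overdue": [],              # item 6: service credential older than 90 days
    }
    for r in rows:
        ident = f"{r['system']}/{r['account']}"
        exit_date = offboarded.get(r["owner"])
        # Only flag after the exit date has passed; a future leaver is not a finding yet.
        if exit_date is not None and exit_date <= today:
            findings["offboarded_still_has_access"].append(ident)
        if r["role"] == "admin" and r["mfa"].strip().lower() != "yes":
            findings["admin_without_mfa"].append(ident)
        if r["role"] == "service":
            age_days = (today - date.fromisoformat(r["last_rotated"])).days
            if age_days > ROTATION_MAX_DAYS:
                findings["rotation_overdue"].append(f"{ident} ({age_days} days)")
    return findings


def run_review(today_iso: str = "2026-04-15") -> dict:
    """Review the constructed inventory as of the given (constructed) review date."""
    return review(load_inventory(INVENTORY_CSV), OFFBOARDED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for check, items in run_review().items():
        print(f"{check}: {items or 'none'}")
```

Export the inventory from the spreadsheet, run this on the first day of each quarter, and treat every line of output as a ticket with the owner named in the checklist; an empty report is the evidence the yearly audit (item 12) will ask for.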

They do NOT cover:

  • Nation-state or APT attacks — those require enterprise-grade defenses.
  • Specific compliance (PCI-DSS, HIPAA, SOC 2) — depends on market and clients.
  • Full zero-trust — requires more maturity and investment.

📢 Want help implementing this baseline? Revin runs these 12 items as part of our Security Foundations package in 60-90 days.

🎯 Conclusion: the baseline exists so you don't move on to advanced controls with the basics uncovered

The security story that ends badly always starts with "we thought the basics were handled". The 12 items in this checklist don't make you invulnerable — they make you a less attractive target than the company next door. And in opportunistic attacks, that's what decides who gets hit.

Print it. Pin it on the CTO's wall. Set deadlines. Do the P0s in the next 4 weeks. P1 and P2 go on the quarter's roadmap. In 90 days, you're in a different risk category.

📢 Want help executing with a senior squad? Book a Diagnostic Sprint and we'll prioritize together.
