When a small business gets breached, the post-mortem almost always reveals the same handful of missing controls. The good news: you don't need a Fortune-500 security program to close the gap. You need twelve specific things, in roughly the order below, executed by people who care.

We've used this baseline with manufacturers, medical groups, non-profits, and professional-services firms. Most clients have ten of these in place within one quarter, on a total budget that's smaller than a single ransomware payment.

The first four — do these this month

1. Multi-factor authentication, everywhere

MFA on email, MFA on remote access, MFA on every admin account. If a vendor doesn't support MFA in 2026, replace the vendor. This single control prevents the majority of business-email-compromise attacks.

2. Patch management for endpoints and servers

Critical patches within seven days, everything else within thirty. If you don't have a tool that reports on this, you don't actually have patch management — you have hope.

3. Endpoint detection and response (EDR)

Antivirus is necessary but not sufficient. EDR tools detect behaviors, not just signatures, and let you isolate a compromised laptop in seconds rather than hours.

4. Backups that have been tested

An untested backup is a wish. At minimum: daily backups, kept off the production network, with a documented restore that someone has actually performed within the last 90 days.

The next four — done by month two

5. Email filtering and DMARC

A modern email-security tool plus properly configured SPF, DKIM, and DMARC records. This stops the spoofed-CEO emails that ask your bookkeeper to wire $40,000.

6. Privileged access management

No one should be a domain admin or global admin during their normal workday. Separate "admin" accounts, used only when needed, with stronger MFA on those accounts.

7. Security-awareness training

Quarterly, fifteen-minute sessions plus periodic phishing simulations. Your people are not the weakest link — they're your most under-utilized control.

8. Asset inventory

You can't protect what you don't know exists. A current list of devices, users, and software — even an imperfect one — beats the spreadsheet that hasn't been updated since 2024.

The last four — done by month three

9. Documented incident response plan

A two-page plan that names who decides, who calls insurance, who talks to customers, and who handles the technical response. Practice it with a one-hour tabletop exercise.

10. Vendor and SaaS review

List every SaaS tool with access to your data. For each, ask: who has admin access, is MFA enforced, and is the data backed up? You'll find at least three things to fix.

11. Network segmentation

At minimum: guest Wi-Fi separated from corporate Wi-Fi, servers on a different VLAN than user laptops, and IoT devices off the production network entirely.

12. Annual penetration test

Once a year, pay an outside firm to try to break in. Not a vulnerability scan — a real test. The findings will pay for the engagement many times over.


The goal isn't to be unbreakable. The goal is to be the second-easiest target on your block, with backups that work and a plan for when something does go wrong.

How this maps to your cyber-insurance application

Most carriers in 2026 are asking about ten of these twelve controls on their renewal questionnaires. Implementing them honestly — not just answering "yes" — is the difference between a 30% premium increase and a 20% decrease.

If you'd like help working through the list at your organization, get in touch. The first conversation is free, and most calls end with two or three concrete things you can start tomorrow.