Cyber Risk Assessment Checklist for Small and Mid Size Companies

Introduction
Small and mid size companies are targeted more than ever in 2026. Attackers know that many growing businesses move fast, rely heavily on cloud tools, and often have limited security staffing. The good news is that you do not need enterprise complexity to reduce risk. You need a repeatable checklist that helps you spot gaps, prioritize improvements, and build a practical security plan.
This guide provides a detailed cyber risk assessment checklist designed specifically for small and mid size companies. It also explains how to use the checklist step by step, what evidence to collect, and how to turn findings into action.
What Is a Cyber Risk Assessment
A cyber risk assessment is a structured review of your technology environment to identify threats, vulnerabilities, control gaps, and business impact. The goal is to understand what could realistically harm your business and what you should fix first.
For small and mid size companies, a risk assessment should feel practical. It should focus on the systems you actually use, the people who actually operate them, and the changes you can actually implement within your budget and timeframe.
Why Small and Mid Size Companies Need a Checklist Approach
A checklist helps you avoid two common problems.
The first problem is trying to do everything at once, which creates overwhelm and slows progress.
The second problem is ignoring core foundations while chasing advanced tools, which leaves major gaps open.
A checklist approach helps you build security in layers. You start with high impact items like identity protection, backups, endpoint security, and monitoring. Then you improve governance, vendor risk, and incident readiness over time.
How to Use This Cyber Risk Assessment Checklist
Use this checklist in three phases:
Phase 1: Discovery - Collect facts, settings, and evidence about your environment.
Phase 2: Evaluation - Mark each item as complete, partial, or missing and document the risk.
Phase 3: Action - Prioritize fixes based on business impact and likelihood, then build a roadmap.
1. Business Scope and Critical Systems Checklist
Confirm you can answer these clearly:
□ Do we have a list of mission critical business processes?
□ Do we know which systems support those processes?
□ Do we know what downtime would cost per day?
□ Do we know which data types are most sensitive?
□ Do we have owners assigned for critical systems and data?
Evidence to collect: A simple list of critical processes, systems, data types, and business owners.
Why it matters: If you do not know what is critical, you will prioritize the wrong fixes.
2. Asset Inventory and Visibility Checklist
You cannot protect what you cannot see.
□ Do we have an inventory of employee devices, including remote devices?
□ Do we have an inventory of servers and cloud workloads?
□ Do we have a list of applications and SaaS tools in use?
□ Do we track internet facing systems such as websites, VPN, remote access, and admin portals?
□ Do we know which vendors connect to our environment?
Evidence to collect: Device list, cloud resource list, domain list, and a list of key SaaS tools.
Why it matters: Unknown assets become blind spots where attackers can hide.
3. Identity and Access Management Checklist
Identity is the most common entry point for modern attacks.
□ Is MFA enabled for all users?
□ Is MFA enforced for all admin and privileged accounts?
□ Do admins use separate privileged accounts from their day to day accounts?
□ Do we review access regularly for email, cloud storage, finance tools, and admin panels?
□ Do we have a joiner, mover, leaver (JML) process to remove access when roles change or people leave?
□ Do we use role based access rather than individual custom permissions?
□ Do we restrict third party access and use time bound access where possible?
□ Do we log sign ins and review suspicious login activity?
Evidence to collect: MFA enforcement settings, admin role list, access review records, and sign in logs.
Why it matters: Stolen credentials are a top cause of breaches in small and mid size companies.
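The access review items above can be checked mechanically against a user export from your identity provider. The script below is an added example, not part of the original checklist or any vendor's tooling: it assumes a CSV export with the columns shown (user, roles, MFA enrolment, last sign in, mailbox enabled, account type), and the sample rows, role names and 90 day staleness threshold are constructed for illustration. It flags privileged accounts without MFA, privileged roles sitting on mailbox enabled day to day accounts, users without MFA, and accounts that have not signed in for 90 days, with vendor accounts rated higher because they are the ones most often forgotten.

```python
"""Access review over a constructed identity provider export.

Added example. The column names, role names and sample rows are assumed for
illustration and do not match any specific vendor's export format.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data). Columns are assumed.
SAMPLE_EXPORT = """\
user,roles,mfa_enrolled,last_sign_in,mailbox_enabled,account_type
alice@example.com,Global Admin,true,2026-03-01,true,employee
alice-admin@example.com,Global Admin,true,2026-02-27,false,employee
bob@example.com,User,false,2026-03-02,true,employee
carol@example.com,User,true,2025-10-15,true,employee
dave@example.com,Billing Admin,false,2026-03-01,true,employee
svc-backup@example.com,User,false,2026-03-02,false,service
partner-vpn@example.com,User,true,2025-11-20,false,vendor
"""

# Assumed role names; adjust to the roles your identity provider uses.
PRIVILEGED_ROLES = {"Global Admin", "Billing Admin", "Exchange Admin"}
STALE_AFTER_DAYS = 90
REVIEW_DATE = date(2026, 3, 3)  # date the review is run (constructed)


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = {r.strip() for r in row["roles"].split(";") if r.strip()}
        row["mfa_enrolled"] = row["mfa_enrolled"].lower() == "true"
        row["mailbox_enabled"] = row["mailbox_enabled"].lower() == "true"
        row["last_sign_in"] = date.fromisoformat(row["last_sign_in"])
        rows.append(row)
    return rows


def review_access(rows, today):
    """Return (severity, user, issue) findings, highest severity first."""
    findings = []
    cutoff = today - timedelta(days=STALE_AFTER_DAYS)
    for r in rows:
        privileged = bool(r["roles"] & PRIVILEGED_ROLES)
        if privileged and not r["mfa_enrolled"]:
            findings.append(("HIGH", r["user"], "privileged account without MFA"))
        elif not r["mfa_enrolled"]:
            findings.append(("MEDIUM", r["user"], "user without MFA"))
        if privileged and r["mailbox_enabled"]:
            # Admin role on the same account used for mail and daily work:
            # a phished mailbox becomes a phished admin.
            findings.append(("MEDIUM", r["user"],
                             "privileged role on a mailbox-enabled day-to-day account"))
        if r["last_sign_in"] < cutoff:
            severity = "HIGH" if r["account_type"] == "vendor" else "MEDIUM"
            findings.append((severity, r["user"],
                             f"no sign-in for more than {STALE_AFTER_DAYS} days"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: (order[f[0]], f[1]))
    return findings


if __name__ == "__main__":
    for severity, user, issue in review_access(parse_export(SAMPLE_EXPORT), REVIEW_DATE):
        print(f"{severity:6} {user:28} {issue}")
```

Run it against a real export and the output doubles as the access review record the checklist asks you to keep as evidence. The one design choice worth copying is the separate handling of privileged accounts: the same missing control is a high finding on an admin and a medium finding on a normal user, which is what keeps the remediation list honest.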
4. Endpoint Security Checklist
Endpoints are still a primary attack path and often the starting point for ransomware.
□ Are devices encrypted?
□ Are operating systems and applications patched on a defined schedule?
□ Do we use endpoint protection or EDR on all business devices?
□ Do we restrict local admin rights on laptops?
□ Do we have remote wipe capability for lost devices?
□ Do we control USB use and risky software installation where needed?
□ Do we monitor for suspicious behavior such as repeated malware detections or unusual processes?
□ Do we have a standard build for new devices?
Evidence to collect: Patch compliance report, encryption status, endpoint coverage list, and device policy settings.
Why it matters: Endpoint gaps are often exploited through phishing and malware.
5. Email Security and Phishing Defense Checklist
Email is the most common way attackers reach users.
□ Do we have phishing protection features enabled in email?
□ Do we train employees regularly on phishing and fraud?
□ Do we run phishing simulations or at least awareness checks?
□ Do employees know how to report suspicious emails?
□ Do we have rules that restrict external forwarding where appropriate?
□ Do we monitor mailbox rules for suspicious changes?
□ Do we protect executive and finance users with stronger controls?
Evidence to collect: Email security settings, training records, and a documented reporting process.
Why it matters: Business email compromise and phishing lead to credential theft and financial loss.
6. Vulnerability and Patch Management Checklist
Vulnerabilities are unavoidable, but unmanaged vulnerabilities are dangerous.
□ Do we scan systems regularly for vulnerabilities or misconfigurations?
□ Do we prioritize internet facing and critical system vulnerabilities first?
□ Do we have a patch schedule and defined exceptions?
□ Do we track remediation to closure?
□ Do we remove unsupported software and end of life systems?
□ Do we secure exposed services such as remote desktop and admin panels?
Evidence to collect: Scan summaries, patch schedule, remediation tracking, and exception approvals.
Why it matters: Many attacks rely on known vulnerabilities with available fixes.
7. Network and Remote Access Checklist
Network controls limit lateral movement and reduce blast radius.
□ Do we have firewalls properly configured and reviewed?
□ Do we restrict remote access to approved methods such as VPN or secure gateways?
□ Is MFA required for remote access?
□ Do we segment sensitive systems such as finance servers and production systems?
□ Do we monitor network activity and suspicious remote sessions?
□ Do we restrict access to admin interfaces from the internet?
Evidence to collect: Firewall rules overview, remote access policy, and segmentation diagram or notes.
Why it matters: Attackers often spread from one system to another after initial access.
8. Cloud Security and SaaS Governance Checklist
Cloud and SaaS are common for SMBs, but misconfigurations create serious exposure.
□ Do we use least privilege access roles in cloud and SaaS platforms?
□ Do we prevent public access to sensitive storage?
□ Do we enable logging and auditing in cloud platforms?
□ Do we review external sharing settings in cloud storage?
□ Do we review admin roles and risky integrations?
□ Do we have standards and approvals for new cloud resources?
□ Do we track where sensitive data is stored?
Evidence to collect: Cloud role list, storage access settings, audit log settings, and sharing settings.
Why it matters: Cloud exposure is usually caused by permission mistakes, not complex attacks.
9. Logging, Monitoring and Detection Checklist
You cannot respond quickly if you cannot see what is happening.
□ Do we collect logs from the identity provider, email, endpoints, and cloud platforms?
□ Do we have alerting for suspicious logins and new admin creation?
□ Do we have alerting for unusual endpoint behavior?
□ Do we have a defined escalation process when an alert occurs?
□ Do we have someone responsible for monitoring and response after hours?
□ Do we store logs securely with retention that supports investigations?
Evidence to collect: Log sources list, alert rules list, escalation workflow, and retention settings.
Why it matters: Many companies discover incidents late because monitoring is limited or inconsistent.
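Three of the alerts this section and the email section ask for (suspicious sign ins, new admin creation, and suspicious mailbox rule changes) can be expressed as a few lines of logic over your audit events, whatever product collects them. The script below is an added example, not part of the original page or any vendor's product: the event records, field names, role names, known-country baseline and the five-failures-in-ten-minutes threshold are all constructed for illustration. It raises an alert when a burst of failed sign ins is followed by a success, when a success comes from a country the user has never signed in from, when a privileged role is granted (rated higher if the actor grants it to themselves), and when an inbox rule forwards mail outside the company or deletes it.

```python
"""Alerting over constructed identity, email and admin audit events.

Added example. The event records, field names, role names and thresholds are
assumed for illustration and do not match any real product's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in time order (not real data).
EVENTS = [
    {"ts": "2026-03-03T08:01:00", "type": "signin", "user": "bob@example.com", "result": "failure", "country": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T08:02:00", "type": "signin", "user": "bob@example.com", "result": "failure", "country": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T08:03:00", "type": "signin", "user": "bob@example.com", "result": "failure", "country": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T08:04:00", "type": "signin", "user": "bob@example.com", "result": "failure", "country": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T08:05:00", "type": "signin", "user": "bob@example.com", "result": "failure", "country": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T08:06:00", "type": "signin", "user": "bob@example.com", "result": "success", "country": "NL", "ip": "198.51.100.7"},
    {"ts": "2026-03-03T08:07:00", "type": "mailbox_rule", "user": "bob@example.com", "rule_name": "zz",
     "actions": ["forward:attacker@example.net", "delete"]},
    {"ts": "2026-03-03T08:09:00", "type": "role_assign", "actor": "bob@example.com", "target": "bob@example.com", "role": "Global Admin"},
    {"ts": "2026-03-03T09:00:00", "type": "signin", "user": "alice@example.com", "result": "success", "country": "US", "ip": "192.0.2.10"},
    {"ts": "2026-03-03T09:30:00", "type": "mailbox_rule", "user": "alice@example.com", "rule_name": "Invoices",
     "actions": ["move:Invoices"]},
]

INTERNAL_DOMAINS = {"example.com"}                      # assumed: the company's own mail domains
PRIVILEGED_ROLES = {"Global Admin", "Exchange Admin"}   # assumed role names
KNOWN_COUNTRIES = {"bob@example.com": {"US"}, "alice@example.com": {"US"}}  # assumed baseline
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=10)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return (severity, user, description) alerts in the order they fire."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failed sign-ins
    for e in sorted(events, key=_ts):
        t = _ts(e)
        if e["type"] == "signin":
            user = e["user"]
            # Keep only failures inside the sliding window.
            fails = [x for x in recent_failures[user] if t - x <= FAILURE_WINDOW]
            if e["result"] == "failure":
                fails.append(t)
                recent_failures[user] = fails
                continue
            if len(fails) >= FAILURE_THRESHOLD:
                alerts.append(("HIGH", user,
                               f"{len(fails)} failed sign-ins followed by a success from {e['ip']}"))
            if e["country"] not in KNOWN_COUNTRIES.get(user, set()):
                alerts.append(("MEDIUM", user, f"sign-in from previously unseen country {e['country']}"))
            recent_failures[user] = []
        elif e["type"] == "role_assign":
            if e["role"] in PRIVILEGED_ROLES:
                # Self-granted admin rights are a classic post-compromise step.
                severity = "HIGH" if e["actor"] == e["target"] else "MEDIUM"
                alerts.append((severity, e["target"], f"{e['role']} granted by {e['actor']}"))
        elif e["type"] == "mailbox_rule":
            for action in e["actions"]:
                if action.startswith("forward:") and action.split("@")[-1] not in INTERNAL_DOMAINS:
                    alerts.append(("HIGH", e["user"],
                                   f"inbox rule '{e['rule_name']}' forwards mail to an external address"))
                elif action == "delete":
                    alerts.append(("MEDIUM", e["user"], f"inbox rule '{e['rule_name']}' deletes incoming mail"))
    return alerts


if __name__ == "__main__":
    for severity, user, description in detect(EVENTS):
        print(f"{severity:6} {user:20} {description}")
```

The sample walks through a single account takeover end to end: password spraying, a success from a new country, a forward-and-delete inbox rule to hide the attacker's mail, and a self-granted admin role. Each step fires on its own, so even partial log coverage still gives you a chance to catch it; the point of the escalation process in the checklist is that someone acts on the first alert rather than the fourth.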
10. Backup and Disaster Recovery Checklist
Recovery is often the difference between a bad day and a business disaster.
□ Do we back up critical systems and important data?
□ Are backups protected with strong access controls and MFA?
□ Are backups encrypted?
□ Do we keep at least one backup copy offline or immutable so that ransomware with admin access cannot delete or encrypt it?
□ Do we test restores regularly?
□ Do we document RTO and RPO goals for critical systems?
□ Do we have a plan for ransomware recovery?
□ Do we have a documented disaster recovery process and owners?
Evidence to collect: Backup reports, restore test records, recovery objectives, and DR documentation.
Why it matters: Backups that are not tested or not protected can fail when you need them most.
11. Incident Response Readiness Checklist
Incidents are not only possible, they are expected. Readiness reduces damage.
□ Do we have an incident response plan?
□ Do we have defined roles and contact lists?
□ Do we have playbooks for phishing, account takeover, ransomware, and data exposure?
□ Do we know how to isolate devices quickly?
□ Do we know how to preserve evidence and logs?
□ Do we run tabletop exercises at least once a year?
□ Do we have a communication plan for internal updates and external messaging?
Evidence to collect: Incident response plan, playbooks, and tabletop exercise notes.
Why it matters: Without a plan, teams panic, delays happen, and impact grows.
12. Vendor and Third Party Risk Checklist
Many SMBs depend on vendors for IT, payroll, SaaS, and services.
□ Do we have a list of vendors with data access or system access?
□ Do we know what data each vendor handles?
□ Do we restrict vendor access to least privilege?
□ Do we review vendor security practices for critical vendors?
□ Do we define security expectations in contracts where possible?
□ Do we revoke vendor access when projects end?
Evidence to collect: Vendor list, access permissions, and contract security notes.
Why it matters: Third party access can become an indirect entry point.
13. Governance, Policies and Compliance Checklist
Policies provide structure so security stays consistent as you grow.
□ Do we have clear password and MFA policies?
□ Do we have policies for acceptable use and remote work?
□ Do we document change management for critical systems?
□ Do we document access approval processes?
□ Do we maintain a simple risk register and improvement roadmap?
□ Do we track security training completion and policy acknowledgment?
Evidence to collect: Policy documents, training records, and change approval records.
Why it matters: Security must be repeatable, not dependent on memory.
How to Score Your Findings
Use a simple rating to keep it practical:
• Complete means it is implemented and enforced consistently
• Partial means it exists but has gaps or limited coverage
• Missing means it is not implemented or not measurable
Then prioritize based on risk impact and likelihood:
• High impact and high likelihood goes first
• High impact and medium likelihood goes second
• Medium impact items go into planned improvements
• Low impact items can be scheduled later
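If you record each checklist item with its status, impact and likelihood, the prioritization above becomes a sort rather than a judgement call made item by item. The script below is an added example, not part of the original page: it takes a constructed list of findings rated with the Complete / Partial / Missing statuses and High / Medium / Low impact and likelihood, drops completed items, and orders the rest into the four tiers described above. One rule the page does not state is assumed here and marked in the code: high impact with low likelihood is treated as a planned improvement alongside medium impact items.

```python
"""Turn checklist evaluations into a prioritized roadmap.

Added example. The findings list is constructed for illustration; the tier
rules follow the page, except that High impact with Low likelihood is placed in
tier 3 (planned improvements), which is an assumption.
"""
LEVEL = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample evaluation (not real assessment data).
FINDINGS = [
    {"item": "MFA enforced for all admin accounts", "status": "Missing", "impact": "High", "likelihood": "High"},
    {"item": "Restore test run in last quarter", "status": "Missing", "impact": "High", "likelihood": "Medium"},
    {"item": "Local admin rights restricted on laptops", "status": "Partial", "impact": "Medium", "likelihood": "High"},
    {"item": "Vendor access revoked when projects end", "status": "Partial", "impact": "Medium", "likelihood": "Medium"},
    {"item": "Disk encryption on all laptops", "status": "Complete", "impact": "High", "likelihood": "Medium"},
    {"item": "Policy acknowledgment tracked", "status": "Missing", "impact": "Low", "likelihood": "Medium"},
    {"item": "RDP exposed to the internet", "status": "Missing", "impact": "High", "likelihood": "High"},
]


def tier(impact, likelihood):
    """Map impact and likelihood to a tier (1 = fix first)."""
    if impact == "High" and likelihood == "High":
        return 1
    if impact == "High" and likelihood == "Medium":
        return 2
    if impact == "Medium" or impact == "High":
        # Medium impact, and (assumed) High impact with Low likelihood: planned improvements.
        return 3
    return 4  # Low impact: schedule later


def prioritize(findings):
    """Return open findings ordered by tier, then Missing before Partial,
    then higher likelihood first, then by name for a stable order."""
    open_items = [f for f in findings if f["status"] != "Complete"]

    def sort_key(f):
        status_rank = 0 if f["status"] == "Missing" else 1
        return (tier(f["impact"], f["likelihood"]), status_rank, -LEVEL[f["likelihood"]], f["item"])

    return sorted(open_items, key=sort_key)


def roadmap(findings):
    """Group prioritized findings by tier: {tier: [item names]}."""
    grouped = {}
    for f in prioritize(findings):
        grouped.setdefault(tier(f["impact"], f["likelihood"]), []).append(f["item"])
    return grouped


if __name__ == "__main__":
    for t, items in sorted(roadmap(FINDINGS).items()):
        print(f"Tier {t}:")
        for item in items:
            print(f"  - {item}")
```

Keeping the ratings in a file and regenerating the roadmap after each review is the simplest form of the risk register the governance section asks for, and it makes progress visible: a completed item drops out of the list instead of being re-argued at the next meeting.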
Quick Wins for Small and Mid Size Companies
If you want immediate improvements after completing this checklist, start here:
• Enforce MFA for all users, and especially admins
• Remove unused accounts and reduce privileges
• Patch critical internet facing systems
• Secure backups and run a restore test
• Enable logging and alerts for suspicious logins and admin changes
• Train employees on phishing and create a clear reporting path
• Create a basic incident response plan and run a tabletop exercise
These steps reduce risk quickly and build a stronger foundation.
When to Use a Professional Risk Assessment Service
You may want professional help if:
• You have had an incident or near miss
• You are preparing for compliance or customer security reviews
• You are moving to the cloud or expanding quickly
• You lack internal time to validate configurations and controls
• You want a roadmap that leadership can execute with confidence
A professional assessment also helps ensure findings are evidence based and prioritized correctly.
How Security Hawks Can Help
Security Hawks provides cyber security risk assessment services designed for small and mid size companies that want practical results. The focus is on clarity, prioritization, and measurable improvement. After the assessment, you receive a roadmap that helps you strengthen identity security, reduce endpoint and cloud exposure, improve monitoring, and build reliable recovery readiness.
Conclusion
A cyber risk assessment checklist is one of the most practical ways for small and mid size companies to reduce risk in 2026. You do not need perfection. You need visibility, priorities, and consistent execution.