Equal Tech Solutions
Free guide · Updated May 2026

The Tennessee Small Business Cybersecurity Checklist

Thirty-five concrete, plain-English controls — the same checklist our senior engineers walk through with businesses across Tennessee, North Georgia, and the Southeast US. No jargon, no fear-selling, no signup. Read it, print it, and act on it.

Most small-business breaches are not the work of sophisticated nation-state hackers. They are the predictable result of a missing basic — a password reused from a breached website, a laptop without modern protection, a backup nobody ever tested. The good news: the same short list of fundamentals stops the overwhelming majority of them.

This checklist organizes those fundamentals into seven areas. Work through it honestly and mark each item as done, partial, or not started. Anything that is not a clear “done” is a gap worth a conversation.

Tip: print this page

Use your browser’s print command to turn this guide into a working worksheet you can take into a team meeting or a board review. Share the link freely — this resource is free to use and cite.

Section 01

Identity & access control

Stolen and reused passwords are behind the large majority of business breaches. Locking down who can sign in — and how — is the single highest-return area on this list.

  • Enforce multi-factor authentication (MFA) on every account

    Email, banking, remote access, line-of-business apps — all of it. Where the option exists, use phishing-resistant MFA (passkeys or FIDO2 security keys) rather than SMS codes, which can be intercepted.

  • Separate admin accounts from everyday accounts

    The account used to read email should never be the account that can change company-wide settings. A compromised day-to-day login should not hand an attacker the keys to the whole environment.

  • Roll out a password manager and kill password reuse

    One breached personal site becomes your incident the moment an employee reused that password at work. A managed password manager makes unique, strong passwords the path of least resistance.

  • Remove access the day someone leaves

    Offboarding should disable accounts, revoke sessions, and reclaim devices on the employee's last day — not weeks later. Former-employee logins are a quiet, common breach vector.

  • Review who can access what every quarter

    Permissions accumulate. Schedule a quarterly review of admin rights, shared mailboxes, file-share access, and third-party app connections, and strip anything no longer needed.
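The five identity controls above are the kind of thing a quarterly review actually checks row by row. The script below is an added example, not a tool from Equal Tech Solutions: it runs over a constructed account export (the column names are an assumption; map them to whatever your identity provider or admin console exports) and flags the gaps the checklist names: terminated users still enabled, accounts without phishing-resistant MFA, admin accounts that double as everyday mailboxes, and logins nobody has used in a quarter.

```python
"""Quarterly access review over a constructed account export.

Added example, not a script from Equal Tech Solutions. The column names
below are an assumption; map them to whatever your identity provider or
Microsoft 365 / Google Workspace admin console actually exports.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export. Every row here is invented for the example.
SAMPLE_EXPORT = """\
username,is_admin,mfa_type,has_mailbox,last_login,terminated_on,enabled
jdoe,false,passkey,yes,2026-05-02,,true
jdoe-admin,true,fido2,no,2026-04-28,,true
mwilson,false,sms,yes,2026-05-01,,true
rlee,true,none,yes,2026-03-10,,true
tbrown,false,passkey,yes,2026-01-15,2026-02-01,true
svc-scanner,false,none,no,2025-09-01,,true
"""

# MFA methods the checklist treats as phishing-resistant.
PHISHING_RESISTANT = {"passkey", "fido2"}


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["is_admin"] = row["is_admin"].lower() == "true"
        row["enabled"] = row["enabled"].lower() == "true"
        row["last_login"] = _parse_date(row["last_login"])
        row["terminated_on"] = _parse_date(row["terminated_on"])
        rows.append(row)
    return rows


def review_access(rows, today, stale_after=timedelta(days=90)):
    """Return (username, category, detail) findings for the review meeting."""
    findings = []
    for r in rows:
        user = r["username"]
        # Offboarding gap: the person left but the login still works.
        if r["terminated_on"] and r["enabled"]:
            findings.append((user, "offboarding",
                             f"terminated {r['terminated_on']} but account still enabled"))
        # MFA gap; admins are called out separately because the blast radius is larger.
        if r["enabled"] and r["mfa_type"] not in PHISHING_RESISTANT:
            category = "admin-mfa" if r["is_admin"] else "mfa"
            findings.append((user, category,
                             f"MFA method '{r['mfa_type']}' is not phishing-resistant"))
        # Admin separation: an admin account with a mailbox is being used day to day.
        if r["is_admin"] and r["has_mailbox"] == "yes":
            findings.append((user, "admin-separation",
                             "admin account also holds a mailbox"))
        # Stale access: enabled but unused for a full quarter.
        if r["enabled"] and r["last_login"] and today - r["last_login"] > stale_after:
            findings.append((user, "stale",
                             f"no sign-in for {(today - r['last_login']).days} days"))
    return findings


def review_sample(today_iso="2026-05-15"):
    """Run the review over the constructed export as of a given date."""
    return review_access(parse_export(SAMPLE_EXPORT), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for user, category, detail in review_sample():
        print(f"{category:17} {user:12} {detail}")
```

Run it as-is and it reports seven findings against the constructed export; the `jdoe` / `jdoe-admin` pair shows what "clean" looks like: a daily account with a passkey and a separate admin account with a security key and no mailbox.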

Section 02

Endpoints & devices

Every laptop, desktop, and phone that touches company data is a way in. Modern endpoint protection and disciplined patching close the doors attackers actually use.

  • Run EDR, not just consumer antivirus

    Endpoint Detection and Response watches behavior and can isolate a compromised machine automatically. Signature-only antivirus misses the modern attacks that matter.

  • Patch operating systems and apps within days

    Attackers weaponize new vulnerabilities within days of disclosure. Aim to apply critical patches on a fixed weekly cadence, not whenever someone gets around to it.

  • Encrypt every laptop and mobile device

    BitLocker on Windows and FileVault on Mac turn a stolen or lost device from a data breach into an inconvenience. Confirm encryption is actually on — it is not always the default.

  • Get off Windows 10

    Windows 10 reached end of support on October 14, 2025. Unpatched machines are now a cyber-insurance disqualifier and a standing ransomware risk. Inventory the fleet and upgrade or replace.

  • Require auto-lock and strong screen passcodes

    Devices should lock automatically after a few idle minutes and require a real passcode or biometric. This is a free control that closes the 'walked away from the desk' gap.

Section 03

Email & phishing defense

Email is still the front door for most attacks — phishing, business email compromise, and invoice fraud. Layered email defenses plus trained people stop the overwhelming majority.

  • Turn on advanced email filtering

    The default spam filter is not enough. A proper email security gateway scans links and attachments at delivery and at click time, and catches impersonation attempts.

  • Publish SPF, DKIM, and DMARC for your domain

    These DNS records stop criminals from sending email that looks like it came from your company. Without them, your domain can be spoofed against your own customers.

  • Verify every payment or banking change out of band

    Any request to change bank details, wire funds, or update direct deposit gets confirmed by a phone call to a known number — never by replying to the email. This stops most invoice and payroll fraud.

  • Train staff to spot phishing — and test them

    Run short, regular security-awareness training plus simulated phishing. People are the last line of defense; treat that line as something you maintain, not something you hope for.

  • Flag external email with a banner

    A simple 'This message came from outside the organization' banner gives employees an instant cue to slow down on the messages most likely to be an attack.
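The SPF, DKIM and DMARC item above is the one on this list you can verify from outside your own network. The following is an added example, not code from the page's author: it evaluates the three record types for two placeholder domains (weak.example and strong.example) using constructed DNS answers held in a dictionary, so it runs offline; a real check would fetch the TXT records with a DNS library instead. The DKIM selector name "selector1" and the public key value are assumptions.

```python
"""Evaluate SPF, DKIM and DMARC records from constructed DNS answers.

Added example, not code from the page's author. The TXT records below are
constructed for the placeholder domains weak.example and strong.example;
a real check would fetch them with a DNS library such as dnspython.
"""

# Constructed TXT answers keyed by DNS name. The DKIM public key is a placeholder.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "selector1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
}


def _costs_lookup(term):
    """SPF mechanisms that trigger a DNS lookup; RFC 7208 caps these at 10."""
    t = term.lstrip("+-~?")
    return (t.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:"))
            or t in ("a", "mx", "ptr"))


def check_spf(domain, txt):
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record, so receivers cannot tell forged mail from yours"]
    findings = []
    if len(records) > 1:
        findings.append("SPF: more than one record; RFC 7208 treats this as a permanent error")
    terms = records[0].split()[1:]
    lookups = sum(1 for t in terms if _costs_lookup(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceeds the limit of 10; the record fails")
    final = terms[-1] if terms else ""
    if final in ("~all", "?all"):
        findings.append(f"SPF: ends in '{final}', so spoofed mail is only marked, not refused")
    elif final in ("+all", "all"):
        findings.append("SPF: ends in '+all', which authorises every sender on the internet")
    elif final != "-all":
        findings.append("SPF: no terminating 'all' mechanism")
    return findings


def check_dkim(domain, selectors, txt):
    published = [s for s in selectors
                 if any(r.lower().startswith("v=dkim1")
                        for r in txt.get(f"{s}._domainkey.{domain}", []))]
    if not published:
        return [f"DKIM: no key published for selectors {', '.join(selectors)}"]
    return []


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(domain, txt):
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["DMARC: no record, so SPF/DKIM failures carry no instruction to the receiver"]
    tags = parse_dmarc(records[0])
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy '{policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    return findings


def audit_domain(domain, txt=SAMPLE_TXT, selectors=("selector1",)):
    """All findings for one domain; an empty list means the three records are in order."""
    return (check_spf(domain, txt)
            + check_dkim(domain, list(selectors), txt)
            + check_dmarc(domain, txt))


if __name__ == "__main__":
    for name in ("weak.example", "strong.example"):
        print(name, audit_domain(name) or ["all three records look good"])
```

The point the checklist makes is visible in the output: weak.example has all three records and still gets three findings, because a soft-fail SPF and a `p=none` DMARC policy describe your mail without telling anyone to reject forgeries.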

Section 04

Backup & recovery

Backups are what turn a ransomware attack from a business-ending event into a bad week. The catch: a backup you have never restored from is a guess, not a safety net.

  • Follow the 3-2-1 rule

    Keep three copies of your data, on two different types of media, with one copy off-site. It is the baseline that survives hardware failure, theft, and site-level disasters.

  • Keep one immutable or air-gapped copy

    Modern ransomware hunts for and deletes backups. At least one copy must be immutable or air-gapped so it cannot be encrypted or erased even if an attacker gets admin rights.

  • Back up Microsoft 365 and Google Workspace separately

    Microsoft and Google keep your service running — they do not guarantee recovery of email and files you lose to deletion, ransomware, or a compromised account. That is your responsibility.

  • Test a real restore at least quarterly

    Actually recover files and a system from backup on a schedule. Most backup failures are discovered during a crisis, when it is far too late to fix them.

  • Write down your RTO and RPO

    Decide how much downtime (Recovery Time Objective) and how much data loss (Recovery Point Objective) the business can tolerate, then confirm your backup design actually meets those numbers.
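The 3-2-1 rule, the immutable-copy rule and the RTO/RPO item above are easiest to judge together, because a backup design can satisfy 3-2-1 and still miss its recovery objective once the only surviving copy is the slow one. The block below is an added example, not code from the page's author: it scores a constructed backup design (the copies, refresh intervals and restore times are invented for the example) against all three items, and it refuses to count a copy toward the RTO unless a real restore has been tested recently.

```python
"""Score a backup design against 3-2-1, the immutable-copy rule and RTO/RPO.

Added example, not code from the page's author. The copies and numbers are
constructed; replace them with your own measured restore times.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    role: str                          # "primary" (live data) or "backup"
    media: str                         # e.g. "disk", "cloud-object", "tape"
    offsite: bool
    immutable: bool                    # object lock, WORM tape, or air-gapped
    interval_hours: float              # how often this copy is refreshed (0 for primary)
    restore_hours: float               # measured time to recover a system from it
    last_restore_test_days: Optional[int]   # days since a real restore test; None if never


@dataclass
class Objectives:
    rto_hours: float   # tolerable downtime
    rpo_hours: float   # tolerable data loss, expressed as time


# Constructed design: live file server, a NAS in the same office, one cloud vault.
SAMPLE_COPIES = [
    BackupCopy("file-server", "primary", "disk", False, False, 0, 0, None),
    BackupCopy("office-nas", "backup", "disk", False, False, 24, 4, 30),
    BackupCopy("cloud-vault", "backup", "cloud-object", True, True, 24, 12, None),
]
SAMPLE_GOALS = Objectives(rto_hours=8, rpo_hours=24)


def evaluate(copies: List[BackupCopy], goals: Objectives, test_within_days: int = 90) -> List[str]:
    findings = []
    backups = [c for c in copies if c.role == "backup"]

    # 3-2-1: three copies (primary included), two media types, one off-site.
    if len(copies) < 3:
        findings.append(f"3-2-1: only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("3-2-1: every copy is on the same media type")
    if not any(c.offsite for c in backups):
        findings.append("3-2-1: no off-site copy")

    # Ransomware rule: at least one copy an attacker with admin rights cannot erase.
    immutable = [c for c in backups if c.immutable]
    if not immutable:
        findings.append("no immutable or air-gapped copy; ransomware can delete every backup")

    # RPO: the most frequently refreshed backup bounds how much data you can lose.
    if backups:
        fastest_refresh = min(c.interval_hours for c in backups)
        if fastest_refresh > goals.rpo_hours:
            findings.append(f"RPO: fastest refresh is {fastest_refresh}h, objective is {goals.rpo_hours}h")

    # A never-restored backup is a guess, so untested copies do not count toward RTO.
    tested = []
    for c in backups:
        if c.last_restore_test_days is None or c.last_restore_test_days > test_within_days:
            findings.append(f"{c.name}: no restore test in the last {test_within_days} days")
        else:
            tested.append(c)
    if not tested or min(c.restore_hours for c in tested) > goals.rto_hours:
        findings.append(f"RTO: no tested copy restores within {goals.rto_hours}h")

    # Worst case: ransomware wipes everything except the immutable copies.
    if immutable:
        slowest_case = min(c.restore_hours for c in immutable)
        if slowest_case > goals.rto_hours:
            findings.append(f"RTO under ransomware: only immutable copies survive, and the fastest "
                            f"of those restores in {slowest_case}h against an objective of {goals.rto_hours}h")
    return findings


def evaluate_sample() -> List[str]:
    return evaluate(SAMPLE_COPIES, SAMPLE_GOALS)


if __name__ == "__main__":
    for line in evaluate_sample() or ["design meets every objective"]:
        print("-", line)
```

The constructed design passes 3-2-1 and has an immutable copy, yet it still produces two findings: the cloud vault has never been restore-tested, and if ransomware takes out the office NAS the remaining copy takes twelve hours to restore against an eight-hour RTO. That second finding is the one most businesses only discover during the incident.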

Section 05

Network & infrastructure

The network is the perimeter and the plumbing. A handful of disciplined choices here removes the exposed entry points attackers scan the internet for every day.

  • Run a business-grade firewall and keep its firmware current

    A consumer router is not a business firewall. Use proper hardware, keep firmware patched, and review the rule set so nothing is exposed that does not need to be.

  • Segment guest Wi-Fi and IoT onto separate VLANs

    Cameras, printers, smart devices, and guest traffic should never share a network with your servers and workstations. Segmentation stops one cheap device from becoming a path to everything.

  • Close exposed remote desktop (RDP)

    RDP open to the internet is one of the most common ransomware entry points. Put remote access behind a VPN or, better, a Zero Trust access service — never directly on the public internet.

  • Change every default credential

    Firewalls, switches, access points, cameras, NAS devices — all ship with known default passwords. Change them all, and disable accounts you do not use.

  • Move toward Zero Trust access

    Where you can, replace always-on VPNs with Zero Trust Network Access, which verifies the user and device for each connection instead of trusting anyone already 'inside' the network.
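Reviewing the rule set, closing exposed RDP and keeping guest and IoT traffic off the server VLAN are all questions you can ask of the firewall's rule table. The block below is an added example, not code from the page's author: it walks a constructed allow-list (the rule format and the VLAN address ranges are assumptions) and flags two things the section warns about, management services reachable from the whole internet and untrusted VLANs with a path to servers, including the easy-to-miss case where an "any" destination quietly includes the server network.

```python
"""Review a firewall rule set for exposed management ports and broken segmentation.

Added example, not code from the page's author. The rule format and the
VLAN address ranges are assumptions; export your own rules into this shape.
"""
import ipaddress

# Assumed VLAN layout for the example.
SERVER_NET = ipaddress.ip_network("10.10.0.0/24")
UNTRUSTED_NETS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),
    "guest": ipaddress.ip_network("10.30.0.0/24"),
}
ANY = ipaddress.ip_network("0.0.0.0/0")

# Services that should never be reachable from the open internet.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed rule set, read top to bottom with an implicit deny at the end.
SAMPLE_RULES = [
    {"name": "web-in",     "action": "allow", "src": "0.0.0.0/0",       "dst": "203.0.113.10/32", "port": 443},
    {"name": "rdp-in",     "action": "allow", "src": "0.0.0.0/0",       "dst": "203.0.113.10/32", "port": 3389},
    {"name": "iot-to-lan", "action": "allow", "src": "10.20.0.0/24",    "dst": "10.10.0.0/24",    "port": "any"},
    {"name": "vpn-rdp",    "action": "allow", "src": "198.51.100.0/24", "dst": "10.10.0.0/24",    "port": 3389},
    {"name": "guest-out",  "action": "allow", "src": "10.30.0.0/24",    "dst": "0.0.0.0/0",       "port": 443},
]


def review_rules(rules, server_net=SERVER_NET, untrusted=UNTRUSTED_NETS):
    """Return (rule name, category, detail) findings for every risky allow rule."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        port = rule["port"]

        # A management service reachable from anywhere on the internet.
        if src == ANY and (port == "any" or port in MANAGEMENT_PORTS):
            label = "all ports" if port == "any" else f"{MANAGEMENT_PORTS[port]} ({port})"
            findings.append((rule["name"], "exposed", f"{label} open to the internet"))

        # An untrusted VLAN that can reach the server VLAN. overlaps() catches the
        # case where the destination is 0.0.0.0/0, which includes the servers.
        for vlan, net in untrusted.items():
            if src.overlaps(net) and dst.overlaps(server_net):
                findings.append((rule["name"], "segmentation",
                                 f"{vlan} VLAN can reach the server network"))
    return findings


if __name__ == "__main__":
    for name, category, detail in review_rules(SAMPLE_RULES):
        print(f"{category:13} {name:12} {detail}")
```

Against the constructed rules, `web-in` (HTTPS to a public web server) and `vpn-rdp` (RDP only from the VPN address pool) pass, which is the shape the section recommends; `rdp-in`, `iot-to-lan` and `guest-out` are each flagged.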

Section 06

Data protection & compliance

Tennessee businesses answer to a real set of obligations — state breach-notification law plus whatever federal framework fits your industry. Knowing which ones apply is half the battle.

  • Know which rules apply to you

    Tennessee's data breach notification law applies to nearly every business. On top of that: HIPAA for healthcare, the FTC Safeguards Rule for 'financial institutions' (defined broadly), PCI DSS if you take cards, and CMMC for defense contractors.

  • Inventory where sensitive data lives

    You cannot protect data you cannot find. Map where customer records, financial data, health information, and credentials are stored, copied, and sent — including in email and personal devices.

  • Write a Written Information Security Plan (WISP)

    The FTC Safeguards Rule and IRS Publication 4557 require a documented security plan. Even where it is not mandatory, a WISP is what turns ad-hoc habits into an auditable program.

  • Minimize what you keep

    You cannot lose what you never stored. Set retention limits and securely dispose of old records, old laptops, and old backups. Less retained data means a smaller breach when one happens.

  • Match your controls to your cyber-insurance policy

    Insurers now require MFA, EDR, tested backups, and training to issue or renew a policy — and a claim can be denied if the controls you attested to were not actually in place. Confirm you meet what you signed.

Section 07

People, process & response

Tools fail quietly without process behind them. The last section is about being ready: a plan you have rehearsed, vendors you have vetted, and an outside set of eyes once a year.

  • Write and rehearse an incident response plan

    Decide in advance who is in charge during an incident, who to call (IT, insurer, legal, law enforcement), and the first steps to take. Then run a tabletop exercise so it is muscle memory, not improvisation.

  • Make security-awareness training continuous

    A once-a-year video does not change behavior. Short, frequent training plus phishing simulations keeps security front-of-mind and measurably reduces click rates over time.

  • Vet vendors before granting access

    Your security is only as strong as the partners who can reach your systems and data. Ask vendors how they protect their access, and limit what each one can touch.

  • Know your breach-notification clock

    If personal information is exposed, the law gives you a limited window to notify affected people. Knowing the deadline before an incident — not during one — keeps a bad day from becoming a legal problem.

  • Get an independent assessment every year

    An outside review catches the gaps that familiarity hides. An annual third-party assessment gives you — and your insurer and auditors — an honest baseline to improve from.

The Tennessee context

What the law expects of a Tennessee business

Tennessee’s data breach notification law (Tenn. Code Ann. § 47-18-2107) requires businesses that hold computerized personal information to notify affected Tennessee residents when that data is acquired by an unauthorized person — generally within 45 days of discovering the breach. The definition of a covered business is broad enough that it reaches nearly every company in the state.

Depending on your industry, federal rules stack on top: the HIPAA Security Rule for healthcare, the FTC Safeguards Rule for the broadly-defined category of “financial institutions,” PCI DSS if you accept card payments, and CMMC for the defense supply chain. Most of these require a documented, written security program — not just good intentions.

This guide is general educational information, not legal advice. Statutes and deadlines change — confirm your specific obligations with qualified legal counsel and your insurer.

Checklist FAQ

Common questions from Tennessee business owners.

Start with four controls, in this order: turn on multi-factor authentication everywhere, get tested off-site and immutable backups in place, deploy EDR on every device, and run security-awareness training. Those four stop the large majority of incidents that actually hit small businesses, and they are also the controls cyber-insurance underwriters look for first.

Yes. Tennessee's data breach notification law (Tenn. Code Ann. § 47-18-2107) requires businesses that own or license computerized personal information to notify affected Tennessee residents when that information is acquired by an unauthorized person — generally no later than 45 days after the breach is discovered. Because the definition of a business is broad, nearly every Tennessee company is subject to it. This checklist is general guidance, not legal advice; confirm your specific obligations with counsel.

Possibly — it reaches far beyond banks. The FTC Safeguards Rule covers 'financial institutions,' which it defines broadly to include accountants and tax preparers, auto dealers, mortgage brokers, finance companies, collection agencies, and many other businesses that handle consumer financial data. If it applies, you are required to maintain a written information security program with specific safeguards. When in doubt, have it assessed.

No. Microsoft secures its platform; you are responsible for how you configure and use it. Microsoft 365 does not, by default, enforce phishing-resistant MFA, retain a recoverable backup of your mailboxes and files, or train your staff. Cloud services operate on a shared-responsibility model — most of this checklist is the customer's half of that split.

Most of the highest-impact items — enforcing MFA, separating admin accounts, closing exposed RDP, building an incident response plan — cost time and discipline, not money. The paid layers (EDR, an email security gateway, immutable backup, training) are typically priced per user per month. See our pricing page for how flat-fee managed plans bundle these, or book a free assessment for a number scoped to your environment.

Yes — that is exactly what we do for businesses across Cleveland, Chattanooga, Knoxville, Nashville, Atlanta, and the wider Southeast US. A free assessment walks your environment against this list, flags the real gaps, and gives you a written remediation plan you own, whether or not you ever become a managed client.

Free assessment

Not sure where your real gaps are?

We will walk this checklist against your actual environment, flag what matters, and give you a plain-English remediation plan — no obligation. Call 423-599-6006 or book online.

What to expect

  1. 30-minute discovery call

     We listen first — your environment, pain points, and goals.

  2. Free IT assessment

     Senior engineer reviews your stack and flags real risks.

  3. Plain-English roadmap

     Clear scope, clear pricing. Walk away with a plan, not a pitch.