Data Breach Prevention Checklist for Small Businesses

By DeadVault Team

Small businesses are disproportionately targeted by cybercriminals. According to Verizon's Data Breach Investigations Report, 43% of cyberattacks target small businesses, yet only 14% are prepared to defend themselves. The average cost of a data breach for a small business exceeds $120,000 — enough to shut down many companies permanently.

The good news is that most breaches are preventable with basic security measures. This checklist covers the essential steps every small business should take to protect sensitive data.

Document and File Security

Stop Using Email for Sensitive Documents

Email is the single largest attack vector for small businesses. Phishing attacks, compromised accounts, and intercepted messages account for the majority of document-related breaches. Switch to encrypted document sharing for anything containing personal information, financial data, or confidential business information.

  • Audit your email: search your sent folder for attachments containing SSNs, account numbers, or other sensitive data
  • Establish a policy: no sensitive documents via email, no exceptions
  • Provide an alternative: tools like DeadVault make secure document sharing as easy as sending an email, with encryption and automatic expiration built in
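The sent-folder audit above is easy to describe and tedious to do by hand. The script below is an added example (it is not part of the original post and not DeadVault's code): it walks an mbox export of a Sent folder, looks only at attachments, and flags SSN-shaped strings plus digit runs that pass a Luhn check, so a random 14-digit order number is not reported as a card number. The mailbox contents, addresses and numbers are constructed for the example. It handles text attachments only; PDFs and Office files would first need a text extraction step.

```python
import mailbox
import os
import re
import tempfile

# Constructed sample "Sent" mailbox in mbox format (not real mail). The first
# message carries a CSV attachment with an SSN-shaped value and a card-shaped
# number; the second has no attachment and should produce no finding.
SAMPLE_MBOX = """From me@example.com Mon Jan  1 09:00:00 2024
From: me@example.com
To: client@example.com
Subject: Onboarding forms
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY1"

--BOUNDARY1
Content-Type: text/plain

Attached are the forms you asked for.
--BOUNDARY1
Content-Type: text/csv; name="new_hires.csv"
Content-Disposition: attachment; filename="new_hires.csv"

name,ssn,card
Jane Doe,123-45-6789,4111 1111 1111 1111
--BOUNDARY1--

From me@example.com Mon Jan  1 10:00:00 2024
From: me@example.com
To: vendor@example.com
Subject: Lunch menu
Content-Type: text/plain

Pizza on Friday?
"""

# ###-##-#### is the usual SSN shape; expect some false positives.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by spaces or dashes. Candidates are
# confirmed with a Luhn check so arbitrary digit runs are not reported.
DIGIT_RUN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Return SSN-shaped strings and Luhn-valid card numbers found in text."""
    cards = []
    for m in DIGIT_RUN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            cards.append(digits)
    return {"ssn": SSN_RE.findall(text), "card": cards}


def audit_mbox(path: str) -> list:
    """One finding per attachment that contains sensitive-looking data."""
    findings = []
    box = mailbox.mbox(path)
    try:
        for msg in box:
            for part in msg.walk():
                filename = part.get_filename()
                if not filename:
                    continue  # body text or multipart container, not an attachment
                payload = part.get_payload(decode=True) or b""
                hits = find_sensitive(payload.decode("utf-8", errors="replace"))
                if hits["ssn"] or hits["card"]:
                    findings.append({
                        "subject": msg["subject"],
                        "to": msg["to"],
                        "filename": filename,
                        "ssn_count": len(hits["ssn"]),
                        "card_count": len(hits["card"]),
                    })
    finally:
        box.close()
    return findings


def audit_sample() -> list:
    """Write the constructed mailbox to a temp file and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
        path = fh.name
    try:
        return audit_mbox(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run it against a real export with `audit_mbox("Sent.mbox")`; the output is the list of messages whose attachments need to be recalled, re-sent through an encrypted channel, or at least recorded as already exposed. Only counts are kept in the findings so the audit report itself does not become another copy of the sensitive data.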

Encrypt Sensitive Files at Rest

Files stored on your computers, servers, and cloud storage should be encrypted. If a device is stolen or a server is breached, encryption prevents the attacker from reading the files.

  • Enable full-disk encryption on all company devices (BitLocker for Windows, FileVault for Mac)
  • Use encrypted cloud storage for sensitive business documents
  • Encrypt backups — an unencrypted backup is just as vulnerable as an unencrypted original

Implement Document Expiration

Every document you store is a potential liability in a breach. Implement retention policies and use tools that automatically destroy documents after they have served their purpose. The less data you retain, the less damage a breach can cause.
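A retention policy only reduces breach impact if something actually enforces it. The script below is an added example, not part of the original post and not DeadVault's code: it maps each folder to a maximum age in days, lists every file past its limit, and deletes them only when run without `dry_run`. The folder names, ages and retention periods are constructed for the demonstration; the real numbers come from your legal and contractual obligations.

```python
import os
import tempfile
import time
from pathlib import Path

# Retention policy: folder name -> days a file may live after its last
# modification. Constructed values for the example only.
DEFAULT_POLICY = {"intake_forms": 30, "invoices": 365 * 7, "scratch": 7}
DAY = 86400


def expired_files(root, policy, now=None):
    """Files under each policed folder whose mtime is older than its limit."""
    now = time.time() if now is None else now
    expired = []
    for folder, days in policy.items():
        base = Path(root) / folder
        if not base.is_dir():
            continue
        cutoff = now - days * DAY
        for p in base.rglob("*"):
            if p.is_file() and p.stat().st_mtime < cutoff:
                expired.append(p)
    return sorted(expired)


def enforce(root, policy, now=None, dry_run=True):
    """Return relative paths past retention; delete them unless dry_run is set."""
    removed = []
    for p in expired_files(root, policy, now):
        if not dry_run:
            p.unlink()
        removed.append(str(p.relative_to(root)))
    return removed


def build_demo_tree():
    """Constructed fixture: a temp tree with files back-dated via os.utime."""
    root = tempfile.mkdtemp()
    now = time.time()
    ages = {  # relative path -> age in days
        "intake_forms/jane_doe.pdf": 45,
        "intake_forms/new_hire.pdf": 2,
        "invoices/2019-03.pdf": 400,
        "scratch/notes.txt": 10,
    }
    for rel, age_days in ages.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder content")
        stamp = now - age_days * DAY
        os.utime(p, (stamp, stamp))
    return root, now


if __name__ == "__main__":
    root, now = build_demo_tree()
    print("would delete:", enforce(root, DEFAULT_POLICY, now, dry_run=True))
```

Schedule the dry run first and review its output for a few cycles before switching to real deletion. Note that `unlink` removes the directory entry, not the disk blocks; on a full-disk-encrypted volume that is acceptable because the blocks are unreadable without the key, which is one more reason the encryption item below matters. Cloud storage has its own version history and trash retention, which the policy must cover separately.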

Access Control

Use Strong, Unique Passwords

  • Require passwords of at least 12 characters
  • Use a password manager (Bitwarden, 1Password, or similar) for the entire team
  • Never reuse passwords across services
  • Change default passwords on all equipment and software immediately

Enable Multi-Factor Authentication (MFA)

MFA is the single most effective security measure you can implement. It prevents the vast majority of account compromise attacks, even when passwords are stolen.

  • Enable MFA on all business email accounts (this is the highest priority)
  • Enable MFA on cloud storage, banking, and any system containing sensitive data
  • Use authenticator apps (Google Authenticator, Authy) rather than SMS-based MFA when possible

Apply Least Privilege

Employees should only have access to the systems and data they need for their specific role. When an employee changes roles or leaves, update their access immediately.

Employee Training

Phishing Awareness

Over 90% of successful cyberattacks begin with a phishing email. Train employees to recognize phishing attempts:

  • Check sender addresses carefully — look for slight misspellings or unusual domains
  • Be suspicious of urgent requests, especially those involving money transfers or password changes
  • Never click links in unexpected emails — go directly to the website instead
  • Report suspected phishing attempts to your IT team or security point person
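The first bullet, checking sender addresses for slight misspellings, is exactly the kind of thing a mail filter can do before a person has to. The code below is an added example, not part of the original post: it compares the sender's domain against a small allowlist of your own and your partners' domains, and flags domains that match after collapsing common look-alike characters, that are within two edits of a trusted domain, or that embed a trusted name inside an unrelated domain. The allowlist and addresses are constructed; the registrable-domain guess (last two labels) is deliberately naive.

```python
import re

# Constructed allowlist: your own domains plus partners you exchange mail with.
TRUSTED_DOMAINS = {"example.com", "bankofexample.com"}


def skeleton(text: str) -> str:
    """Collapse common visual confusables so 'exarnple' and 'examp1e'
    compare equal to 'example'. Deliberately small; extend for your alphabet."""
    text = text.lower()
    for pair, single in (("rn", "m"), ("vv", "w")):
        text = text.replace(pair, single)
    return text.translate(str.maketrans("01357", "olest"))


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str):
    """Domain part of 'Name <user@host>' or 'user@host'; None if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower().rstrip(".") if m else None


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, detail): trusted, lookalike, unknown or malformed."""
    domain = sender_domain(address)
    if domain is None:
        return "malformed", "no @domain found"
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    # Naive registrable-domain guess: last two labels. A production filter
    # would consult the Public Suffix List so 'example.co.uk' is handled.
    registrable = ".".join(domain.split(".")[-2:])
    for t in trusted:
        name = t.split(".")[0]
        if skeleton(registrable) == skeleton(t):
            return "lookalike", f"homoglyph of {t}"
        if levenshtein(registrable, t) <= max_distance:
            return "lookalike", f"within {max_distance} edits of {t}"
        if name in domain:
            return "lookalike", f"embeds the name '{name}' of {t}"
    return "unknown", registrable


if __name__ == "__main__":
    for addr in ("Jane <jane@example.com>", "alerts@exarnple.com",
                 "support@example.com.secure-login.net", "news@unrelated.org"):
        print(addr, "->", classify_sender(addr))
```

A "lookalike" verdict is a reason to quarantine or tag the message for review, not proof of fraud; legitimate sibling domains such as a partner's `.org` will also land within two edits, so add them to the allowlist rather than raising `max_distance`.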

Device Security

  • Lock screens when stepping away from devices
  • Do not use public Wi-Fi for business activities without a VPN
  • Do not plug in unknown USB devices
  • Report lost or stolen devices immediately

Network and System Security

Keep Software Updated

Software updates often include patches for known security vulnerabilities. Delaying updates leaves your systems exposed to attacks that exploit those vulnerabilities.

  • Enable automatic updates on all operating systems and software
  • Replace end-of-life software that no longer receives security updates
  • Update firmware on routers, printers, and other network devices

Use a Firewall and Antivirus

  • Ensure your network firewall is enabled and properly configured
  • Install reputable antivirus software on all company devices
  • Consider a DNS-based security service (like Cloudflare Gateway) for additional protection

Secure Your Wi-Fi

  • Use WPA3 encryption (or WPA2 at minimum)
  • Change the default router admin password
  • Create a separate guest network for visitors
  • Hide your business network SSID if practical

Backup and Recovery

Follow the 3-2-1 Rule

Maintain three copies of important data, on two different types of media, with one copy stored off-site. This protects against hardware failure, ransomware, theft, and natural disasters.

  • Automate backups — manual backups get forgotten
  • Test restoration regularly — a backup you cannot restore is useless
  • Encrypt backup data
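"Test restoration regularly" needs a definition of pass and fail. The code below is an added example, not part of the original post: it records a SHA-256 manifest of the source tree at backup time and later compares a restored copy against it, reporting files that are missing, changed, or unexpected. The source files, the faithful restore and the damaged restore are all constructed inside temporary directories so the example runs stand-alone.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(set(restored) - set(manifest))
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted, "extra": extra}


def demo():
    """Constructed fixture: a source tree, a faithful restore and a damaged one."""
    src = Path(tempfile.mkdtemp())
    (src / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
    (src / "docs").mkdir()
    (src / "docs" / "policy.txt").write_text("retain invoices 7 years\n")
    manifest = build_manifest(src)  # store this with the off-site copy

    good = Path(tempfile.mkdtemp())
    shutil.copytree(src, good, dirs_exist_ok=True)

    bad = Path(tempfile.mkdtemp())
    shutil.copytree(src, bad, dirs_exist_ok=True)
    (bad / "ledger.csv").write_text("date,amount\n2024-01-01,999\n")  # silent corruption
    (bad / "docs" / "policy.txt").unlink()  # incomplete restore

    return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("faithful restore:", good_report)
    print("damaged restore:", bad_report)
```

Keep the manifest with the off-site copy rather than only on the machine being backed up, so ransomware that alters source files cannot also alter the record you check against, and restore into a scratch location, never over the live data.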

Incident Response

Have a Plan Before You Need One

Create a written incident response plan that covers:

  • Who to contact (IT support, legal counsel, insurance provider, law enforcement)
  • Steps to contain the breach (isolate affected systems, change credentials)
  • Notification requirements (many states require breach notification within specific timeframes)
  • Documentation procedures (record everything for insurance claims and regulatory compliance)

Start With the Highest-Impact Items

If this checklist feels overwhelming, start with these three actions that prevent the majority of breaches: enable MFA on all email accounts, stop sending sensitive documents via email and switch to an encrypted platform like DeadVault, and train employees on phishing recognition. These three steps alone will dramatically reduce your breach risk.
