The small business cloud security checklist: 15 checks before you store customer data | Sentido

The small business cloud security checklist: 15 checks before you store customer data

By Carl Mills - cloud & security engineer • Published 9 July 2026 • Last updated

TL;DR

You don't need a security team; you need the basics done deliberately. The big four: MFA everywhere (blocks most account takeovers, free), one person ≠ one point of failure (no shared logins, remove leavers same-day), backups you've actually restored, and updates turned on. The UK government's breaches survey consistently finds about 4 in 10 businesses detect attacks each year, and US and Australian figures tell the same story - almost all automated, almost all stopped by this list. Nearly everything below is free; the rest is 1-3 days of help.

Accounts & access (the way in)

1. MFA on every account that matters

Cloud console, business email, domain registrar, payment provider, code hosting. Email especially - it's the reset key to everything else. Cost: free. Time: an hour.

2. No shared logins

"The office login" means no audit trail and no way to remove one person's access. Every human gets their own account; every system gets its own credential.

3. Leavers lose access the day they leave

Keep a one-page list of every system with an account. Offboarding = walk the list. The ex-contractor who still has production access is a classic small-business breach story.

4. Least privilege on the cloud account

The marketing freelancer doesn't need billing admin. Owners keep the root/owner account in a drawer (MFA'd, unused) and work from named admin accounts.

5. A password manager for the team

Reused passwords are how one leaked site becomes your breach. £2-4/user/month ends it.

Data (the thing they're after)

6. Know what customer data you hold and where

One paragraph: what you collect, which systems it lives in, who can see it. Privacy law requires this almost everywhere English is spoken - GDPR in the UK/EU, CCPA/CPRA in California, PIPEDA in Canada, the Privacy Act in Australia - and security-wise, you can't protect what you haven't listed.

7. Collect less

Every field you don't collect is a field that can't leak. Date of birth "just in case" is liability, not data.

8. Backups exist - and you've restored one

Turn on provider backups for every database and file store, then do one test restore and note how long it took. An unrestored backup is a rumour. Ransomware's only real answer is a working restore.

9. Nothing sensitive in public buckets or spreadsheets-by-link

"Anyone with the link" is public. Audit your file shares and storage buckets; scanners find open buckets within hours of creation.

10. Encrypt laptops and phones

BitLocker/FileVault plus a PIN turns a stolen laptop from a data breach into a hardware cost.

Systems (the doors and windows)

11. Updates turned on, everywhere

OS, browsers, plugins, dependencies. Most successful attacks exploit vulnerabilities that had patches available for months. Automatic updates are the highest-value setting in security.

12. Your app passes the basics

If you run custom software (including AI-built - see the vibe coding checklist): no secrets in code, server-side permission checks, security headers set. Thirty minutes with a scanner beats an incident.

13. The domain and email are locked down

Registrar account MFA'd, domain transfer lock on, and SPF/DKIM/DMARC records set so criminals can't send invoices as you. (Email spoofing of small firms is rampant precisely because these three DNS records are so rarely set.)

People & paper (the part that fails first)

14. The team knows the two big scams

Invoice redirection ("we've changed bank details") and urgent-boss messages ("buy vouchers, it's urgent"). One rule kills both: verify payment changes and urgent requests on a second channel - a phone number you already had, not one from the email.

15. A one-page incident plan

Who to call, how to take systems offline, where backups are, and when you must report a breach (72 hours to the ICO under UK GDPR; every US state and most countries have their own notification rules). Write it before you need it - our incident playbook is the long version.

The checklist at a glance

#CheckCostBaseline area*
1MFA everywhereFreeAccess control
2No shared loginsFreeAccess control
3Same-day leaver removalFreeAccess control
4Least privilegeFreeAccess control
5Password manager£2-4/user/moAccess control
6Data inventoryFree- (GDPR)
7Collect lessFree- (GDPR)
8Tested backupsUsually incl.-
9No public buckets/linksFreeSecure configuration
10Device encryptionFreeSecure configuration
11Automatic updatesFreeSecurity updates
12App security basicsFree-££Secure configuration
13Domain + email recordsFreeSecure configuration
14Scam awarenessFree-
15Incident planFree-

*Areas map to the UK's Cyber Essentials scheme; the same controls appear in the CIS Controls (widely used in the US and internationally) and underpin SOC 2 - whichever framework your market asks for, this is the shared foundation.

Frequently asked questions

We're tiny - would anyone really attack us?

Nobody attacks you personally; scanners attack everything. Exposed databases and leaked keys get found in hours regardless of company size or country, and roughly four in ten businesses identify attacks or breaches each year in the UK government's survey - US and Australian studies land in the same range.

Should we get certified (Cyber Essentials, SOC 2, ISO 27001)?

When bigger clients start asking, yes. In the UK that usually means Cyber Essentials (from about £300+VAT); in the US, enterprise buyers typically ask for SOC 2; ISO 27001 is the international heavyweight. Do this checklist first and any of them becomes mostly paperwork.

What should we pay a professional for?

The technical checks (9, 12, 13), a review of the rest, and the documentation - typically 1-3 days (£500-£2,000 / roughly $650-$2,600 at 2026 rates). Do checks 1-5 yourselves this week; they're free and they're the biggest wins.

Keep going