The small business cloud security checklist: 15 checks before you store customer data
By Carl Mills - cloud & security engineer • Published 9 July 2026 • Last updated
TL;DR
You don't need a security team; you need the basics done deliberately. The big four: MFA everywhere (blocks most account takeovers, free), one person ≠ one point of failure (no shared logins, remove leavers same-day), backups you've actually restored, and updates turned on. The UK government's breaches survey consistently finds about 4 in 10 businesses detect attacks each year, and US and Australian figures tell the same story - almost all automated, almost all stopped by this list. Nearly everything below is free; the rest is 1-3 days of help.
Accounts & access (the way in)
1. MFA on every account that matters
Cloud console, business email, domain registrar, payment provider, code hosting. Email especially - it's the reset key to everything else. Cost: free. Time: an hour.
2. No shared logins
"The office login" means no audit trail and no way to remove one person's access. Every human gets their own account; every system gets its own credential.
3. Leavers lose access the day they leave
Keep a one-page list of every system with an account. Offboarding = walk the list. The ex-contractor who still has production access is a classic small-business breach story.
4. Least privilege on the cloud account
The marketing freelancer doesn't need billing admin. Owners keep the root/owner account in a drawer (MFA'd, unused) and work from named admin accounts.
5. A password manager for the team
Reused passwords are how one leaked site becomes your breach. £2-4/user/month ends it.
Data (the thing they're after)
6. Know what customer data you hold and where
One paragraph: what you collect, which systems it lives in, who can see it. Privacy law requires this almost everywhere English is spoken - GDPR in the UK/EU, CCPA/CPRA in California, PIPEDA in Canada, the Privacy Act in Australia - and security-wise, you can't protect what you haven't listed.
7. Collect less
Every field you don't collect is a field that can't leak. Date of birth "just in case" is liability, not data.
8. Backups exist - and you've restored one
Turn on provider backups for every database and file store, then do one test restore and note how long it took. An unrestored backup is a rumour. Ransomware's only real answer is a working restore.
9. Nothing sensitive in public buckets or spreadsheets-by-link
"Anyone with the link" is public. Audit your file shares and storage buckets; scanners find open buckets within hours of creation.
10. Encrypt laptops and phones
BitLocker/FileVault plus a PIN turns a stolen laptop from a data breach into a hardware cost.
Systems (the doors and windows)
11. Updates turned on, everywhere
OS, browsers, plugins, dependencies. Most successful attacks exploit vulnerabilities that had patches available for months. Automatic updates are the highest-value setting in security.
12. Your app passes the basics
If you run custom software (including AI-built - see the vibe coding checklist): no secrets in code, server-side permission checks, security headers set. Thirty minutes with a scanner beats an incident.
13. The domain and email are locked down
Registrar account MFA'd, domain transfer lock on, and SPF/DKIM/DMARC records set so criminals can't send invoices as you. (Email spoofing of small firms is rampant precisely because these three DNS records are so rarely set.)
People & paper (the part that fails first)
14. The team knows the two big scams
Invoice redirection ("we've changed bank details") and urgent-boss messages ("buy vouchers, it's urgent"). One rule kills both: verify payment changes and urgent requests on a second channel - a phone number you already had, not one from the email.
15. A one-page incident plan
Who to call, how to take systems offline, where backups are, and when you must report a breach (72 hours to the ICO under UK GDPR; every US state and most countries have their own notification rules). Write it before you need it - our incident playbook is the long version.
The checklist at a glance
| # | Check | Cost | Baseline area* |
|---|---|---|---|
| 1 | MFA everywhere | Free | Access control |
| 2 | No shared logins | Free | Access control |
| 3 | Same-day leaver removal | Free | Access control |
| 4 | Least privilege | Free | Access control |
| 5 | Password manager | £2-4/user/mo | Access control |
| 6 | Data inventory | Free | - (GDPR) |
| 7 | Collect less | Free | - (GDPR) |
| 8 | Tested backups | Usually incl. | - |
| 9 | No public buckets/links | Free | Secure configuration |
| 10 | Device encryption | Free | Secure configuration |
| 11 | Automatic updates | Free | Security updates |
| 12 | App security basics | Free-££ | Secure configuration |
| 13 | Domain + email records | Free | Secure configuration |
| 14 | Scam awareness | Free | - |
| 15 | Incident plan | Free | - |
*Areas map to the UK's Cyber Essentials scheme; the same controls appear in the CIS Controls (widely used in the US and internationally) and underpin SOC 2 - whichever framework your market asks for, this is the shared foundation.
Frequently asked questions
We're tiny - would anyone really attack us?
Nobody attacks you personally; scanners attack everything. Exposed databases and leaked keys get found in hours regardless of company size or country, and roughly four in ten businesses identify attacks or breaches each year in the UK government's survey - US and Australian studies land in the same range.
Should we get certified (Cyber Essentials, SOC 2, ISO 27001)?
When bigger clients start asking, yes. In the UK that usually means Cyber Essentials (from about £300+VAT); in the US, enterprise buyers typically ask for SOC 2; ISO 27001 is the international heavyweight. Do this checklist first and any of them becomes mostly paperwork.
What should we pay a professional for?
The technical checks (9, 12, 13), a review of the rest, and the documentation - typically 1-3 days (£500-£2,000 / roughly $650-$2,600 at 2026 rates). Do checks 1-5 yourselves this week; they're free and they're the biggest wins.
Keep going
- Run custom or AI-built software? The 12-point launch checklist is the app-level companion to this list.
- Want it done and documented for you? A fixed-scope security review covers all 15 checks with a prioritised report - book a free scoping chat.