White Paper February 10, 2026 · 9 min read

The Complete IT Security Assessment Checklist for Mid-Size Businesses

BJ Pote

CEO, eTop Technology

Download the PDF version of this checklist to use as a reference during your own security review.


If you’re running a business with 30 to 200 employees, you’re in a tough spot when it comes to cybersecurity. You’re big enough to be a real target but probably don’t have a dedicated security team to deal with it. The good news is that you don’t need a Fortune 500 budget to get your security right. You need a clear picture of where you stand and a plan to close the gaps.

This checklist is what we use internally at eTop Technology when we onboard new clients and run annual security reviews. It’s organized by category, and each item is something you can evaluate without deep technical expertise. If you can’t confidently say “yes” to an item, that’s a gap worth investigating.

1. Identity and Access Management

Access controls are the foundation of your security posture. If the wrong people can get to the wrong data, nothing else matters.

  • Multi-factor authentication (MFA) is enabled on all business email accounts
  • MFA is enabled on all cloud applications that support it (Microsoft 365, Google Workspace, CRM, accounting software)
  • VPN or remote access connections require MFA
  • Administrative accounts use separate credentials from daily-use accounts
  • Former employees are deprovisioned within 24 hours of departure
  • User access is reviewed quarterly to ensure least-privilege principles
  • Password policies require a minimum of 14 characters
  • Shared accounts and generic logins have been eliminated
  • Privileged access (admin rights) is limited to personnel who genuinely need it
  • Single sign-on (SSO) is implemented where possible to reduce credential sprawl

Why it matters: Compromised credentials are involved in over 80% of data breaches. MFA alone blocks 99.9% of automated attacks. If you do nothing else on this list, get MFA deployed everywhere.

2. Endpoint Security

Every laptop, desktop, and mobile device that connects to your network is a potential entry point for attackers.

  • All workstations and laptops run Endpoint Detection and Response (EDR), not just basic antivirus
  • EDR is centrally managed with alerts going to a monitored dashboard
  • Operating systems are patched within 14 days of critical security updates
  • Third-party applications (browsers, PDF readers, Java) are patched regularly
  • Full disk encryption is enabled on all laptops and mobile devices
  • USB storage devices are restricted or disabled via policy
  • Mobile device management (MDM) is in place for phones and tablets that access company data
  • Auto-lock is configured on all devices (5 minutes or less)
  • Local admin rights are removed from standard user accounts

Why it matters: Endpoints are where attacks land. EDR catches the threats that antivirus misses by monitoring behavior patterns, not just known signatures. Encryption means a stolen laptop doesn’t become a data breach.

3. Email Security

Email remains the number one attack vector. If your email security is weak, the rest barely matters.

  • Advanced threat protection scans attachments and links before delivery
  • Impersonation protection is configured for executives and key personnel
  • DMARC, DKIM, and SPF records are properly configured on your domain
  • External email tagging (banner warnings) is enabled for emails from outside the organization
  • Automatic forwarding to external addresses is disabled or restricted
  • Email retention and archiving policies are in place
  • Users receive regular phishing simulation tests
  • Phishing click rates are tracked and users who click receive additional training

Why it matters: Over 90% of successful cyberattacks start with a phishing email. Your email security configuration is the difference between an attack that gets caught and one that compromises your entire network.

4. Network Security

Your network is the highway that connects everything. If it’s not properly segmented and monitored, a single compromised device can lead to a full-network breach.

  • Firewall is enterprise-grade with active threat intelligence subscriptions
  • Firewall rules are reviewed at least annually
  • Network is segmented (servers, workstations, guest Wi-Fi, IoT on separate VLANs)
  • Guest Wi-Fi is isolated from the corporate network
  • DNS filtering blocks known malicious domains
  • Remote access uses a modern VPN or zero-trust network access (ZTNA) solution
  • Wireless networks use WPA3 or WPA2-Enterprise authentication
  • Network traffic is monitored for anomalous behavior
  • Intrusion detection or prevention system (IDS/IPS) is active

Why it matters: Network segmentation is what prevents a ransomware infection on one workstation from spreading to your file server, backups, and every other system on the network. Without it, one compromised device can take down everything.

5. Data Backup and Recovery

Backups are your last line of defense against ransomware and data loss. But only if they actually work.

  • All critical data is backed up at least daily
  • Backups follow the 3-2-1 rule: 3 copies, 2 different media types, 1 offsite
  • At least one backup copy is immutable (cannot be modified or deleted by ransomware)
  • Backup integrity is verified automatically
  • Full restore tests are performed at least quarterly
  • Recovery time objectives (RTO) are defined and achievable
  • Recovery point objectives (RPO) are defined and acceptable to the business
  • Backup encryption is enabled for data at rest and in transit
  • Backup access is restricted to authorized personnel only

Why it matters: We’ve seen businesses that thought they had backups discover during a crisis that their backups had been failing for weeks. Regular testing is the only way to know for sure. Immutable backups are what save you when ransomware tries to encrypt your backup data along with everything else.

6. Security Awareness and Training

Your employees are the last line of defense, and often the first point of failure. Training turns them from a vulnerability into an asset.

  • All employees complete security awareness training during onboarding
  • Ongoing training is conducted at least quarterly
  • Training covers phishing, social engineering, password hygiene, and data handling
  • Phishing simulations are conducted monthly
  • Simulation results are tracked and used to target additional training
  • Employees know how to report suspicious emails and activity
  • There is a clear, no-blame policy for reporting potential security incidents

Why it matters: Even with perfect technical controls, a well-crafted phishing email can trick someone into handing over credentials or installing malware. Regular training and simulations reduce click rates dramatically. The no-blame reporting policy is critical because you want people to speak up immediately, not hide a mistake out of fear.

7. Policies and Documentation

If it’s not written down, it doesn’t exist from a compliance and audit perspective.

  • Information security policy exists and is reviewed annually
  • Acceptable use policy covers employee technology use
  • Incident response plan is documented and has been rehearsed in the past year
  • Business continuity and disaster recovery plans are documented
  • Data classification policy defines how different types of data should be handled
  • Vendor management policy addresses third-party security requirements
  • All policies are accessible to employees and acknowledged in writing

Why it matters: Documentation isn’t just about compliance. It’s about making sure everyone knows the rules and there’s no ambiguity when an incident happens. The incident response plan in particular needs to be rehearsed, not just written.

8. Compliance and Regulatory Requirements

Depending on your industry, you may have specific regulatory obligations. Even if you don’t think you do, it’s worth checking.

  • You’ve identified which regulations apply to your business (FTC Safeguards, HIPAA, CMMC, PCI-DSS, state privacy laws)
  • A designated individual is responsible for your information security program
  • Risk assessments are conducted at least annually
  • Penetration testing or vulnerability assessments are performed annually
  • Cyber insurance policy is in place and covers ransomware, business interruption, and regulatory fines
  • Insurance requirements are aligned with your actual security controls

Why it matters: Regulatory fines are increasing, and cyber insurance carriers are getting pickier about what they’ll cover. If your security controls don’t match what you told your insurer, a claim could be denied.

How to Use This Checklist

Don’t try to fix everything at once. Here’s a practical approach:

  1. Score yourself honestly. Go through each item and mark it yes, no, or partial.
  2. Identify the critical gaps. MFA, EDR, and backups are the big three. If any of those are missing, start there.
  3. Build a 90-day plan. Pick the highest-impact items and commit to addressing them in the next quarter.
  4. Get outside eyes. An internal review is a great start, but an external assessment will catch things you missed.

If you’d like help running through this assessment for your specific environment, we do this for businesses across the Inland Empire every week. It takes a couple of hours and you’ll walk away with a prioritized action plan. No cost, no obligation.

Download the PDF checklist and share it with your team.

eTop Technology has spent over 15 years in IT and over 12 years serving the Inland Empire as a trusted managed IT provider. We host the Business Tech Playbook podcast and are passionate about helping business leaders make smarter technology decisions.

Ready to Stop Worrying About IT?

Find out where your business stands with a free IT security assessment. We'll review your current environment, identify risks, and give you a clear picture of what's working and what needs attention — with no obligation.

Schedule Your Free Assessment →

Or call us directly: 951-398-0021