
This is the checklist we’ll be running with clients heading into 2026 — short enough to print, complete enough to matter. If every box below is honestly checked, your business is ahead of the vast majority of SMBs. Whatever’s left unchecked is your January priority list, in order.
Two ground rules make this useful rather than decorative. First, every box gets a name and a date — “done” means someone owns it and you know when it was last verified. Second, score honestly: a control that exists but has never been tested counts as half a box at best. Tape the printed copy inside the server closet door, or wherever your team will actually see it.
Identity and access
Most breaches still start with a stolen or phished credential, so this section carries the most weight on the page.
- MFA on every account — email, VPN, finance, remote access, admin. No exceptions for executives; they’re the most-targeted people in the company.
- Phishing-resistant MFA for admins — passkeys or hardware keys, because attackers now routinely phish one-time codes in real time.
- A business password manager deployed to everyone, with shared logins eliminated or vaulted.
- Same-day offboarding — a written checklist that cuts all access before the exit interview ends.
- Quarterly access reviews — who can reach what, and who no longer should.
Devices, patching and email
These controls blunt the everyday attacks — the commodity malware and mass phishing that hit every business regardless of size.
- EDR on every endpoint. Traditional antivirus alone stopped being adequate years ago.
- Automatic patching with reporting — for operating systems and the apps attackers love: browsers, PDF readers, remote-access tools.
- Zero unsupported operating systems. Windows 10 support ended in October; anything still on it needs ESU or a replacement date.
- Full-disk encryption on every laptop. A lost laptop should be a hardware cost, not a reportable breach.
- DMARC at enforcement, with SPF and DKIM aligned, so criminals can’t send email as your domain.
Backups and recovery
When prevention fails, recovery is the whole game — and it only counts if it works under a stopwatch.
- 3-2-1 backups with one immutable copy that ransomware can’t encrypt and a stolen admin credential can’t delete.
- Microsoft 365 or Google Workspace backed up separately. The cloud replicates your mistakes; it doesn’t undo them.
- A quarterly timed restore test with the result written down. That number is your real recovery time.
- A printed incident response plan — who to call, in what order, with phone numbers that work when email doesn’t.
- Cyber insurance answers that match reality. Claims get denied over questionnaire answers that weren’t true.
People and process
Technology catches most of it; people and process cover the rest.
- Awareness training that covers 2026 threats — AI-written phishing, deepfake voice calls, QR-code lures — not just last decade’s typo-spotting.
- Quarterly phishing simulations, used for coaching rather than shaming.
- An AI usage policy that names approved tools and draws bright lines around client data.
- A vendor access list — every third party holding a login to your systems, reviewed twice a year.
- Someone watching, always. A 2 a.m. alert needs a human response — in-house or through a partner whose engineers monitor around the clock.
If you’re starting from a low score, don’t try to fix everything in January. Take the first unchecked item in each section — four items in total — and finish those in the first quarter. That sequence covers the most common attack paths first, and it builds the habit of closing loops instead of opening projects.
Key takeaways
- Identity controls come first; most attacks still start with a credential.
- EDR, patching and DMARC close the doors attackers try every day.
- Backups only count if one copy is immutable and restores are timed.
- Train people for AI-era phishing, and put your AI rules in writing.
A checklist tells you what should be true; a test tells you what is. Book a penetration test and find out which boxes actually hold.
Turn insight into action.
Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.



