Most cybersecurity advice for small business is either too vague ("use strong passwords") or written for enterprises with a security team. This is neither. It's a practical, self-assessable checklist built for a New Zealand SME in 2026: every item has a yes/no answer you can verify, and the whole thing is mapped to what cyber insurers now ask for on their questionnaires and what the Privacy Act 2020 expects of you.
Work through it honestly. Tick what you genuinely have in place, flag what you don't, and use the scoring guide at the end to see where you stand. If you'd rather have someone run it with you, that's what our managed security reviews do — but you can get a long way on your own with the list below.
How to Use This Checklist
Each item is a control. Mark it Yes only if it's true for your whole business, not just some staff or one device. "Mostly" counts as No: attackers find the gap, and insurers ask for the whole picture. There are 44 checks across eight domains.
1. Identity & Access (the front door)
Stolen or guessed logins are the single most common way NZ businesses get breached. Lock the door first.
- ☐ MFA is enforced on every Microsoft 365 / Google Workspace account — not optional, enforced.
- ☐ MFA uses an authenticator app, FIDO2 hardware key or passkey, not SMS, for admin and finance staff (SMS codes can be intercepted via SIM-swap and are the easiest factor to phish).
- ☐ Admin accounts are separate from daily-use accounts (no doing email from a global admin login).
- ☐ You have 2–3 global admins, not 8 — and you know exactly who they are.
- ☐ Ex-staff accounts are disabled the day they leave, with a documented offboarding step.
- ☐ No shared logins for critical systems (each person has their own).
- ☐ A password manager is in use so staff aren't reusing passwords across sites.
2. Devices & Endpoints
Every laptop, desktop, and phone is a way in. They need active protection, not just the free built-in defaults.
- ☐ Modern EDR runs on 100% of computers (Defender for Business, CrowdStrike, SentinelOne, Sophos), centrally managed — not stand-alone free antivirus.
- ☐ Alerts go to someone who actually responds, not an unmonitored inbox.
- ☐ Disk encryption is on (BitLocker / FileVault) for every laptop that leaves the office, with recovery keys stored centrally (Intune / Entra ID, Jamf, or your password manager), not only on the device itself.
- ☐ Devices auto-lock after a few minutes idle and require a PIN/password/biometric.
- ☐ Phones with work email have a screen lock and can be remotely wiped.
- ☐ No unsupported operating systems (Windows 10 reached end of support in October 2025; anything still on it without paid Extended Security Updates is a live risk, and ESU is a stopgap, not a plan).
3. Patching & Updates
Most successful attacks exploit a known bug that a patch already exists for. Speed matters.
- ☐ Windows / macOS updates are centrally managed, not left to each user to click "later".
- ☐ Critical security patches are applied within 30 days (faster for actively-exploited ones).
- ☐ Browsers and third-party apps update too (Chrome, Adobe, Zoom — not just the OS).
- ☐ Firmware on your firewall/router is current and the device isn't past end-of-life.
- ☐ You have an asset inventory so you know what needs patching in the first place.
4. Backups & Recovery
Backups are what turn a ransomware disaster into an inconvenience — but only if they're independent and tested.
- ☐ Microsoft 365 / Google Workspace is backed up by a third party (a separate vendor — native "retention" is not a backup).
- ☐ Backups are immutable, so an attacker who gets into your network or admin accounts can't delete or encrypt them, and the backup console itself sits behind MFA with credentials separate from your day-to-day admin logins.
- ☐ You've done a successful test restore in the last 12 months and know it works.
- ☐ Critical servers and line-of-business data are backed up, not just email and files.
- ☐ You know your RTO/RPO — how long recovery takes and how much data you'd lose. Even a rough answer beats none.
5. Email & Fraud Prevention
Business email compromise and invoice/bank-change fraud are the #1 way NZ SMEs lose actual money. Technical filters and a human process both matter; neither is enough on its own.
- ☐ Advanced email filtering is on (Defender for Office 365, Mimecast, Proofpoint) — beyond the default filter.
- ☐ SPF, DKIM and DMARC are configured on your sending domain, with DMARC at p=quarantine or p=reject and an rua= reporting address so you can see who is sending as you. A DMARC record at p=none only monitors; it does not stop spoofed mail from being delivered.
- ☐ There is a written process for bank-detail changes — a "supplier" emailing new account details triggers a phone-call verification to a known number, every time.
- ☐ Staff know how to report a suspicious email and it's frictionless (a button or a known address).
- ☐ External emails are visibly tagged so a spoofed "internal" message stands out.
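As an added example (not part of the original checklist and not Tryzee's own tooling), the script below evaluates SPF and DMARC TXT records against the criteria above: DMARC must be at quarantine or reject, apply to 100% of mail, and carry an rua= reporting address; SPF must end in -all or ~all and stay within the 10-DNS-lookup limit from RFC 7208. The records are constructed sample values embedded inline (the domains and mailto addresses are placeholders), so it runs offline; in practice you would feed it the output of `nslookup -type=TXT _dmarc.yourdomain.co.nz` and `nslookup -type=TXT yourdomain.co.nz`. It checks record syntax and policy strength only; it does not resolve DNS or verify that DKIM selectors are actually published.

```python
"""Check SPF and DMARC records against the checklist's minimum bar.

Added example: record strings below are constructed placeholders, not real domains.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    ok: bool
    message: str


def parse_tags(record: str) -> dict[str, str]:
    """Parse a 'k=v; k=v' tag list as used by DMARC (and DKIM) records."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[Finding]:
    """Return findings for a DMARC TXT record found at _dmarc.<domain>."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding(False, "not a DMARC record (missing v=DMARC1)")]
    findings: list[Finding] = []
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        findings.append(Finding(True, f"policy p={policy} blocks or quarantines spoofed mail"))
    elif policy == "none":
        findings.append(Finding(False, "p=none is monitoring only; spoofed mail is still delivered"))
    else:
        findings.append(Finding(False, "missing or invalid p= tag"))
    pct = tags.get("pct", "100")  # default is 100 when absent
    if pct != "100":
        findings.append(Finding(False, f"pct={pct}: policy applies to only part of your mail"))
    if "rua" in tags:
        findings.append(Finding(True, f"aggregate reports go to {tags['rua']}"))
    else:
        findings.append(Finding(False, "no rua= address, so you never see who is sending as you"))
    if tags.get("sp", "").lower() == "none":
        findings.append(Finding(False, "sp=none leaves subdomains unprotected"))
    return findings


# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit is 10).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)


def check_spf(record: str) -> list[Finding]:
    """Return findings for an SPF TXT record published at the apex of the domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding(False, "not an SPF record (missing v=spf1)")]
    mechanisms = terms[1:]
    findings: list[Finding] = []
    all_terms = [t for t in mechanisms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding(False, "no 'all' mechanism; unlisted senders get a neutral result"))
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"
        if qualifier in ("-", "~"):
            findings.append(Finding(True, f"terminates with {qualifier}all"))
        else:
            findings.append(Finding(False, f"'{last}' lets anyone on the internet send as you"))
    lookups = sum(1 for t in mechanisms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(Finding(False, f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)"))
    else:
        findings.append(Finding(True, f"{lookups} DNS-lookup term(s), within the limit of 10"))
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in mechanisms):
        findings.append(Finding(False, "ptr mechanism is deprecated and unreliable"))
    return findings


def passes(findings: list[Finding]) -> bool:
    """A record meets the checklist bar only if every finding is ok."""
    return all(f.ok for f in findings)


# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "good DMARC": ("dmarc", "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.nz; adkim=s; aspf=s"),
    "weak DMARC": ("dmarc", "v=DMARC1; p=none; rua=mailto:dmarc@example.co.nz"),
    "good SPF": ("spf", "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"),
    "open SPF": ("spf", "v=spf1 include:_spf.google.com +all"),
}

if __name__ == "__main__":
    for label, (kind, record) in SAMPLE_RECORDS.items():
        findings = check_dmarc(record) if kind == "dmarc" else check_spf(record)
        print(f"{label}: {'PASS' if passes(findings) else 'FAIL'}")
        for f in findings:
            print(f"  [{'ok' if f.ok else '!!'}] {f.message}")
```

Treating a missing rua= as a failure is deliberate: without reports you cannot safely move from p=none to p=reject, because you will not know which legitimate third-party senders (invoicing, CRM, newsletter tools) are still failing alignment.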
6. People & Awareness
Your team is either your weakest link or your best sensor. Training decides which.
- ☐ Phishing simulations run at least quarterly, with click rates tracked over time.
- ☐ New staff get security basics during onboarding, not a year later.
- ☐ There's a short, written acceptable-use / AI-use policy covering what can and can't be pasted into ChatGPT and similar tools (customer data, credentials and unreleased financials are the usual answer to "can't").
- ☐ Staff know who to call the moment something looks wrong — no fear of "getting in trouble" for reporting.
7. Network & Cloud Configuration
The settings you configured once and forgot are where trouble hides.
- ☐ Guest Wi-Fi is separate from the business network.
- ☐ Remote access is via MFA-protected VPN or a modern zero-trust tool, not RDP exposed to the internet.
- ☐ Default admin passwords on routers, firewalls, NAS and printers are changed.
- ☐ Microsoft 365 / Google security defaults or Conditional Access are configured (not left wide open).
- ☐ Audit logging is turned on in Microsoft 365 / Google Workspace and on your firewall, and retained long enough to investigate a breach you only discover months later.
8. Governance, Response & Compliance
When (not if) something happens, a plan and a few obligations decide how bad it gets.
- ☐ You have a written incident response plan — named roles, contacts, and first steps.
- ☐ You've done one tabletop walkthrough of it in the last year.
- ☐ You know your Privacy Act 2020 duty: a privacy breach that has caused, or is likely to cause, serious harm must be notified to the Privacy Commissioner and to affected people as soon as practicable (the Commissioner's guidance treats 72 hours as the benchmark).
- ☐ You know how to report to CERT NZ (now part of the National Cyber Security Centre, and still the national point for reporting cyber incidents).
- ☐ You have cyber insurance, and you can actually meet the controls it requires (see our cyber insurance guide).
- ☐ Your IT is not a single-person dependency — documentation and access aren't locked in one person's head (more on that in our in-house vs outsourced IT guide).
- ☐ You assess your key vendors' security — your IT provider, accounting software, cloud services.
Score Yourself
Count your Yes answers out of 44:
- 39–44 — Strong. You're ahead of most NZ SMEs and in good shape for insurance renewal. Keep testing (backups, phishing, the IR plan) so it stays real.
- 28–38 — Reasonable, with real gaps. You have the basics but likely have holes in backups, response, or fraud process — exactly where losses happen. Prioritise the No's in sections 4, 5 and 8.
- 17–27 — Exposed. Enough is missing that a single phishing email or lost laptop could become a serious event. Start with identity (section 1) and backups (section 4) this month.
- Under 17 — Urgent. You're carrying risk that could end the business and probably wouldn't pass an insurance questionnaire. This is worth a professional review now, not next quarter.
Frequently Asked Questions
What are the most important cybersecurity controls for a small business?
If you do only four things: enforce MFA on every account, run managed EDR on every device, keep an independent tested backup of Microsoft 365 or Google Workspace, and put a phone-verification process around any change of supplier bank details. Those four block the large majority of real-world NZ SME incidents and losses.
Does a small NZ business really need all this?
The technical baseline is now effectively mandatory, not optional — cyber insurers require it to quote, and the Privacy Act 2020 holds you responsible for protecting personal information you hold. Attackers automate and don't skip you for being small; being small just means you have less capacity to absorb the hit.
What does the Privacy Act 2020 require for security?
It requires you to protect the personal information you hold with reasonable safeguards, and to notify the Privacy Commissioner and affected individuals of any privacy breach that has caused, or is likely to cause, serious harm — as soon as practicable. The controls in this checklist are how you demonstrate "reasonable safeguards".
How much does it cost to close these gaps?
For a typical NZ SME, the security tooling and management to satisfy this checklist runs roughly $50–$80 +GST per user per month (EDR, backup, patching, training, monitoring). That's usually at or below the cost of a loaded insurance premium or a single fraud loss — the cheapest insurance you'll buy.
Who do I report a cyber incident to in NZ?
Report cyber incidents to CERT NZ (now part of the National Cyber Security Centre). If personal information was involved and serious harm has occurred or is likely, you also have a notification duty to the Office of the Privacy Commissioner and to the affected people. If money was transferred, contact your bank immediately: fast action sometimes recovers funds, and the window is usually hours, not days.
Turning the List Into Action
A checklist only helps if the No's become Yes's. The fastest path for most businesses is to fix the highest-impact gaps first — identity, backups, and the bank-change process — then work steadily through the rest. If you'd like a hand, Tryzee runs security reviews for businesses across Matamata, the Waikato, and the Bay of Plenty: we go through this exact list with you, prioritise the gaps, and give you a plain-English plan. Get in touch for a no-obligation conversation — even if the outcome is simply a clearer picture of where you stand.