
A Cybersecurity Audit Checklist for SMEs

You cannot defend what you have not measured. This audit checklist helps SMEs find their real security gaps before an attacker does.

Written by
BSH Technologies
Published on 2025-07-12

An audit turns vague worry into a plan

Most small and mid-sized businesses know they "should do something about security" but have no clear picture of where they actually stand. A cybersecurity audit replaces that anxiety with a map: here is what we have, here is where we are exposed, here is what to fix first. It does not need to be expensive or drawn out. This checklist walks through the areas that matter most for an SME, in roughly the order an attacker would probe them. Work through it honestly and you will know more about your real risk than most businesses your size.

Know what you are protecting

You cannot secure assets you have not inventoried, so start here. Build a current list of:

  • Devices — every laptop, server, phone, and network device that touches company data, including personal devices used for work.
  • Accounts and access — who can log into what, and whether any accounts belong to people who have left.
  • Data — what sensitive information you hold (customer, financial, employee), where it lives, and who can reach it.
  • Cloud services and software — every SaaS tool in use, including the ones individual teams signed up for without telling IT.

This step alone surfaces surprises in almost every audit — a forgotten server, an ex-employee's still-active login, a critical spreadsheet on someone's personal drive.

Check the access controls

Weak access is the most common way SMEs get breached, so scrutinise it closely:

  • Is multi-factor authentication enabled everywhere it can be, especially on email, finance systems, and remote access? This is the single highest-value control you can verify.
  • Are accounts removed promptly when people leave?
  • Does each person have only the access their role needs, or has access accumulated over time?
  • Are administrative accounts limited, separated from everyday accounts, and closely watched?

Verify the basics are actually in place

Audits routinely find that protections everyone assumed existed do not. Confirm rather than assume:

  • Backups — do they exist, do they cover what matters, and crucially, has a restore actually been tested? An untested backup is a hope, not a safeguard.
  • Updates — are operating systems and key software patched, or are machines running versions with known holes?
  • Endpoint protection — is it installed, active, and current on every device, not just most of them?
  • Encryption — are laptops and sensitive data encrypted so a lost device is not a breach?

Look at the human and response layers

Technology is only part of the picture. Assess whether staff have had any real security awareness training and would recognise a phishing attempt, since people are the most targeted entry point. Then ask the question most SMEs cannot answer: if you were breached tomorrow, what would you do? Knowing who to call, how to isolate affected systems, how to restore from backup, and what your legal obligations are — before an incident — is the difference between a contained event and a chaotic, costly one. A short written incident response plan, even a one-pager, puts you ahead of most of your peers.

Turn findings into a prioritised plan

An audit that produces a list and nothing else is wasted effort. The output should be a ranked remediation plan: fix the critical exposures first (missing MFA, untested backups, unpatched internet-facing systems), then work down through the rest as budget and time allow. Not everything can be fixed at once, and that is fine — what matters is closing the biggest gaps quickly and having a clear, sequenced path through the others rather than a vague intention to "improve security someday."
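As an added example (not part of the original post), the Python sketch below applies the checks from the access-control and "verify the basics" sections to a small inventory and orders the findings the way this section suggests, critical exposures first. The record fields, the 30- and 90-day thresholds, and every person and system in the sample data are assumptions constructed for the example.

```python
# Added example: apply the checklist above to an inventory and rank the findings.
from datetime import date
PATCH_MAX_DAYS = 30       # assumed: older than this counts as "unpatched"
RESTORE_MAX_DAYS = 90     # assumed: a restore test older than this is stale
RANK = {"critical": 0, "high": 1, "medium": 2}
AUDIT_DATE = date(2025, 7, 12)  # constructed "today" for the sample run

def run_audit(inv, today):
    """Return (severity, message) findings, most severe first (stable order)."""
    f = []
    leavers = inv["leavers"]
    for a in inv["accounts"]:
        if a["active"] and a["owner"] in leavers:
            f.append(("critical", f"{a['owner']}/{a['service']}: departed staff still has an active login"))
        if a["active"] and not a["mfa"]:
            hot = a["admin"] or a["service"] in ("email", "finance", "remote-access")
            f.append(("critical" if hot else "high", f"{a['owner']}/{a['service']}: MFA not enabled"))
        if a["admin"] and a["everyday_use"]:
            f.append(("high", f"{a['owner']}/{a['service']}: admin account doubles as everyday account"))
    for d in inv["devices"]:
        age = (today - d["last_patched"]).days
        if age > PATCH_MAX_DAYS:
            f.append(("critical" if d["internet_facing"] else "high", f"{d['name']}: unpatched for {age} days"))
        if not d["endpoint_protection"]:
            f.append(("high", f"{d['name']}: endpoint protection missing or inactive"))
        if not d["encrypted"]:
            f.append(("medium", f"{d['name']}: storage not encrypted"))
    for b in inv["backups"]:
        if b["last_restore_test"] is None or (today - b["last_restore_test"]).days > RESTORE_MAX_DAYS:
            f.append(("critical", f"backup {b['name']}: restore never tested or test is stale"))
    return sorted(f, key=lambda x: RANK[x[0]])

# Constructed sample inventory: fictional people and systems.
SAMPLE = {
    "leavers": {"priya"},
    "accounts": [
        {"owner": "priya", "service": "email", "active": True, "mfa": True, "admin": False, "everyday_use": True},
        {"owner": "arjun", "service": "finance", "active": True, "mfa": False, "admin": False, "everyday_use": True},
        {"owner": "arjun", "service": "m365-admin", "active": True, "mfa": True, "admin": True, "everyday_use": True},
        {"owner": "meera", "service": "crm", "active": True, "mfa": False, "admin": False, "everyday_use": True},
    ],
    "devices": [
        {"name": "web-01", "internet_facing": True, "last_patched": date(2025, 4, 1), "endpoint_protection": True, "encrypted": True},
        {"name": "laptop-meera", "internet_facing": False, "last_patched": date(2025, 7, 1), "endpoint_protection": False, "encrypted": False},
    ],
    "backups": [{"name": "file-server-nightly", "last_restore_test": None}],
}
if __name__ == "__main__":
    for sev, msg in run_audit(SAMPLE, AUDIT_DATE):
        print(f"[{sev.upper():8}] {msg}")
```

Feed it your own inventory export in the same shape and the output is a first-cut remediation order to argue over, not a substitute for judgement about your specific systems.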

Do not forget your suppliers and the rules you fall under

Two areas SMEs routinely overlook can undo an otherwise solid audit. The first is third-party risk: the vendors and cloud services you rely on hold or touch your data, and a breach at one of them is your problem too. Take stock of who has access to what, and whether your most important suppliers take security as seriously as you now do. The second is compliance — depending on your sector and the data you handle, you may have legal obligations around how information is protected and what you must do if it is exposed. Knowing which rules apply to you is part of understanding your real risk, not a separate exercise.

  • List the external services and vendors that hold or access your data, and review their access.
  • Identify any regulations that apply to your business and confirm you can meet their core requirements.
  • Revisit both whenever you add a major new supplier or system, since your exposure changes with them.

How BSH can help

BSH Technologies runs practical cybersecurity audits for SMEs across India and beyond — inventorying your assets, testing your controls against a checklist like this one, and handing you a prioritised, plain-language remediation plan rather than a scary report you cannot act on. As part of our managed IT and cybersecurity services, we can also fix what we find. If you are not sure where you stand, an audit is the right first move — and we will make it a useful one.
