KOLOSALTech

Cybersecurity checklist for SMEs 2026: 10 essential measures


The 10 minimum cybersecurity controls for any SME or administration with fewer than 100 workstations. A pragmatic approach with a controlled budget.

Ransomware attacks now affect SMEs as much as large corporations. This checklist covers the 10 measures that drastically reduce risk without oversizing your IT infrastructure.

1. MFA everywhere on cloud identities

Microsoft 365, Google Workspace, GitHub, Slack — enabling two-factor authentication is free and blocks 99% of account compromises. No excuse in 2026.

2. EDR on all endpoints

Microsoft Defender for Business (~€2.70/month/workstation) or equivalent. Behavioral detection, not just signature-based antivirus.

3. 3-2-1 backup with immutability

3 copies, 2 different media, 1 offsite. Immutability (Veeam, Synology Snapshot, etc.) to resist ransomware that targets backups themselves.
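The rule above can be checked mechanically against a backup inventory. The following is an added example, not code from the original page: the `BackupCopy` fields, the sample inventories and the choice to count the production data as one of the three copies are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str               # storage type, e.g. "disk", "nas", "cloud"
    offsite: bool             # kept outside the primary site
    immutable: bool           # cannot be changed or deleted during retention
    production: bool = False  # the live data set (assumed to count as copy 1)


def check_321(copies):
    """Return a list of gaps; an empty list means the rule is met."""
    gaps = []
    backups = [c for c in copies if not c.production]
    if len(copies) < 3:
        gaps.append(f"copies: {len(copies)} of 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        gaps.append(f"media: {len(media)} of 2")
    # Offsite and immutability are only accepted from backup copies,
    # never from the production data set itself.
    if not any(c.offsite for c in backups):
        gaps.append("offsite: no backup copy outside the primary site")
    if not any(c.immutable for c in backups):
        gaps.append("immutable: no backup copy protected from modification")
    return gaps


# Constructed sample inventories (not from the original page).
WEAK = [
    BackupCopy("file-server", "disk", offsite=False, immutable=False, production=True),
    BackupCopy("nas-nightly", "nas", offsite=False, immutable=False),
]
FIXED = WEAK + [
    BackupCopy("nas-snapshot", "nas", offsite=False, immutable=True),
    BackupCopy("cloud-weekly", "cloud", offsite=True, immutable=False),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("fixed", FIXED)):
        gaps = check_321(inventory)
        print(label, "OK" if not gaps else gaps)
```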

4. Monthly patch management

Windows Update, browsers, business applications. An unpatched vulnerability more than 30 days old is an entry point. Tools: Intune, WSUS, or a simple PowerShell script.

5. Next-generation firewall with filtering

FortiGate, Stormshield or equivalent — IPS, URL filtering, gateway antivirus. Blocks C2 (command & control) communications from malware.

6. Network segmentation

Dedicated VLANs: guests, IoT, corporate. A compromised workstation must not be able to scan the entire infrastructure.

7. Written and tested incident procedure

What to do in case of compromise? Who to call? How to isolate? Short document (1–2 pages) + annual simulation.

8. User training (anti-phishing)

30 minutes per year minimum. Simulated phishing tests to measure maturity.

9. Hardware and software inventory

You cannot protect what you don't know about. A spreadsheet or GLPI is enough for SMEs.

10. Annual external audit

An outside perspective finds blind spots. Cost: €2,000 to €5,000 for SMEs, immediate ROI.

Conclusion

None of these measures is complex. Total annual cost for a 20-workstation SME: €3,000 to €8,000. Compare this to the cost of a successful attack (€50,000 to several hundred thousand).
