Cybersecurity checklist for SMEs 2026: 10 essential measures
The 10 minimum cybersecurity controls for any SME or administration with fewer than 100 workstations. A pragmatic approach on a controlled budget.
Ransomware attacks now affect SMEs as much as large corporations. This checklist covers the 10 measures that drastically reduce risk without oversizing your IT infrastructure.
1. MFA everywhere on cloud identities
Microsoft 365, Google Workspace, GitHub, Slack — enabling two-factor authentication is free and blocks 99% of account compromises. No excuse in 2026.
2. EDR on all endpoints
Microsoft Defender for Business (~€2.70/month/workstation) or equivalent. Behavioral detection, not just signature-based antivirus.
3. 3-2-1 backup with immutability
3 copies, 2 different media, 1 offsite. Immutability (Veeam, Synology Snapshot, etc.) to resist ransomware that targets backups themselves.
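A way to check a backup inventory against the 3-2-1 rule with immutability, as an added example that is not part of the original checklist. It assumes the production data counts as one of the 3 copies and that at least one backup copy must be immutable; the inventory entries and field names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    medium: str        # storage type, e.g. "server-disk", "nas", "object-storage"
    offsite: bool      # stored away from the main premises
    immutable: bool    # cannot be altered or deleted during its retention period
    production: bool = False  # the live data itself (assumed to count as a copy)


def check_321(copies):
    """Return the list of unmet rules; an empty list means the set passes."""
    # Offsite and immutability only make sense for backups, not the live data.
    backups = [c for c in copies if not c.production]
    findings = []
    if len(copies) < 3:
        findings.append("copies<3")
    if len({c.medium for c in copies}) < 2:
        findings.append("media<2")
    if not any(c.offsite for c in backups):
        findings.append("no-offsite")
    # Assumption: one immutable backup copy is the minimum bar.
    if not any(c.immutable for c in backups):
        findings.append("no-immutable")
    return findings


# Constructed inventories (all names are made up for this example).
WEAK = [
    Copy("file-server", "server-disk", False, False, production=True),
    Copy("nightly-to-nas", "nas", False, False),
]
STRONG = WEAK + [
    Copy("weekly-offsite", "object-storage", True, True),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("strong", STRONG)):
        print(label, check_321(inventory) or "OK")
```

The weak inventory is the common SME setup of a server plus a NAS in the same room: it has two media but fails on copy count, offsite and immutability.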
4. Monthly patch management
Windows Update, browsers, business applications. A vulnerability left unpatched for more than 30 days is an entry point. Tools: Intune, WSUS, or a simple PowerShell script.
5. Next-generation firewall with filtering
FortiGate, Stormshield or equivalent — IPS, URL filtering, gateway antivirus. Blocks C2 (command & control) communications from malware.
6. Network segmentation
Dedicated VLANs: guests, IoT, corporate. A compromised workstation must not be able to scan the entire infrastructure.
7. Written and tested incident procedure
What to do in case of compromise? Who to call? How to isolate? A short document (1–2 pages) plus an annual simulation.
8. User training (anti-phishing)
30 minutes per year minimum. Simulated phishing tests to measure maturity.
9. Hardware and software inventory
You cannot protect what you don't know about. A spreadsheet or GLPI is enough for SMEs.
10. Annual external audit
An outside perspective finds blind spots. Cost: €2,000 to €5,000 for SMEs, immediate ROI.
Conclusion
None of these measures is complex. Total annual cost for a 20-workstation SME: €3,000 to €8,000. Compare this to the cost of a successful attack (€50,000 to several hundred thousand).