Cybersecurity Checklist for MA Businesses
35 essential security measures every Massachusetts business should implement, from basic hygiene to regulatory compliance.
How to use this checklist: Go through each item and check off what you've already implemented. At the end, tally your score. This checklist covers the fundamentals; if you're missing more than a few items, your business may be at serious risk. Massachusetts regulation 201 CMR 17.00 (issued under M.G.L. c. 93H) requires every person or business that owns or licenses personal information about a MA resident to maintain a comprehensive written information security program.
Passwords & Authentication (6 items)
- Multi-factor authentication (MFA) enabled on all business email accounts. Email is one of the most common initial access vectors, and Microsoft has reported that MFA blocks more than 99.9% of automated account-compromise attempts even when the password is already known. Prefer phishing-resistant methods (FIDO2 security keys or passkeys); SMS codes and plain push approvals can be defeated by adversary-in-the-middle phishing kits and push-fatigue prompts.
- MFA enabled on all cloud services (Microsoft 365, Google Workspace, QuickBooks, etc.). An attacker who reaches a cloud admin console controls your mail, files, and billing. MFA is non-negotiable, and admin roles should be covered first.
- Business password manager deployed to all employees. People reuse passwords. A password manager generates a unique, strong password for every account, and you can revoke a departing employee's access to shared vaults in one place.
- Minimum password length of 14+ characters enforced. Short passwords fall to offline cracking of a stolen hash in hours. NIST SP 800-63B now favors length over mandatory complexity rules and recommends screening new passwords against lists of known-breached passwords; a 14-character passphrase is far stronger than "P@ssw0rd!", which appears in every cracking wordlist.
- Default passwords changed on all hardware (routers, firewalls, printers, cameras). Default credentials are published in vendor manuals and online lists, and attackers scan for them automatically. Changing them takes about 5 minutes per device.
- Admin accounts separated from daily-use accounts. If the account you read email with is also a Global Administrator or domain admin, one phishing click hands the attacker the keys to the kingdom. Use a separate admin account with no mailbox that is used only for administration.
Email Security (5 items)
- SPF, DKIM, and DMARC records configured for your domain. SPF lists the servers allowed to send for your domain, DKIM signs outbound mail, and DMARC tells receivers what to do when a message fails both checks. Without them, anyone can send mail that appears to come from your domain. Note that DMARC only blocks spoofing once the policy is p=quarantine or p=reject (p=none merely reports), and none of the three stops lookalike domains.
- Advanced email filtering / anti-phishing in place. Built-in spam filters miss targeted phishing. A dedicated email security layer catches display-name and domain impersonation, malicious links (ideally rewritten and re-checked at click time), and weaponized attachments.
- External email warning banner enabled. A simple "[EXTERNAL]" tag on messages from outside your organization helps employees notice when a "CEO" request actually came from outside.
- Auto-forwarding rules audited and restricted. Attackers who compromise a mailbox create silent forwarding or redirect rules (often named "." or left blank, and set to delete the original) to exfiltrate mail. Disable automatic external forwarding at the tenant level and review inbox rules and mailbox-level forwarding regularly; a new rule is often the first sign of a compromised account.
- Email retention and archival policy documented. You need to know how long mail is kept, who can access the archive, and how you would produce it if subpoenaed.
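The SPF/DKIM/DMARC item above lists what the records are for but not how to tell a configured-but-useless setup (SPF ending in ?all, DMARC at p=none, a 1024-bit DKIM key) from a working one. The script below is an added example, not tooling from this checklist or its author: it evaluates the three record types for those weaknesses. The record strings are constructed samples for a fictitious domain, the DKIM p= values are placeholder base64 of the right length for a 1024-bit versus 2048-bit RSA key rather than real keys, and live DNS lookups are left out so it runs offline (in practice you would fetch the TXT records for example.com, _dmarc.example.com and selector._domainkey.example.com).

```python
"""Flag common weaknesses in a domain's SPF, DMARC and DKIM TXT records.

Added example for the email-authentication checklist item; not the checklist's
own tooling. Records below are constructed samples, not real DNS data.
"""
import base64
import re

# Constructed sample records for a fictitious domain.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
WEAK_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 216    # placeholder, decodes to 162 bytes (1024-bit size)
STRONG_DKIM = "v=DKIM1; k=rsa; p=" + "A" * 392  # placeholder, decodes to 294 bytes (2048-bit size)

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def parse_tags(txt):
    """Parse a 'tag=value; tag=value' list (DMARC/DKIM syntax) into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(txt):
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["SPF: no record, so any host can claim to send as this domain"]
    all_qualifier, lookups = None, 0
    for term in txt.split()[1:]:
        m = ALL_TERM.match(term)
        if m:
            all_qualifier = m.group(1) or "+"
        elif LOOKUP_TERM.match(term.lstrip("+-~?")):
            lookups += 1
    findings = []
    if all_qualifier is None or all_qualifier in "+?":
        findings.append(f"SPF: 'all' qualifier is {all_qualifier!r}; unlisted senders still pass (use -all or ~all)")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the RFC 7208 limit of 10 and yield permerror")
    return findings


def dmarc_findings(txt):
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return ["DMARC: no record, so receivers never enforce SPF/DKIM alignment"]
    tags = parse_tags(txt)
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports of who is spoofing you")
    return findings


def dkim_findings(txt):
    tags = parse_tags(txt or "")
    if "p" not in tags:
        return ["DKIM: no key record at the selector, so outbound mail cannot be verified"]
    if tags["p"] == "":
        return ["DKIM: empty p= means the key has been revoked"]
    # Rough size check from the decoded SubjectPublicKeyInfo length: a 1024-bit RSA
    # key encodes to about 162 bytes, a 2048-bit key to about 294 bytes.
    der_len = len(base64.b64decode(tags["p"]))
    if der_len < 250:
        return [f"DKIM: key is {der_len} DER bytes, likely 1024-bit RSA or weaker; rotate to 2048-bit"]
    return []


def audit(spf, dmarc, dkim):
    """Return every finding for one domain's three records."""
    return spf_findings(spf) + dmarc_findings(dmarc) + dkim_findings(dkim)


if __name__ == "__main__":
    for label, records in (("weak", (WEAK_SPF, WEAK_DMARC, WEAK_DKIM)),
                           ("strong", (STRONG_SPF, STRONG_DMARC, STRONG_DKIM))):
        print(label, audit(*records) or ["no findings"])
```

Run it as-is and the "weak" set produces four findings while the "strong" set is clean. The DKIM size check is a heuristic on DER length rather than a full ASN.1 parse; it is enough to catch the 1024-bit keys that many older mail platforms still publish.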
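The auto-forwarding item says to audit rules but not what a malicious rule looks like in an export. As an added example (not the checklist's own tooling), the script below reads two CSV exports and flags the tells: forwarding or redirecting to a domain you do not own, deleting the original after forwarding, rule names that are blank or punctuation only, and mailbox-level forwarding. It assumes the exports came from Exchange Online PowerShell (Get-InboxRule and Get-Mailbox piped to Export-Csv), so the column names follow those cmdlets' properties; the exact text layout of recipient fields in such an export is assumed, INTERNAL_DOMAINS is a placeholder for your own accepted domains, and every row is constructed sample data.

```python
"""Audit exported inbox rules and mailbox forwarding settings for exfiltration.

Added example for the auto-forwarding checklist item; not the checklist's own
tooling. Column names follow Exchange Online's Get-InboxRule / Get-Mailbox
properties; the recipient-field text layout is assumed and all rows are
constructed samples.
"""
import csv
import io
import re

INTERNAL_DOMAINS = {"example.com"}  # assumed: the domains your tenant accepts mail for

SAMPLE_RULES_CSV = """MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage
alice@example.com,Invoices to Bob,True,Bob Smith [SMTP:bob@example.com],,,False
alice@example.com,.,True,,,x [SMTP:archive@attacker.example],True
carol@example.com,Old newsletter rule,False,,,drop@attacker.example,True
dave@example.com,Personal copy,True,dave.home@mail.example,,,False
"""

SAMPLE_MAILBOX_CSV = """UserPrincipalName,ForwardingSmtpAddress,DeliverToMailboxAndForward
alice@example.com,,False
erin@example.com,smtp:erin.backup@attacker.example,True
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def addresses(field):
    """Pull SMTP addresses out of a recipient field, whatever its display format."""
    return [a.lower() for a in EMAIL_RE.findall(field or "")]


def is_external(addr):
    return addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def is_true(value):
    return (value or "").strip().lower() == "true"


def suspicious_name(name):
    # Rules planted in a compromised mailbox are often named ".", "..", or a space
    # so they are easy to overlook in the rule list.
    return re.search(r"[A-Za-z0-9]", name or "") is None


def audit_inbox_rules(csv_text):
    """Return one finding per enabled rule that looks like exfiltration."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_true(row.get("Enabled")):
            continue  # disabled rules are worth cleaning up but cannot leak mail
        destinations = []
        for column in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            destinations += addresses(row.get(column))
        reasons = []
        external = [d for d in destinations if is_external(d)]
        if external:
            reasons.append("sends mail outside the organization to " + ", ".join(external))
        if destinations and is_true(row.get("DeleteMessage")):
            reasons.append("deletes the original after forwarding, hiding the copy from the user")
        if suspicious_name(row.get("Name")):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"mailbox": row["MailboxOwnerId"], "rule": row["Name"], "reasons": reasons})
    return findings


def audit_mailbox_forwarding(csv_text):
    """Return mailboxes whose mailbox-level forwarding points outside the organization."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        target = (row.get("ForwardingSmtpAddress") or "").strip().lower()
        target = target[5:] if target.startswith("smtp:") else target
        if target and is_external(target):
            findings.append({"mailbox": row["UserPrincipalName"], "forwards_to": target,
                             "keeps_copy": is_true(row.get("DeliverToMailboxAndForward"))})
    return findings


if __name__ == "__main__":
    for finding in audit_inbox_rules(SAMPLE_RULES_CSV) + audit_mailbox_forwarding(SAMPLE_MAILBOX_CSV):
        print(finding)
```

On the sample data, Alice's "." rule is reported with all three tells, Dave's personal-copy rule is reported for the external destination, Bob's internal forward is ignored, and Erin's mailbox-level forward to an outside address is listed separately. Mailbox-level forwarding is easy to miss because it does not appear in the inbox rules at all, which is why the two exports are audited side by side.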
Network Security (6 items)
- Business-grade firewall with active threat protection. Consumer routers forward packets without inspecting them. A UTM or next-generation firewall blocks known-malicious traffic, can flag data exfiltration, and logs the network activity you will need during an incident.
- Guest WiFi separated from business network. Guest devices should never share a network with your POS system, file server, or printers. Put guests on their own VLAN with no route to internal subnets.
- WiFi using WPA3 or WPA2-Enterprise encryption. With WPA2-Personal, one shared passphrase is known to every current and former employee, and the handshake can be captured and cracked offline. WPA3, or WPA2/WPA3-Enterprise (802.1X) with per-user credentials, is the standard.
- Remote access secured via VPN or zero-trust solution. RDP exposed directly to the internet is one of the most common ransomware entry points. Never publish RDP or SMB on a public IP; put remote access behind a VPN with MFA or a zero-trust access broker.
- DNS filtering enabled across all devices. DNS filtering blocks resolution of known-malicious domains before a connection is ever made. It is cheap, effective, and works on every device, including laptops off the office network when the agent is installed.
- Network monitoring / intrusion detection active. You can't defend what you can't see. Monitoring tools alert you to unusual traffic patterns, such as a workstation talking to a server it has never touched before, that signal a breach in progress.
Backup & Recovery (5 items)
- 3-2-1 backup strategy implemented (3 copies, 2 media types, 1 offsite). Ransomware encrypts local and network-attached backups that the infected machine can reach. Without an offsite or cloud copy, you're paying the ransom or starting over.
- Backups tested with an actual restore within the last 90 days. Untested backups are Schrödinger's backups: they might work, they might not. Restore a real file, a full server, or a mailbox quarterly at minimum, and time it against your RTO.
- Immutable / air-gapped backup copy maintained. Sophisticated ransomware specifically targets backup systems and deletes them before encrypting. An immutable copy (object lock or a vendor's immutability setting, in a mode that even your own administrators cannot override for the retention period) or an offline copy survives a compromised admin account.
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) defined. How long can you be down? How much data can you lose? If you don't know these numbers, your backup frequency and restore plan are guesswork.
- Microsoft 365 / Google Workspace data backed up separately. Microsoft's and Google's retention policies are not backups: deleted emails, SharePoint files, and Teams data can be permanently lost once retention windows lapse, and an attacker inside the tenant can destroy the only copy. Use a third-party backup.
Employee Training (4 items)
- Security awareness training conducted at least annually. People are the most targeted link. Regular training reduces phishing click rates by 60-70% according to industry studies (results vary by vendor and measurement method).
- Simulated phishing tests run quarterly. Training without testing is a fire drill everyone knows about in advance. Simulated phishing shows who needs additional coaching and, just as importantly, whether people report the lure.
- Clear acceptable use policy distributed and signed. Employees need to know what is allowed on company devices and networks. This protects them and you.
- Incident reporting procedure known to all staff. If an employee clicks a phishing link at 2 PM but doesn't report it until the next morning, attackers have an 18-hour head start. Make reporting blame-free and one click away; fast reporting turns an incident into a password reset instead of a breach.
Physical Security (4 items)
- Server room / network closet locked with restricted access. Physical access is total access. Anyone who can touch your server can boot it from USB, pull a disk, install malware, or simply unplug it.
- Workstation lock policy enforced (auto-lock after 5 min). An unlocked workstation in a shared space is an open invitation. Auto-lock costs nothing and takes seconds to configure through group policy or MDM.
- Visitor access policy and sign-in procedure in place. Tailgating (following an employee through a secure door) is a common social engineering tactic. Visitor logs and escorts create accountability.
- Retired hardware securely wiped or destroyed before disposal. Old drives contain everything: passwords, customer data, financials. Deleting files or reformatting does not remove the data; overwrite the drive with a wiping tool, use the drive's built-in crypto-erase, or physically destroy it, and keep a certificate of destruction. A $50 hard drive can cost you $50,000 in breach liability.
Compliance: MA 201 CMR 17.00 (5 items)
- Written Information Security Program (WISP) documented and current. 201 CMR 17.00 requires every person or business that owns or licenses personal information about a Massachusetts resident to develop, implement, and maintain a written security program. There is no exception for small businesses, and the program must be reviewed at least annually or whenever business practices change materially.
- Designated security coordinator identified. The regulation requires designating one or more employees to maintain the security program. An outsourced provider can run the day-to-day controls, but name the accountable person in the WISP.
- Inventory of personal information (PI) maintained. You can't protect what you don't know you have. Under the regulation, PI means a resident's name combined with a Social Security number, driver's license or state ID number, or financial account or payment card number. Catalog where that data is stored, who has access, and how it flows through your organization.
- Encryption used for PI transmitted over public networks and on portable devices. The regulation specifically requires encrypting personal information transmitted across public networks or wirelessly and all personal information stored on laptops or other portable devices. In practice: TLS for mail and web transfers, full-disk encryption (BitLocker, FileVault) on every laptop, and encrypted or prohibited USB drives.
- Terminated employee access revoked within 24 hours. The regulation requires preventing terminated employees from accessing records containing personal information and restricting system access to active users; the 24-hour target is this checklist's, and same-day is better. Former employees with live credentials are a top breach risk, so tie offboarding to HR and include cloud apps, VPN, and shared passwords.
Score Your Security
Count the items you checked off. Be honest: checking a box you haven't actually implemented doesn't make you safer.

| Score (of 35) | Rating |
| --- | --- |
| 0 to 10 | Critical Risk. Your business is highly vulnerable and likely does not meet MA compliance requirements. Prioritize MFA, backups, and a WISP immediately. |
| 11 to 20 | High Risk. You have some basics in place but major gaps remain. Focus on the categories where you scored lowest; those are your attack surface. |
| 21 to 28 | Moderate Risk. Good foundation, but you're still missing important protections. This is where most small businesses land, and where most breaches happen. |
| 29 to 33 | Good. You're ahead of most small businesses. Focus on testing, monitoring, and keeping everything current. Annual reviews are key. |
| 34 to 35 | Excellent. You take security seriously. Keep reviewing and updating quarterly; threats evolve fast. |