October is Cybersecurity Awareness Month, and while a calendar observance won't stop an attacker, it's a genuinely useful forcing function. Security work is easy to defer — there's always something more urgent this quarter. A dedicated month gives you permission to stop deferring and actually close out the basics.

The good news for small and mid-sized businesses is that most successful attacks don't rely on exotic techniques. They exploit the fundamentals that never got finished: MFA that isn't everywhere, backups nobody has tested, accounts that should have been disabled months ago. The checklist below is not theoretical. Each item is something a determined SMB can realistically stand up this quarter.

The 10-Point Checklist

1. Enforce MFA everywhere

Multi-factor authentication is the highest-value control on this list. Turn it on for email, remote access, financial systems, and administrator accounts without exception. Prioritize app-based or phishing-resistant methods over SMS codes where you can.

2. Put EDR on every endpoint

Traditional antivirus catches known threats; endpoint detection and response (EDR) watches for suspicious behavior and can isolate a compromised device before an attacker spreads. Make sure it's installed and reporting on every laptop, desktop, and server — not just some of them.

3. Patch on a defined schedule

Unpatched software is one of the most common entry points. Establish a regular cadence for operating systems, applications, and firmware, and track that critical vulnerabilities get remediated quickly rather than whenever someone gets to it.

4. Keep tested backups, including an offline or immutable copy

Backups are your last line of defense against ransomware, but only if they work. Follow a 3-2-1 approach and keep at least one copy that's offline or immutable so it can't be encrypted along with everything else. Then confirm you can actually restore from it.

5. Run security awareness training and phishing simulations

People are targeted constantly, and a trained team is a strong layer of defense. Short, regular training paired with realistic phishing simulations helps employees recognize and report suspicious messages instead of clicking them.

6. Apply least privilege and remove stale accounts

Give users only the access their role requires, and review those permissions periodically. Just as important, disable accounts for former employees and contractors promptly — dormant accounts are a favorite foothold for attackers.

7. Secure email with filtering and DMARC

Email remains the primary delivery method for phishing and malware. Strong spam and malware filtering blocks much of it, and email authentication records such as SPF, DKIM, and DMARC make it harder for attackers to spoof your domain against your own customers.

8. Write an incident response plan with clear roles

Decide in advance who does what when something goes wrong — who declares an incident, who contacts leadership, who handles communications, and who to call for outside help. A one-page plan you've actually reviewed beats a perfect plan that lives only in someone's head.

9. Maintain an inventory of assets and data

You can't protect what you don't know you have. Keep a current list of devices, applications, and cloud services, and understand where sensitive data lives. This inventory underpins nearly every other control on this list.

10. Review vendor and third-party access

Your security is only as strong as the partners connected to your systems. Review which vendors have access, confirm that access is still needed and appropriately limited, and remove any connections that are no longer in use.


If You Can Only Do a Few

Don't let the length of the list become a reason to do nothing. If you can only tackle a handful this month, start with the items that cut the most risk for the least effort: enforce MFA everywhere, confirm your backups actually restore, and get EDR onto every endpoint. Those three alone dramatically reduce your exposure to the most common and most damaging attacks.

From there, work down the list at a sustainable pace. The goal isn't a perfect security program by November 1 — it's steady, real progress that leaves you meaningfully harder to compromise than you were in September.

Ready to Move From Reactive to Proactive?

Plexus helps organizations transition from reactive, break-fix IT to a managed model with real monitoring, defined SLAs, and accountability to outcomes. Schedule a complimentary discovery session — we'll review your current environment and give you an honest picture of where the exposure is.

Schedule Free Discovery