
The Small Business IT & Security Checklist: What You Actually Need (and What You Don’t)

Prepared by DP3  ·  Published March 2026

Table of Contents
  1. IT Operations
  2. Productivity & Collaboration
  3. Device Management
  4. Backup & Disaster Recovery
  5. Internet & Networking
  6. Help Desk & ITSM
  7. VoIP / Phone System
  8. Cybersecurity
  9. Email Security
  10. Endpoint Protection (EDR)
  11. Identity & Access
  12. Identity Threat Detection
  13. Security Awareness
  14. DNS Filtering
  15. Dark Web Monitoring
  16. Vulnerability Management
  17. SIEM
  18. The Non-Negotiables
  19. Cyber Insurance
  20. Where Do You Stand?

Most small businesses don’t think about IT and security until something breaks. Or worse, until ransomware locks every file on the server and the recovery conversation starts with “how current is your backup?” followed by a long silence.

If you’re running a 20 to 500 person professional services firm — law, accounting, consulting, financial services — this guide is for you. Not the Fortune 500 playbook. Not a watered-down consumer checklist. This is the practical, right-sized stack that keeps your team productive, your data protected, and your cyber insurance carrier satisfied.

We’ve broken it into two sections: IT operations (the foundation) and cybersecurity (the protection layer). Each category includes what to look for, example vendors, and the one thing that matters most — because getting the category right matters less than getting the implementation right.

IT Operations

Productivity & Collaboration Platform

This is the foundation everything else sits on: email, file storage, calendars, video conferencing, and real-time collaboration.

What to look for                              Example vendors
Business email with custom domain             Microsoft 365, Google Workspace
Cloud file storage and sharing                Microsoft 365 (OneDrive/SharePoint), Google Workspace (Drive)
Video conferencing and chat                   Microsoft Teams, Zoom, Google Meet

Most Businesses Get This Wrong

Picking a platform and then bolting on a second one for specific functions. You end up with files in three places, security policies that only cover half your tools, and users who can’t find anything.

Pick one ecosystem and commit. For professional services firms, we see Microsoft 365 Business Premium as the strongest option. Its security, compliance, and identity controls are tightly integrated in ways that matter when you’re handling sensitive client data. Google Workspace is a solid alternative, especially for smaller, cloud-native teams, but its security and compliance tooling requires more third-party layering to reach parity.

Device Management (Endpoint Management)

You need visibility into every laptop, desktop, and mobile device your team uses, especially with remote and hybrid work. Device management tools let you deploy software, push updates, enforce policies, and troubleshoot remotely.

What to look for                              Example vendors
Remote monitoring & management (RMM)          NinjaOne, ConnectWise Automate, Datto RMM
Mobile device management (MDM)                Microsoft Intune, Jamf (Mac), Kandji
Patch management (OS and third-party)         NinjaOne, Automox, ManageEngine

If You Don't Know How Many Devices Are on Your Network Right Now…

…or which ones are three months behind on patches, you’re already exposed. Unpatched systems are one of the most exploited entry points in every breach report, every year. Automated patching for both OS and third-party applications is table stakes.

Backup & Disaster Recovery

If ransomware hits tomorrow, how fast can you be back up and running? Backup needs to be tested regularly, not just configured and forgotten.

What to look for                              Example vendors
Cloud-to-cloud backup (M365, Google)          Datto SaaS Protection, Veeam Backup for M365, Acronis
Server/endpoint backup                        Datto BCDR, Veeam, Acronis Cyber Protect
Offsite/immutable backup copies               Wasabi, Backblaze B2, AWS S3 (with Object Lock)

The Mistake We See Constantly

Businesses set up backup once and never test a restore. Then when they actually need it, they discover the backups have been failing silently for months, or that their retention window expired weeks before the incident.

The 3-2-1 rule still holds: three copies of your data, on two different types of media, with one stored offsite. At least one copy must be immutable, meaning it cannot be altered or deleted until its retention period expires, even by an administrator whose credentials the attacker now holds. Check the actual setting, not the product name: S3 Object Lock in governance mode can still be overridden by a sufficiently privileged user, while compliance mode cannot, and only the latter is immutable in the sense that matters during a ransomware incident. Test your restores quarterly, and time them: a backup that takes two weeks to restore does not meet a two-day recovery objective.

If you’ve never tested a restore, you don’t have a backup. You have a hope.
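A restore test should end with evidence, not a feeling. The script below is an added example (not a DP3 tool and not a feature of any backup product named above): at backup time it records a SHA-256 manifest of the protected tree, and at test-restore time it compares the restored copy against that manifest, reporting files that are missing, silently altered, or unexpected. The file names and contents in demo() are constructed, and the directory layout is a hypothetical stand-in for a file share. Store the manifest with the immutable copy, not on the server it describes.

```python
"""Restore verification: prove that a restored tree matches what was backed up.

Added example, not a DP3 tool or any backup vendor's feature. At backup
time you record a SHA-256 manifest of the protected data and keep it with
the immutable copy; at test-restore time you compare the restored files
against that manifest. demo() builds constructed sample trees in a temp
directory and simulates a restore that silently lost and altered files.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in actual),
        "corrupt": sorted(k for k, digest in manifest.items() if k in actual and actual[k] != digest),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def restore_is_good(result: dict[str, list[str]]) -> bool:
    """A restore test passes only when nothing is missing or altered."""
    return not result["missing"] and not result["corrupt"]


def demo() -> dict[str, list[str]]:
    """Simulate a backup, then a flawed restore, entirely inside a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        restored = Path(tmp, "restored")
        (source / "clients").mkdir(parents=True)
        (restored / "clients").mkdir(parents=True)

        # Constructed sample data standing in for a file server.
        (source / "clients" / "acme-engagement.docx").write_bytes(b"engagement letter v3")
        (source / "clients" / "ledger.xlsx").write_bytes(b"Q1 trial balance")
        (source / "readme.txt").write_bytes(b"share root notes")
        manifest = build_manifest(source)  # recorded alongside the backup

        # The "restore": one file intact, one altered in transit, one never restored.
        (restored / "clients" / "acme-engagement.docx").write_bytes(b"engagement letter v3")
        (restored / "clients" / "ledger.xlsx").write_bytes(b"Q1 trial balance\x00\x00")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    outcome = demo()
    print(outcome)
    print("PASS" if restore_is_good(outcome) else "FAIL: do not trust this backup")
```

Run it against a real test restore by calling build_manifest on the live share at backup time and verify_restore on the restored mount afterwards; a non-empty "missing" or "corrupt" list is a failed test, whatever the backup console says.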

Business Internet & Networking

Your network is the highway everything rides on. A consumer-grade router won’t cut it once you have more than a handful of employees.

What to look for                              Example vendors
Business-class firewall / router              Fortinet, SonicWall, Ubiquiti (UniFi)
Managed Wi-Fi (with VLANs, guest isolation)   Ubiquiti UniFi, Meraki, Aruba
Business-grade ISP with SLA                   Local fiber providers, Comcast Business, Spectrum Business
SD-WAN (multi-location businesses)            Fortinet, Cradlepoint, Meraki
DNS management and domain registration        Cloudflare

This Is Where “It Works Fine” Gets Dangerous

A flat network — where every device can talk to every other device — means a single compromised laptop can reach your file server, your billing system, and your backup appliance. Guest Wi-Fi should be completely isolated from your business network. IoT devices (printers, cameras, smart TVs) belong on their own VLAN with internet access only. The backup appliance deserves its own segment, reachable only from the backup server and a management host, so a compromised workstation cannot reach its web console or shares; management interfaces for the firewall, switches, and hypervisors belong on a dedicated management VLAN for the same reason. Firewall rules should be reviewed at least annually, starting with the "any to any" rules that accumulate during troubleshooting and never get removed.

Getting this right requires real network engineering, not just plugging things in.
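The annual rule review is easier when you can state what the network is supposed to allow and test the rule base against it. The script below is an added example, not DP3's tooling and not the export format of any firewall named above. It models rules as an ordered, first-match list between named zones (LAN, GUEST and IOT as described above, plus assumed SERVERS, BACKUP and INTERNET zones), computes which zone-to-zone flows the rule base actually permits, and compares that with the intended matrix. The rules, rule names and intended matrix are constructed for illustration.

```python
"""Zone reachability audit for a small-business firewall rule base.

Added example, not DP3's tooling or any firewall vendor's export format.
Rules are an ordered first-match list between named zones (the VLANs
from the section above); audit() compares what the rule base permits
with what was intended. Zones, rules and the intended matrix are constructed.
"""

ZONES = ["LAN", "GUEST", "IOT", "SERVERS", "BACKUP", "INTERNET"]

# Ordered rules, first match wins. "legacy-any-any" is the kind of entry that
# accumulates when "it works fine" is the only acceptance test.
RULES = [
    {"name": "lan-to-servers", "src": "LAN", "dst": "SERVERS", "action": "allow"},
    {"name": "servers-to-backup", "src": "SERVERS", "dst": "BACKUP", "action": "allow"},
    {"name": "outbound-internet", "src": "any", "dst": "INTERNET", "action": "allow"},
    {"name": "legacy-any-any", "src": "any", "dst": "any", "action": "allow"},
    {"name": "default-deny", "src": "any", "dst": "any", "action": "deny"},
]

# Intended design: guests and IoT reach only the internet, the backup
# appliance is reachable only from the backup server's zone and may itself
# reach the internet to replicate the offsite copy.
INTENDED_ALLOW = {
    ("LAN", "SERVERS"), ("LAN", "INTERNET"),
    ("GUEST", "INTERNET"), ("IOT", "INTERNET"),
    ("SERVERS", "INTERNET"), ("SERVERS", "BACKUP"),
    ("BACKUP", "INTERNET"),
}


def _matches(rule_field: str, zone: str) -> bool:
    return rule_field == "any" or rule_field == zone


def decision(rules: list[dict], src: str, dst: str) -> str:
    """First-match evaluation; a flow no rule matches is denied."""
    for rule in rules:
        if _matches(rule["src"], src) and _matches(rule["dst"], dst):
            return rule["action"]
    return "deny"


def audit(rules: list[dict], intended: set[tuple[str, str]], zones: list[str] = ZONES) -> dict[str, list[tuple[str, str]]]:
    """Flows allowed but not intended (over-permissive) and intended but blocked (broken)."""
    allowed = {
        (s, d) for s in zones for d in zones
        if s != d and decision(rules, s, d) == "allow"
    }
    return {
        "over_permissive": sorted(allowed - intended),
        "blocked_but_intended": sorted(intended - allowed),
    }


def without_rule(rules: list[dict], name: str) -> list[dict]:
    """Preview the effect of removing one rule before touching production."""
    return [r for r in rules if r["name"] != name]


if __name__ == "__main__":
    report = audit(RULES, INTENDED_ALLOW)
    print("over-permissive flows:", report["over_permissive"])
    print("after removing legacy-any-any:", audit(without_rule(RULES, "legacy-any-any"), INTENDED_ALLOW))
```

With the legacy rule in place every zone can reach every other zone, including guest Wi-Fi to the LAN and IoT to the backup appliance; removing that one rule brings the rule base back to the intended matrix without breaking any flow the business needs.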

Help Desk & IT Service Management

Once your team is larger than 20 or 30 people, you need a structured way to track IT requests, manage assets, and document your environment.

What to look for                              Example vendors
Ticketing and service desk                    HaloPSA, Freshdesk, Zendesk, ConnectWise PSA
IT documentation / knowledge base             IT Glue, Hudu, Confluence

Why Documentation Matters More Than You Think

Every request should be tracked, every resolution documented. Without it, you have no audit trail, no way to identify recurring problems, and no way to onboard new IT support without months of tribal knowledge transfer. Documentation isn’t glamorous, but it’s the difference between a 10-minute fix and a 4-hour guessing game.

VoIP / Business Phone System

Traditional phone lines are expensive and inflexible. Modern cloud-based phone systems give you professional call handling, auto-attendants, and mobile apps at a fraction of the cost.

What to look for                              Example vendors
Cloud PBX / VoIP                              Microsoft Teams Phone, RingCentral, 8x8, Zoom Phone
Contact center (if applicable)                RingCentral, Five9, Talkdesk

If you’re already on Microsoft 365, Teams Phone is often the most cost-effective option since it integrates with your existing platform. Evaluate call quality and reliability over price alone. Dropped calls cost you clients.

Cybersecurity

Email Security

Email is the number one attack vector for small businesses. Phishing, business email compromise, and credential theft all start in the inbox. For a real-world example of how a phone call turned into a malware infection at a law firm, see our case study.

What to look for                              Example vendors
Advanced email filtering / anti-phish         Mimecast, Proofpoint, Ironscales, Avanan
DMARC / DKIM / SPF configuration              Built into M365/Google, but must be properly configured
Email encryption                              Microsoft Purview, Virtru, Zix

Native Email Filtering Is Not Enough

If you’re relying on native M365 or Google email security alone, you’re exposed. Those built-in filters are designed as a baseline, and modern phishing attacks are specifically engineered to bypass them. Layer a dedicated email security platform on top.

Move DMARC to enforcement. Receiving servers only quarantine or reject mail that fails DMARC if your policy tells them to; a p=none record merely requests reports while mail spoofing your domain is still delivered to your clients and vendors. The safe path is p=none with rua= reporting to discover every legitimate sender, fix SPF and DKIM alignment for each one, then p=quarantine, then p=reject with pct=100 and sp=reject so subdomains are covered too. Leaving DMARC at "monitor only" indefinitely is almost as bad as not having it at all.
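The check below is an added example (not DP3's tooling and not any vendor's): give it the SPF and DMARC TXT records you would pull with `dig TXT example.com` and `dig TXT _dmarc.example.com`, and it tells you whether the domain is really at enforcement, whether subdomains and the pct= tag leave a gap, whether you will ever receive reports, and whether the SPF record ends in a qualifier that means anything. The domain example.com and every record in demo() are constructed samples.

```python
"""Email-authentication posture check for a domain's SPF and DMARC records.

Added example, not DP3's tooling or any vendor's. Feed it the TXT records
from `dig TXT example.com` and `dig TXT _dmarc.example.com`; it reports
whether DMARC is really at enforcement and whether SPF ends in a meaningful
qualifier. The records in demo() are constructed samples.
"""
import re

# SPF terms that each cost one DNS lookup (RFC 7208 caps a record at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect="}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return weaknesses; an empty list means enforcement with reporting."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= tag missing or invalid: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: partial enforcement, move to p=reject once reports are clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={tags.get('pct')}: policy applied to only part of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are exempt from enforcement")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    return findings


def _spf_term_name(term: str) -> str:
    """Strip the qualifier and any ':domain' or '/cidr' suffix; keep '=' on modifiers."""
    t = term.lstrip("+-~?").lower()
    if "=" in t:
        return t.split("=", 1)[0] + "="
    return re.split(r"[:/]", t, maxsplit=1)[0]


def spf_lookup_count(record: str) -> int:
    """Lookup-causing terms in this record only; include: targets are not expanded."""
    return sum(1 for t in record.split()[1:] if _spf_term_name(t) in SPF_LOOKUP_TERMS)


def assess_spf(record: str) -> list[str]:
    """Return weaknesses in an SPF record; empty means a sane, enforcing record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (v=spf1 missing)"]
    findings = []
    all_terms = [t for t in terms[1:] if _spf_term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF")
        elif qualifier == "?":
            findings.append("?all: neutral, offers no protection")
        elif qualifier == "~":
            findings.append("~all: softfail; acceptable under DMARC, -all is stricter")
    if spf_lookup_count(record) > 10:
        findings.append("more than 10 lookup terms: SPF evaluates to permerror")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample records for a hypothetical example.com."""
    return {
        "dmarc_monitor": assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
        "dmarc_enforced": assess_dmarc("v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"),
        "spf_soft": assess_spf("v=spf1 include:spf.protection.outlook.com ~all"),
        "spf_open": assess_spf("v=spf1 include:spf.protection.outlook.com +all"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result or ["OK"])
```

The SPF lookup count is a lower bound: each include: target has its own record with its own lookups, and the 10-lookup limit applies to the total, so a record that passes here can still fail once the includes are expanded.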

Endpoint Protection (EDR / Antivirus)

Traditional antivirus is dead. You need endpoint detection and response (EDR) that watches for suspicious behavior, not just known malware signatures.

What to look for                              Example vendors
EDR / next-gen antivirus                      SentinelOne, CrowdStrike, Microsoft Defender for Business
Managed threat detection (MDR)                Huntress, Blackpoint Cyber, Expel

EDR Without Someone Watching the Alerts Is Security Theater

The tool will detect threats. The question is: who responds at 2 AM on a Saturday? A managed detection and response (MDR) layer means trained analysts are reviewing and acting on threats 24/7. Most businesses under 500 employees don’t have a dedicated security team — which makes MDR the piece that actually matters.

Identity & Access Management

Stolen credentials are behind the majority of breaches. Strong identity controls are non-negotiable.

What to look for                              Example vendors
Multi-factor authentication (MFA)             Microsoft Entra ID (built into M365), Duo, Okta
Single sign-on (SSO)                          Microsoft Entra ID, Okta, JumpCloud
Password management                           Keeper, 1Password Business, Bitwarden
Privileged access management                  CyberArk, Delinea, Microsoft PAM

There Is No Acceptable Reason to Skip MFA in 2026

Enforce it for email, VPN, cloud apps, and any admin access, with no exceptions for executives or "temporary" service accounts. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) at least for administrators: push notifications and SMS codes can be relayed by adversary-in-the-middle phishing kits or worn down by MFA fatigue. Use conditional access policies to block logins from risky locations or unmanaged devices; the only accounts excluded from those policies should be one or two break-glass accounts with long random passwords stored offline and every sign-in alerted on. Eliminate shared credentials entirely; every user gets their own account. Admin accounts should never be used for daily work: give each administrator a separate admin identity with no mailbox and no licenses for collaboration apps, and review its sign-ins.

Getting identity wrong is worse than ignoring it, because a false sense of security leads to complacency.

Identity Threat Detection & Response (ITDR)

MFA and conditional access are preventive controls. ITDR is the detection layer that watches for identity-based attacks already in progress: compromised accounts, privilege escalation, lateral movement through your directory, and token theft.

What to look for                              Example vendors
Identity threat detection and response        Petra Security, Huntress

A Newer Category Most SMBs Haven't Heard Of Yet

That’s exactly why it matters. Attackers increasingly target identity infrastructure directly, bypassing endpoint protections entirely. If someone compromises an admin account and starts modifying permissions or forwarding rules, ITDR is what catches it.
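The four rules from the two identity sections above can be written down as detections. The script below is an added example; it is not DP3's tooling, not an ITDR product, and not the real schema of Microsoft Entra or Google Workspace logs. The sign-in and audit events are constructed to resemble what a tenant's logs carry, the users, apps and domains (example.com, admin-jdoe, mail-relay.example.net) are hypothetical, and the detections are: a successful sign-in without MFA, an admin account signing into a daily-work app, an inbox rule forwarding to an external domain, and a privileged role being granted.

```python
"""Identity-control and ITDR checks over constructed sign-in and audit events.

Added example; not DP3's tooling and not the schema of any identity vendor
or of Microsoft Entra / Google Workspace logs. The events and names are
constructed. The detections implement the rules from the sections above:
successful sign-in without MFA, an admin account doing daily work, a new
external forwarding rule, and a privileged role being granted.
"""

ADMIN_ACCOUNTS = {"admin-jdoe@example.com"}           # dedicated admin identities
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator"}
INTERNAL_DOMAIN = "example.com"
DAILY_WORK_APPS = {"Outlook", "Teams", "SharePoint"}  # never from an admin account

SIGNINS = [  # constructed sample sign-in events
    {"ts": "2026-03-02T08:01:00", "user": "jdoe@example.com", "app": "Outlook", "mfa": True, "result": "success"},
    {"ts": "2026-03-02T08:05:00", "user": "bsmith@example.com", "app": "Teams", "mfa": False, "result": "success"},
    {"ts": "2026-03-02T09:12:00", "user": "admin-jdoe@example.com", "app": "Teams", "mfa": True, "result": "success"},
    {"ts": "2026-03-02T09:40:00", "user": "admin-jdoe@example.com", "app": "Azure Portal", "mfa": True, "result": "success"},
    {"ts": "2026-03-02T09:50:00", "user": "bsmith@example.com", "app": "Outlook", "mfa": False, "result": "failure"},
]

AUDIT = [  # constructed sample audit events; attackers pair forwarding with delete to hide replies
    {"ts": "2026-03-02T09:15:00", "actor": "bsmith@example.com", "op": "New-InboxRule",
     "params": {"ForwardTo": "archive@mail-relay.example.net", "DeleteMessage": True}},
    {"ts": "2026-03-02T09:41:00", "actor": "admin-jdoe@example.com", "op": "Add member to role",
     "params": {"Role": "Global Administrator", "Target": "svc-backup@example.com"}},
    {"ts": "2026-03-02T10:02:00", "actor": "jdoe@example.com", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Receipts"}},
]


def detect_signin_issues(events: list[dict]) -> list[dict]:
    """Preventive-control gaps visible in sign-in logs."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are a separate brute-force/spray detection
        if not e["mfa"]:
            findings.append({"ts": e["ts"], "rule": "success-without-mfa", "subject": e["user"]})
        if e["user"] in ADMIN_ACCOUNTS and e["app"] in DAILY_WORK_APPS:
            findings.append({"ts": e["ts"], "rule": "admin-account-daily-use", "subject": e["user"]})
    return findings


def detect_audit_issues(events: list[dict]) -> list[dict]:
    """Post-compromise actions visible in directory and mailbox audit logs."""
    findings = []
    for e in events:
        p = e["params"]
        if e["op"] == "New-InboxRule":
            target = p.get("ForwardTo") or p.get("ForwardAsAttachmentTo") or p.get("RedirectTo")
            if target and not target.lower().endswith("@" + INTERNAL_DOMAIN):
                findings.append({"ts": e["ts"], "rule": "external-forwarding-rule", "subject": e["actor"]})
        elif e["op"] == "Add member to role" and p.get("Role") in PRIVILEGED_ROLES:
            findings.append({"ts": e["ts"], "rule": "privileged-role-granted",
                             "subject": p.get("Target"), "actor": e["actor"]})
    return findings


def timeline(signins: list[dict], audit: list[dict]) -> list[dict]:
    """Merge findings in time order so an analyst sees one sequence, not four dashboards."""
    return sorted(detect_signin_issues(signins) + detect_audit_issues(audit), key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in timeline(SIGNINS, AUDIT):
        print(f["ts"], f["rule"], f["subject"])
```

Read in order, the constructed timeline tells the story an ITDR product is built to surface: a user signs in without MFA, four minutes later a forwarding rule appears on that mailbox, and shortly after an admin account that is also being used for Teams grants Global Administrator to a service account.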

Security Awareness Training

People are simultaneously your strongest defense and your softest target. Regular training closes that gap.

What to look for                              Example vendors
Phishing simulation and training              KnowBe4, Proofpoint Security Awareness, Huntress SAT
Policy acknowledgment tracking                KnowBe4, your HR platform

Short, Frequent Training Beats Annual Compliance Marathons

Run phishing simulations monthly. Track who clicks and provide targeted follow-up — not punishment. The goal is behavior change, not blame. Firms that commit to this see dramatic drops in click rates within 90 days.

DNS Filtering & Web Security

Block malicious websites before anyone on your team can accidentally visit them.

What to look for                              Example vendors
DNS-layer security                            Cisco Umbrella, DNSFilter, Cloudflare Gateway
Web content filtering                         Same vendors; most DNS security tools include content filtering

Highest Impact, Lowest Effort

This is the highest-impact, lowest-effort security layer most businesses are missing. It takes less than an hour to deploy, costs very little, and catches threats that email filters miss, especially drive-by downloads, malicious redirects, and the command-and-control lookups malware makes after it lands. If you implement one thing from this list today, make it this. One caveat: the control is only as strong as its enforcement. Install the vendor's roaming agent on laptops so the policy follows the device off the office network, and have the firewall block outbound DNS (port 53) and DNS-over-TLS (port 853) to anything other than the filtering resolvers; otherwise a user, or malware, can point at another resolver or use DNS-over-HTTPS and walk straight past it.

Dark Web Monitoring

Compromised credentials from your business end up for sale on dark web marketplaces. Monitoring lets you act before attackers use them.

What to look for                              Example vendors
Credential exposure monitoring                Huntress, SpyCloud, ID Agent

Speed is everything here. When a credential shows up on the dark web, force a password reset immediately, revoke the account's active sessions and refresh tokens so the reset actually evicts an attacker who is already signed in, and check the account for newly registered MFA methods and inbox rules. Discovering the exposure six months later during an audit is too late. Keep the limitation in mind as well: no alert is not evidence that a credential is safe, only that it has not been seen in the sources the service watches.

Vulnerability Management

Regular vulnerability scanning identifies weaknesses in your systems before attackers do.

What to look for                              Example vendors
Network and endpoint vulnerability scanning   Qualys, Tenable, Rapid7
External attack surface monitoring            Qualys, CrowdStrike Falcon Surface

A Scan Without Follow-Through Is Just a To-Do List You're Ignoring

Scan regularly (weekly for critical systems, and after every significant change), prioritize by actual exploitability rather than raw CVSS score, and track remediation to closure. Two free signals do most of the prioritization work: CISA's Known Exploited Vulnerabilities (KEV) catalog lists what is being exploited in the wild right now, and EPSS estimates how likely a given CVE is to be exploited in the next 30 days. A CVSS 7.5 flaw on an internet-facing VPN gateway that is on the KEV list outranks a CVSS 9.8 flaw on an internal print server that nobody is exploiting. The businesses that get breached aren't usually the ones that never scanned. They're the ones that scanned, saw the findings, and never acted.
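The ranking rule in the paragraph above, carried through in code. This is an added example, not DP3's or any scanner's scoring: each finding carries the signals you would join onto scanner output (KEV membership, EPSS probability, whether the asset is internet-facing, whether it is a critical asset), a hypothetical SLA tier is assigned from those signals, and the result is compared with a plain CVSS sort. The findings, hosts and the F-01 style identifiers are constructed placeholders; the 10% EPSS threshold and the day counts are assumptions to tune for your own environment.

```python
"""Remediation ranking that puts exploitability ahead of raw CVSS.

Added example, not DP3's or any scanner's scoring. Each finding carries the
signals a practitioner joins onto scanner output: CISA KEV membership, EPSS
probability, internet exposure and asset criticality. Findings, hosts and
identifiers are constructed placeholders; thresholds and SLAs are assumptions.
"""

FINDINGS = [  # constructed; ids and hosts are hypothetical
    {"id": "F-01", "host": "vpn-gw",   "cvss": 7.5, "kev": True,  "epss": 0.91, "exposed": True,  "critical_asset": True},
    {"id": "F-02", "host": "file-srv", "cvss": 9.8, "kev": False, "epss": 0.02, "exposed": False, "critical_asset": True},
    {"id": "F-03", "host": "kiosk-pc", "cvss": 9.1, "kev": False, "epss": 0.01, "exposed": False, "critical_asset": False},
    {"id": "F-04", "host": "web-01",   "cvss": 6.5, "kev": False, "epss": 0.45, "exposed": True,  "critical_asset": False},
    {"id": "F-05", "host": "print-01", "cvss": 5.3, "kev": False, "epss": 0.00, "exposed": False, "critical_asset": False},
]

EPSS_HIGH = 0.10  # assumed threshold: >10% 30-day exploit probability counts as "likely"


def sla_days(finding: dict) -> int:
    """Remediation deadline by exploitability tier (assumed SLAs, tune to taste)."""
    if finding["kev"]:
        return 3      # actively exploited in the wild: patch this week, exposed or not
    if finding["epss"] >= EPSS_HIGH and finding["exposed"]:
        return 7      # likely to be exploited and reachable from the internet
    if finding["epss"] >= EPSS_HIGH or (finding["exposed"] and finding["cvss"] >= 7.0):
        return 14
    if finding["cvss"] >= 7.0:
        return 30     # severe on paper, but internal and not being exploited
    return 90


def rank(findings: list[dict]) -> list[str]:
    """Order by deadline, then critical assets first, then EPSS, then CVSS as a tiebreak."""
    ordered = sorted(findings, key=lambda f: (sla_days(f), not f["critical_asset"], -f["epss"], -f["cvss"]))
    return [f["id"] for f in ordered]


def rank_by_cvss(findings: list[dict]) -> list[str]:
    """The naive ordering most scanner dashboards show by default."""
    return [f["id"] for f in sorted(findings, key=lambda f: -f["cvss"])]


if __name__ == "__main__":
    print("exploitability-first:", rank(FINDINGS))
    print("cvss-only:           ", rank_by_cvss(FINDINGS))
    for f in FINDINGS:
        print(f["id"], f["host"], f"CVSS {f['cvss']}", f"fix within {sla_days(f)} days")
```

The CVSS-only ordering would have the team patch the internal file server and a kiosk before the exploited VPN gateway; the exploitability-first ordering puts the gateway and the exposed web server at the top, where the attacker is actually going to look.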

SIEM (Security Information & Event Management)

A SIEM collects and correlates logs from across your environment: firewalls, endpoints, email, identity systems, cloud platforms. It gives you a single place to detect patterns, investigate incidents, and satisfy audit and compliance requirements.

What to look for                              Example vendors
Cloud SIEM / log management                   Microsoft Sentinel, Blumira, Huntress (integrated SIEM)
Managed SIEM                                  Arctic Wolf, Todyl, Expel

Do You Need a Standalone SIEM?

Most businesses under 200 employees don’t — but they do need centralized logging and correlation. Many MDR and security platform vendors now bundle SIEM-like capabilities into their offerings, which keeps cost and complexity down. The key question is whether you can reconstruct what happened during an incident after the fact. If the answer is “we’d have to check five different dashboards and hope the logs haven’t rolled over,” you have a gap.

The Non-Negotiables (Start Here)

If you’re starting from scratch or just want to know what to prioritize, this is the baseline every business should have in place:

  1. Business email and collaboration platform (Microsoft 365 Business Premium or Google Workspace)
  2. Multi-factor authentication on everything, no exceptions
  3. Endpoint detection and response (EDR) with managed 24/7 monitoring
  4. Automated patching for OS and third-party apps
  5. Email security beyond native filtering
  6. Backup with at least one immutable, offsite copy — tested quarterly
  7. Security awareness training with monthly phishing simulations
  8. Business-class firewall with network segmentation
  9. DNS filtering
  10. Password manager for the entire organization
Get these ten right and you’re ahead of the vast majority of businesses your size. Miss three or four and you’re one bad click away from a very expensive week.

A Note on Cyber Insurance

Most cyber insurance carriers now require specific controls before they'll underwrite a policy, and the application is a representation: if you attest that a control is in place and it isn't when an incident occurs, the carrier can deny the claim or rescind the policy. At minimum, expect carriers to require MFA (especially on email, remote access, and admin accounts), EDR, backup with offsite copies, email filtering, and security awareness training.

The checklist above maps directly to what carriers are looking for. If you can’t check every box, your premiums will reflect it. Some carriers won’t write the policy at all.

Where Do You Stand?

Most businesses we talk to are missing 3 to 5 of the controls on this list. Some know it. Most find out the hard way. The stakes are real: the same controls that stop commodity ransomware are the ones that blunt nation-state campaigns targeting U.S. organizations.

If you’re not sure where your gaps are, we’ll run a quick assessment and show you exactly what’s covered, what’s missing, and what to prioritize first. Learn more about our security services. No cost, no pressure, no sales pitch.

Or reach out directly at hello@dp3tech.com or 312-896-2450.

© 2026 DP3. All rights reserved. This article is provided for informational purposes and does not constitute legal advice or a binding recommendation. Verify all security guidance with your IT provider and legal counsel before implementation.