Toolkit
Audit Like a Pro: A DIY Cybersecurity Checklist for the SMBs Budget
Most formal cybersecurity audits cost thousands of dollars and result in a 100-page PDF that small business owners never read. However, for SMBs , you can conduct a highly effective self-assessment using free tools and a few hours of focused work. You don't…
By SecureBusinessHub Editorial, International cybersecurity desk — · 7 min read
1. The external perimeter check
Start with what the internet can see. Use a free service like Shodan or Censys to search for your company's IP addresses. Are there open ports, like RDP or database ports, that shouldn't be exposed? Most attackers start with exactly this kind of scan. If you find open ports that shouldn't be public, close them.
Think of it as checking your building at night to see which windows are unlocked.
Leveraging OSINT
OSINT means using publicly available information the same way an attacker would. Search for leaked credentials, company documents, or employee data already available on the dark web or public code repositories like GitHub. Have I Been Pwned offers domain-level searches for free. TheHarvester can show you what's publicly associated with your company. Understanding what an attacker already has before they act is useful.
2. The identity audit
Open your admin panels for Microsoft 365, Google Workspace, and your main SaaS tools. Look for zombie accounts belonging to former employees or contractors that were never deactivated. These are often unmonitored and make attractive targets.
3. Vulnerability scanning
Open-source tools like OpenVAS or Nmap let you scan your internal network for outdated systems. If you're running Windows 10 versions from 2022, those have known unpatched vulnerabilities that attackers actively exploit.
4. The culture test
Walk around your office (or hold a remote security drill). Can you spot passwords written on sticky notes? Would a random employee click a link in a mock phishing email? You can use free tools like Gophish to run this. Auditing your people reveals as much as auditing your servers.
5. Using compliance frameworks as a checklist
You don't need to pursue ISO 27001 or SOC2 certification to use their control lists. For most SMBs, the CIS Critical Security Controls v8 or the NIST Cybersecurity Framework give you a prioritized checklist. The first five CIS controls cover roughly 80% of practical defensive value.
6. Review your backups
A backup you've never tested is not a backup. Spend an hour trying to restore a single file from your most critical system. If it takes more than four hours to find and restore one file, your disaster recovery plan has a problem. Test before you need it.