ETNTech Managed IT Services
About Services Team Reviews Partners Blog Contact (423) 779-8196
Cybersecurity

The Small Business IT Checklist for 2026

May 11, 2026 etntech_admin 16 min read
← Back to Blog

If a ransomware attack hit your business tomorrow, would you know exactly what to do? Most small business owners in Chattanooga would say no, and that’s not because they don’t care about technology. It’s because nobody handed them a clear starting point. This checklist is that starting point. Work through it and you’ll know exactly where your business stands on the eight IT areas that matter most in 2026, and what to fix first.

Running a 15-person accounting firm in East Ridge or a 40-person logistics company in Ooltewah puts you in a strange spot with IT. You’re too big to wing it, but too small to have a full-time IT department. The result is a patchwork of decisions made years ago, some still sound, some quietly dangerous, with no one tracking the big picture.

That’s exactly what this checklist addresses. These eight areas are not abstract IT theory. They’re the specific gaps that put Chattanooga businesses at risk right now, based on what we see every week when we onboard new clients and run IT assessments.

> Key Takeaways
> – Unpatched endpoints remain the #1 ransomware entry point for small businesses, automated patch management closes this gap
> – Cloud backup with tested recovery procedures is the difference between a bad Tuesday and a business-ending event
> – Multi-factor authentication alone blocks over 99% of automated account compromise attacks
> – Email is still how most cyberattacks start; filtering and employee awareness training are not optional
> – Hardware older than five years creates compounding security and productivity risk that often costs more than replacement
> – A managed IT provider typically costs 40–60% less than hiring even one full-time IT employee

1. Endpoint Security and Patch Management

Your endpoints, laptops, desktops, servers, and the phones your employees use for work email, are where most attacks begin. The Verizon Data Breach Investigations Report consistently finds that exploiting known, unpatched vulnerabilities accounts for a large share of successful breaches. “Known” means there was already a fix available. The attacker just got there before anyone applied it.

For a small business, the challenge is not that patches don’t exist, it’s that applying them consistently across every device, without disrupting people’s work, requires a system. Doing it manually once a month doesn’t cut it. The window between a vendor releasing a patch and attackers actively exploiting the vulnerability it fixes has shrunk to days in some cases.

What good endpoint security looks like in 2026:

  • Automated patch management that pushes operating system and software updates without waiting for someone to remember. Tools like NinjaRMM or Microsoft Intune handle this across your whole fleet.
  • Endpoint detection and response (EDR) software, not just traditional antivirus. Products like SentinelOne or Microsoft Defender for Business watch for behavioral anomalies, not just known malware signatures.
  • Centralized visibility, someone (in-house or your IT provider) can see the patch status of every device from a single dashboard, not just the ones that happened to be turned on during maintenance windows.

    • If you’re running Windows 10 machines and haven’t mapped out a timeline for Windows 11 migration, that’s a conversation to have now. Microsoft ends Windows 10 support in October 2025, which means no more security patches for those devices after that date.

    2. Cloud Backup and Disaster Recovery

    Backup is the one area where small businesses most consistently believe they have coverage and are most frequently wrong. “We back up to an external drive” and “our software is in the cloud” are both statements that can leave you completely exposed.

    External drives fail. They also get stolen with the laptop, destroyed in the same fire that takes out the server, or encrypted right alongside your local files by ransomware that spreads across mapped network drives. An external drive that’s always plugged in is not an offsite backup.

    “Our software is in the cloud” means your vendor holds your data. It does not mean you have a copy. Most SaaS applications are clear in their terms of service that they are not your backup provider, they protect their infrastructure, not your account data.

    What a solid backup posture looks like:

  • The 3-2-1 rule: Three copies of your data, on two different types of media, with one copy stored offsite (or in a separate cloud environment). For most small businesses, this means a local NAS device plus a cloud backup service like Axcient or Datto.
  • Automated, daily backups with versioning so you can recover from last Tuesday’s copy, not just last night’s.
  • Tested recovery procedures, at minimum quarterly. If you’ve never successfully restored from your backup, you don’t know if it works. This is the step 95% of small businesses skip.
  • Documented recovery time objectives (RTOs): How long can your business run without access to files? Without email? Without your line-of-business software? Knowing the answer lets you design a backup solution that actually meets your needs.

    • Disaster recovery planning doesn’t need to be a 50-page document. It needs to be something your office manager can execute on a bad morning without calling three different vendors.

    3. Network Security: Firewalls and Wi-Fi Segmentation

    Your office network is the foundation everything else sits on, and a poorly configured network undoes a lot of other security investments. Two areas matter most for small businesses in 2026: having a proper business-grade firewall and segmenting your Wi-Fi.

    The firewall that came bundled with your internet service from EPB or Comcast is designed for homes, not businesses. Business-grade firewalls from vendors like Fortinet, Sophos, or Cisco Meraki inspect traffic at a level that consumer routers simply don’t, including encrypted traffic that would otherwise pass right through.

    Wi-Fi segmentation means running separate wireless networks for different types of devices and users. At minimum, you should have:

  • Employee network: For company computers and phones. This is your protected network, with access controls.
  • Guest network: Completely isolated from your business systems. Vendors, visitors, and personal devices belong here, not on the same network your financial data lives on.
  • IoT/device network: Smart TVs, printers, security cameras, HVAC controllers. These devices often have poor security and no patch cycles. Isolating them limits the damage if one is compromised.

    • If you have a point-of-sale system or handle credit card transactions, PCI DSS compliance technically requires network segmentation anyway. But even if you don’t, this is one of the highest-value changes a small business can make for relatively low cost.

    A network security assessment from a managed IT provider will map your current setup and identify gaps, this is often an eye-opening exercise for businesses that have never had one done.

    4. Password Management and Multi-Factor Authentication

    The math on passwords is not encouraging. People reuse them. They pick predictable patterns. They write them on sticky notes. And when a breach at some other service exposes their credentials, attackers try those same username-and-password combinations everywhere, a technique called credential stuffing.

    Multi-factor authentication (MFA) is the answer, and it’s not complicated. When MFA is enabled, logging into your email, your accounting software, or your Microsoft 365 account requires both your password and a second factor, typically a code from an authenticator app or a push notification to your phone. Microsoft’s own data shows MFA blocks over 99.9% of automated account compromise attacks.

    Every business account that matters should have MFA enabled. That includes:

  • Microsoft 365 / Google Workspace
  • Your banking and payment platforms
  • Your accounting software (QuickBooks, Xero, etc.)
  • Your line-of-business applications
  • Remote access tools like VPNs and Remote Desktop

    • Beyond MFA, a business password manager like 1Password or Bitwarden Teams eliminates the conditions that make bad passwords so common. Employees get strong, unique passwords generated for them and stored securely. When someone leaves, you can revoke their access from one place instead of trying to remember every account they touched.

    These two changes, MFA and a password manager, cost relatively little and close an enormous category of risk.

    5. Email Security: Stopping Phishing Before It Starts

    Most cyberattacks on small businesses still start with an email. A convincing message from what looks like a vendor, a bank, or even a coworker, asking the recipient to click a link or open an attachment. Business email compromise, where attackers impersonate executives to trick employees into wiring money or handing over credentials, cost U. S. businesses $2.9 billion in reported losses in 2023 alone, according to the FBI.

    Basic email security for a small business in 2026 includes:

  • SPF, DKIM, and DMARC records configured for your domain. These are technical email authentication standards that make it much harder for attackers to send emails that appear to come from your domain. If your IT provider or IT-savvy employee hasn’t verified these are set up correctly, that’s a quick win worth checking.
  • Spam and phishing filtering beyond what Microsoft 365 or Google provides out of the box. Solutions like Microsoft Defender for Office 365 Plan 1 or Proofpoint Essentials add an additional layer of inspection.
  • Employee phishing awareness training on a regular schedule, not a one-time onboarding checkbox. Short, monthly simulation exercises through platforms like KnowBe4 or Proofpoint Security Awareness measurably reduce click rates on phishing tests over time.

    • One practical note: phishing emails in 2026 look significantly better than they did five years ago, because AI tools help attackers write more convincing messages faster. The generic “dear valued customer” era is over. Train your staff to verify unexpected requests through a separate channel, a phone call, not a reply email, rather than trusting the message alone.

    6. Managed IT and Helpdesk: When to Stop DIY-ing Your Technology

    There’s a point in every small business’s growth where the person who “handles IT”, whether that’s the owner, the office manager, or the employee who happens to know computers, becomes a bottleneck. Every hour that person spends troubleshooting printers or resetting passwords is an hour they’re not doing their actual job.

    A managed IT provider handles the day-to-day: help desk tickets, device monitoring, patch management, security alerts, backup verification. More importantly, a good provider acts as a virtual IT director, advising on technology decisions before purchases are made, not cleaning up after bad ones.

    For businesses in Chattanooga and surrounding Hamilton County, the cost comparison is straightforward. A full-time IT employee in this market runs $55,000–$75,000 in salary alone, before benefits, training, and vacation coverage. A managed IT agreement for a 20-person company typically runs $2,000–$4,000 per month, and covers far more ground, including after-hours monitoring and vendor escalation paths no single employee can match.

    The right time to evaluate managed IT is before a crisis, not during one. If you’ve experienced a ransomware incident, a data loss event, or an extended outage in the last 18 months, that’s the clearest signal that the current approach isn’t working.

    7. Compliance Basics: What Small Businesses Actually Need to Know

    Compliance is one of those topics that causes eyes to glaze over immediately, so here’s the short version: for most small businesses, there are two compliance areas worth your attention.

    HIPAA applies to any business that handles protected health information. This means dental offices, medical practices, physical therapy clinics, and any business that bills insurance or stores patient records. HIPAA requires documented security policies, encryption, access controls, and breach response procedures. Violations carry real fines, and a data breach without proper controls in place turns a painful IT event into a legal one.

    General data privacy covers customer data. Tennessee’s Information Protection Act (TIPA), effective July 2025, gives Tennessee consumers rights over their personal data and puts obligations on businesses that collect it. If your business collects customer email addresses, payment information, or any personal data, and almost every business does, it’s worth reviewing what you collect, how you store it, and what your data retention and deletion policies look like.

    Neither of these requires a team of lawyers to address. A managed IT provider with compliance experience can handle the technical controls. A conversation with a business attorney handles the policy side. What it does require is that someone actually owns the responsibility.

    8. Hardware Lifecycle and Refresh Planning

    Old hardware creates risk in ways that don’t always show up as obvious failures. A five-year-old laptop running slowly costs your employees productivity every single day. A seven-year-old workstation that can’t run Windows 11 will be out of security patch support by the time you read this. A server that’s past its manufacturer’s warranty period is running without a safety net.

    A hardware lifecycle plan isn’t complicated. It’s a spreadsheet with every device, its purchase date, its expected replacement date (typically 4–5 years for workstations, 5–7 years for servers), and a rough replacement cost. That gives you a predictable annual budget line instead of emergency purchases that blow your budget when something fails.

    In 2026, an AI-ready hardware refresh means ensuring workstations meet the requirements for tools your employees are likely to use, Microsoft Copilot, for example, has specific hardware requirements including a dedicated NPU on Windows machines for local AI processing features.

    Buying hardware reactively, replacing things only when they break, is almost always more expensive than proactive lifecycle planning. An IT provider can help you build this plan and find ways to spread the cost (leasing options, hardware-as-a-service models) that smooth out the budget impact.

    Frequently Asked Questions

    How often should a small business review its IT checklist?
    Annually is the baseline, but the real answer is whenever something significant changes, you add employees, move offices, adopt a new software platform, or experience any kind of security incident. A managed IT provider will typically include a quarterly business review where these areas get checked.

    What’s the highest-priority fix for a small business that’s starting from scratch?
    MFA first, everywhere. It costs almost nothing, takes an afternoon to implement across Microsoft 365 or Google Workspace, and immediately eliminates the biggest category of account compromise. From there, verified cloud backup and endpoint protection are the next priorities.

    Does a small business with fewer than 20 employees really need all of this?
    Attackers don’t sort their target lists by headcount. Ransomware groups use automated tools that find vulnerable systems regardless of company size. In fact, small businesses are often targeted specifically because they’re perceived as having fewer defenses. The controls in this checklist are sized and priced for small businesses, they’re not enterprise tools with enterprise price tags.

    How do I know if my current IT provider is doing a good job?
    You should be able to get a clear answer to: What is our current patch status across all devices? When was the last time we tested our backup recovery? Do we have MFA enabled on all business accounts? If your current provider can’t answer those questions quickly, that’s worth paying attention to.

    What does a managed IT assessment from ETTC involve?
    We review your network, endpoints, backup setup, email security configuration, and current software. We document what we find, prioritize the gaps by risk, and give you a clear picture of where you stand, with no obligation to sign a contract afterward.

    What to Do Next

    If you went through this checklist and found more gaps than you expected, that’s normal, and it’s fixable. The businesses that get hit hardest by ransomware or data loss are the ones that didn’t know what they didn’t know. Now you do.

    ETTC works with small and mid-size businesses throughout Chattanooga, East Ridge, Ooltewah, and Cleveland to build IT environments that are secure, reliable, and right-sized for companies that don’t have, or need, a full in-house IT team. We handle everything on this checklist so your people can focus on the work they were actually hired to do.

    Call us at (423) 779-8196 or schedule a free consultation to get a no-pressure IT assessment for your business. We’ll tell you exactly where you stand.

    East Tennessee Technical Consultants
    📞 (423) 779-8196 | ✉️ Helpdesk@etntech.com | etntech.com