Cybersecurity Checklist for Ohio SMBs: 20 Controls Every Business Needs in 2026

This checklist covers the 20 cybersecurity controls that matter most for Ohio small and mid-size businesses in 2026. These are the controls that prevent the most common attacks, satisfy cyber insurance requirements, qualify for Ohio Safe Harbor protection, and form the foundation of NIST CSF 2.0 and CIS Controls compliance. Use this as a starting point for your own program assessment.

Quick Answer

The essential cybersecurity controls for Ohio SMBs in 2026 are: MFA enforcement on all accounts, tested and verified backups, endpoint protection with EDR, email security with BEC detection, patch management, a documented and tested incident response plan, employee security awareness training, network segmentation, privileged access management, and a written cybersecurity policy aligned to NIST CSF 2.0 or CIS Controls for Ohio Safe Harbor eligibility.

Identity and Access Controls

☑ Multi-Factor Authentication (MFA) enforced on all accounts
MFA must be enforced — not just enabled. Enforcement means no account can authenticate without MFA, regardless of location or device. Exemptions create the gaps attackers exploit. Required by virtually all cyber insurance carriers.

☑ Privileged Access Management (PAM)
Administrator accounts should be separate from daily-use accounts. No one should browse the web or read email with domain administrator credentials. Privileged access should be time-limited and logged.

☑ Password manager deployed across all staff
Eliminate password reuse by providing and requiring a business password manager. Set a minimum password length of 16 characters for all accounts. Audit for compromised credentials via dark web monitoring.

☑ Offboarding process documented and tested
Former employee accounts are one of the most common breach vectors. Your offboarding process must include: immediate account disablement, MFA device removal, access revocation from all SaaS applications, and password rotation for shared accounts the employee had access to.

Endpoint and Network Protection

☑ Zero Trust Application Control or EDR on all endpoints
Antivirus alone is insufficient. Zero Trust Application Control (default-deny) is the strongest protection. EDR (Endpoint Detection and Response) is the minimum acceptable endpoint security for organizations with cyber insurance requirements.

☑ Patch management — OS and third-party applications
Critical patches must be applied within 30 days and zero-day patches within 7 days. Patch status should be monitored and reported monthly. Third-party applications (browsers, Adobe, Java, Zoom, etc.) are as important as Windows patches.
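A way to turn the two patch windows above into the monthly status report the checklist asks for, as an added example (not any vendor's patch tooling). The inventory is constructed sample data; real input would be an export from your RMM or patch-management platform.

```python
"""Patch-SLA report for the checklist's windows: 30 days for critical patches,
7 days for zero-day patches, summarised monthly. Added example; the inventory
below is constructed sample data, not a real environment."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = {"zero-day": 7, "critical": 30}   # windows stated in the checklist
REPORT_DATE = date(2026, 2, 10)              # "today" for the constructed sample

@dataclass(frozen=True)
class PendingPatch:
    host: str
    product: str      # OS or third-party app (browser, Adobe, Java, Zoom ...)
    severity: str     # "zero-day", "critical" or "other"
    released: date    # date the vendor released the fix

def deadline(p: PendingPatch) -> Optional[date]:
    """SLA deadline for a patch, or None where the checklist sets no window."""
    days = SLA_DAYS.get(p.severity)
    return None if days is None else p.released + timedelta(days=days)

def overdue(pending, today):
    """(patch, days_overdue) for every patch past its deadline, worst first."""
    late = [(p, (today - deadline(p)).days)
            for p in pending if deadline(p) is not None and today > deadline(p)]
    return sorted(late, key=lambda item: item[1], reverse=True)

def monthly_summary(pending, today):
    """Counts for the monthly patch-status report, overall and per severity."""
    late = {p for p, _ in overdue(pending, today)}
    summary = {"total": len(pending), "overdue": len(late), "within_sla": 0, "by_severity": {}}
    for p in pending:
        sev = summary["by_severity"].setdefault(p.severity, {"pending": 0, "overdue": 0})
        sev["pending"] += 1
        if p in late:
            sev["overdue"] += 1
        elif deadline(p) is not None:
            summary["within_sla"] += 1
    return summary

# Constructed inventory; host names and products are placeholders.
SAMPLE = [
    PendingPatch("FS01", "Windows Server", "critical", date(2026, 1, 5)),
    PendingPatch("WS-014", "Chrome", "zero-day", date(2026, 1, 26)),
    PendingPatch("WS-022", "Adobe Reader", "critical", date(2026, 1, 25)),
    PendingPatch("WS-022", "Zoom", "other", date(2025, 12, 1)),
]
```

Running `overdue(SAMPLE, REPORT_DATE)` lists the Chrome zero-day (8 days late) ahead of the server patch (6 days late); `monthly_summary` gives the counts for the monthly report.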

☑ DNS filtering deployed
DNS filtering blocks access to malicious domains at the network layer before a browser or application can connect. It is simple, effective, and low-cost. It should block known malware command-and-control domains, phishing sites, and content categories inappropriate for business use.

☑ Network segmentation — guest Wi-Fi isolated
Guest Wi-Fi and IoT devices must be on a separate network segment from business systems. A visitor or compromised IoT device should not have network-layer access to your file servers or business applications.

Data Protection and Recovery

☑ Backups following the 3-2-1 rule
3 copies of data, on 2 different media types, with 1 copy offsite (cloud or physical). Backup jobs must be monitored daily. Failures must trigger an alert and be remediated within 24 hours.

☑ Backup restoration tested quarterly
Untested backups have a 30-50% failure rate when needed. Full restoration tests should be conducted quarterly. Document the recovery time and compare to your RTO target. Insurance carriers increasingly require proof of tested backups.
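The two backup items above (3-2-1 with daily job monitoring, and the quarterly restore test compared to an RTO target) expressed as a posture check, added here as an example rather than any vendor's backup tooling. The backup records, check time and RTO value are constructed assumptions.

```python
"""Backup-posture check: the 3-2-1 rule, the 24-hour job-failure window, and the
quarterly restore test measured against an RTO. Added example; the records
below are constructed sample data, not a real environment."""
from dataclasses import dataclass
from datetime import datetime, timedelta

NOW = datetime(2026, 3, 1, 8, 0)      # check time for the constructed sample
RTO_HOURS = 4.0                       # assumed recovery-time objective for the sample

@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str              # e.g. "nas", "cloud", "tape"
    offsite: bool
    last_success: datetime  # last job that completed without error

@dataclass(frozen=True)
class RestoreTest:
    run_on: datetime
    recovery_hours: float   # measured time to a working restore

def check_321(copies):
    """3 copies, on 2 media types, with 1 offsite; each rule reported separately."""
    return {"three_copies": len(copies) >= 3,
            "two_media": len({c.media for c in copies}) >= 2,
            "one_offsite": any(c.offsite for c in copies)}

def stale_copies(copies, now, max_age=timedelta(hours=24)):
    """Names of copies whose last successful job is outside the 24-hour window."""
    return [c.name for c in copies if now - c.last_success > max_age]

def restore_status(tests, now, rto_hours):
    """Most recent restore test: run within the last quarter (90 days) and under RTO?"""
    if not tests:
        return {"tested_this_quarter": False, "meets_rto": False, "last_recovery_hours": None}
    latest = max(tests, key=lambda t: t.run_on)
    return {"tested_this_quarter": now - latest.run_on <= timedelta(days=90),
            "meets_rto": latest.recovery_hours <= rto_hours,
            "last_recovery_hours": latest.recovery_hours}

# Constructed records. The cloud job has not succeeded for two days, and the
# last restore test is both older than a quarter and slower than the RTO.
COPIES = [
    BackupCopy("nas-nightly", "nas", False, datetime(2026, 3, 1, 2, 0)),
    BackupCopy("cloud-nightly", "cloud", True, datetime(2026, 2, 27, 2, 0)),
    BackupCopy("tape-offsite", "tape", True, datetime(2026, 2, 28, 23, 0)),
]
TESTS = [RestoreTest(datetime(2025, 11, 20, 9, 0), 6.5)]
```

With the sample data, `check_321(COPIES)` passes all three rules, `stale_copies(COPIES, NOW)` flags the cloud job, and `restore_status(TESTS, NOW, RTO_HOURS)` reports a missed quarterly test that also exceeded the RTO.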

☑ Microsoft 365 or Google Workspace backed up separately
Microsoft and Google do not guarantee long-term data retention. Deleted items, ransomware-encrypted files, and accidental deletions beyond the native retention window require a separate backup solution.

☑ Sensitive data inventory documented
You cannot protect what you have not identified. Document where personal information (PII, PHI, financial data) is stored, who has access, and what controls protect it. Required for HIPAA, GLBA, and Ohio Safe Harbor.

Compliance and Policy Controls

☑ Written cybersecurity policy aligned to NIST CSF 2.0 or CIS Controls
A written, implemented policy is required for Ohio Safe Harbor. The policy must address: acceptable use, data classification, access control, incident response, vendor management, and employee responsibilities. Policies must be reviewed annually.

☑ Documented and tested incident response plan (IRP)
Required for cyber insurance, HIPAA, CMMC, and Ohio Safe Harbor. Must include: roles and responsibilities, notification procedures (including the 45-day Ohio breach notification requirement), evidence preservation steps, and escalation paths. Must be tested annually via tabletop exercise.

☑ Security awareness training — all staff, annually
Annual security awareness training with phishing simulation is required by most cyber insurance carriers and compliance frameworks. Training should cover: phishing recognition, password security, social engineering, BEC, and your specific incident reporting procedures.

☑ Vendor and third-party risk assessment
Require security questionnaires from vendors who access your data or systems. Review their SOC 2 reports, certifications, or security policies annually. Critical vendors should have Business Associate Agreements (BAAs) in place if they handle PHI.

Frequently Asked Questions

Ohio Safe Harbor requires a written cybersecurity program that reasonably conforms to a recognized framework. NIST CSF 2.0 and CIS Controls are both qualifying frameworks. Implementing the 20 controls above — with documentation — provides strong Safe Harbor eligibility. Securafy's Comply-CARE builds and maintains this documentation as a core deliverable.

Cyber insurance carriers vary, but the most commonly required controls are: MFA (universal), EDR or better (increasingly universal), tested backups (required by most carriers), email security (required by many carriers), IRP (required by most carriers), and security awareness training (required by most carriers). Securafy's Secure-CARE tier satisfies all of these requirements.

Many of the policy and procedure controls (IRP, security policy, data inventory) can be implemented internally with guidance. Technical controls (EDR, ZTA, patch management, DNS filtering) are more effectively implemented and maintained through a managed service. Securafy's Essential-CARE tier covers technical controls; Comply-CARE adds policy and compliance documentation.

Conduct a full review of all 20 controls annually, at minimum. High-risk controls (MFA, backups, patch status) should be verified monthly. Trigger an out-of-cycle review after any security incident, significant infrastructure change, or new compliance obligation.

Get Your Custom Cybersecurity Assessment

Securafy will assess your current coverage against this checklist, identify your top three gaps, and build a remediation roadmap — in a free 30-minute conversation.