
The SMB Cybersecurity Checklist: 47 Controls Every Ohio Business Needs

Most Ohio SMBs treat cybersecurity as an IT problem. It's a business problem with legal, financial, and operational consequences. One ransomware event shuts down a 50-person company for two weeks. A misconfigured backup erases a decade of records. A missing MFA setting drains an operating account through wire fraud.

This checklist gives you 47 cybersecurity controls for a business with 10 to 500 employees. Each maps to the Center for Internet Security's CIS Controls Version 8.1 — a framework named in Ohio's Data Protection Act (Ohio Revised Code Chapter 1354) as qualifying for safe harbor against tort liability after a breach.

Why 47 Controls and Why CIS v8.1

The CIS Controls Version 8.1, published in June 2024, contains 18 controls and 153 safeguards. The full set is built for large enterprises. Most Ohio SMBs don't need all 153.

CIS organizes safeguards into three Implementation Groups. IG1 is the SMB starting point — 56 safeguards for organizations with limited IT expertise. IG2 adds 74 more for companies with dedicated IT staff. IG3 covers the rest, aimed at large enterprises facing advanced persistent threats.

The 47 controls below are a curated subset. They cover everything in IG1 that moves the risk needle, plus selected IG2 and IG3 items that matter for regulated industries — healthcare, financial services, manufacturing, professional services.

Why CIS over NIST CSF 2.0? Specificity. NIST CSF 2.0 describes what a program should look like. CIS Controls tell you what to configure, measure, and verify. For a CEO holding a vendor accountable, you need the second kind.

CIS reports that full implementation of the safeguards defends against roughly 86 percent of the attack techniques in the MITRE ATT&CK framework (Secureframe).

How to Read This Checklist

Every control includes three things:

  • What it is — a one-sentence description
  • Why it matters — the business consequence of skipping it
  • How to verify — what to ask your IT team to prove it's in place

Controls are grouped into three priority tiers.

Foundational (1 to 20) are non-negotiables. Without these, you fail any reasonable interpretation of "reasonable security" under Ohio SB 220, and your cyber insurance carrier will likely deny a claim.

Intermediate (21 to 35) cover detection, segmentation, and vendor risk. They limit damage when something gets through.

Advanced (36 to 47) suit businesses with sensitive data, regulatory exposure, or enterprise customer contracts. They separate a mature program from a checkbox exercise.

For verification, you want documented evidence — a config screenshot, policy document, log export, test report. Verbal vendor confirmation is not evidence.

Foundational Controls (1 to 20)

These map to CIS Controls 1 through 11 — minimum cybersecurity hygiene for any Ohio business today.

1. Hardware Asset Inventory
Maintain a current list of every device on your network — laptops, desktops, servers, phones, printers, IoT.
Why it matters: You can't protect what you don't know exists. Unknown devices are a top ransomware entry point.
How to verify: Ask for an asset inventory dated within the last 30 days.

2. Software Asset Inventory
Track every application across your environment, including SaaS subscriptions.
Why it matters: Unauthorized software introduces unpatched vulnerabilities and licensing risk.
How to verify: Request a software inventory with version numbers and an exception list.

3. Multi-Factor Authentication for Email
Every email account requires MFA — text codes, authenticator apps, or hardware keys.
Why it matters: The FBI's IC3 reported $16.6 billion in cybercrime losses in 2024, with business email compromise a top category (2024 IC3 Annual Report). Email MFA blocks most of these attacks.
How to verify: Pull an MFA enrollment report from Microsoft 365 or Google Workspace.

4. MFA for Remote Access
VPN, remote desktop, and any external login requires MFA.
Why it matters: Stolen passwords are the most common attack vector. MFA neutralizes them.
How to verify: Try to log in remotely without MFA and confirm the attempt fails.

5. MFA for Admin Accounts
Every IT administrator and privileged account uses MFA, ideally a hardware key.
Why it matters: One compromised admin account ends the business. Hardware keys are harder to phish than SMS.
How to verify: Audit the admin user list and confirm MFA method per account.

6. Strong Password Policy
Minimum 14 characters, no forced expiration unless compromise is suspected, screened against breached passwords.
Why it matters: NIST SP 800-63B deprecated the 90-day rotation rule. Long passphrases beat short complex ones.
How to verify: Review the password policy in your IdP.

7. Unique Credentials Per User
No shared logins. Each employee has their own account.
Why it matters: Shared accounts destroy accountability and make offboarding impossible.
How to verify: Pull a user list and check for accounts labeled "office," "frontdesk," or similar.

8. Disable Dormant Accounts Within 45 Days
Inactive accounts are automatically disabled.
Why it matters: Former employees and contractors with active accounts are a top breach vector.
How to verify: Request a list of accounts inactive for more than 45 days and confirm their status.

9. Endpoint Detection and Response (EDR)
Every laptop, desktop, and server runs a modern EDR agent — not traditional antivirus.
Why it matters: Signature antivirus misses modern ransomware. EDR detects behavior.
How to verify: Confirm the product (CrowdStrike, SentinelOne, Defender for Endpoint) and check coverage across all endpoints.

10. Patching for Operating Systems
Windows, macOS, and Linux receive security patches within 14 days of release.
Why it matters: Most ransomware exploits known vulnerabilities with patches available for months.
How to verify: Request a patch compliance report showing percentage current on critical updates.

11. Patching for Applications
Browsers, Office, PDF readers, and other apps patch on the same cadence.
Why it matters: Application vulnerabilities are exploited more often than OS ones.
How to verify: Ask which third-party patching tool is used and request a coverage report.

12. Automated Backups for Critical Data
File shares, email, databases, and SaaS data back up at least daily.
Why it matters: Backups are your only real ransomware insurance.
How to verify: Confirm backup software, retention, and last successful backup date per system.

13. Offline or Immutable Backup Copies
At least one backup copy is offline, air-gapped, or in immutable cloud storage ransomware can't touch.
Why it matters: Modern ransomware hunts and destroys connected backups before encrypting production.
How to verify: Ask about immutability settings and offline copy locations.

14. Quarterly Backup Restore Tests
Backups are tested by restoring real files four times a year.
Why it matters: Untested backups fail at the worst moment. The IBM Cost of a Data Breach Report 2025 puts the global average breach cost at $4.44 million, with recovery time a key driver (IBM 2025).
How to verify: Request restore test logs from the last 12 months.

15. Email Filtering and Anti-Phishing
Inbound email is filtered for spam, malware, and phishing before reaching inboxes.
Why it matters: Email is the entry point for most ransomware and BEC attacks.
How to verify: Identify the product and review monthly threat reports.

16. DNS Filtering
A DNS-layer tool blocks connections to known malicious domains.
Why it matters: Even when a user clicks a phishing link, DNS filtering can stop the attack before it loads.
How to verify: Test a known phishing-test domain from a company device.

17. Web Browser Hardening
Corporate browsers run with security extensions, restricted plugin installs, and malicious-site blocking.
Why it matters: Drive-by downloads and malicious extensions are growing attack categories.
How to verify: Review the browser policy in Microsoft Intune, Google Admin, or similar.

18. Security Awareness Training
Every employee completes phishing training annually, with quarterly simulated tests.
Why it matters: Humans are the most reliable defense and the most reliable failure point.
How to verify: Request training completion rates and latest simulation results.

19. Centralized Logging
Logs from servers, firewalls, email, and IdPs feed a central location with at least 90 days of retention.
Why it matters: Without logs, you can't investigate a breach or prove what was accessed.
How to verify: Ask where logs live, retention period, and who reviews them.

20. Documented Incident Response Plan
A written plan tells specific people what to do in the first 24 hours of a suspected breach.
Why it matters: First-day decisions determine total cost. Improvised responses are expensive.
How to verify: Read it. If it doesn't name people, phone numbers, and decision authorities, it's not a real plan.
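The checklist insists on documented evidence rather than verbal confirmation. As an added example (not Securafy's tooling or code from this guide), the Python script below turns an identity-provider user export into the evidence controls 3, 7 and 8 ask for: the MFA enrollment figure, account names that look like shared logins, and enabled accounts inactive for more than 45 days. The CSV columns and the sample rows are constructed assumptions, not the real Microsoft 365 or Google Workspace report layout.

```python
import csv
import io
from datetime import date, timedelta

DORMANT_DAYS = 45  # control 8 threshold from the checklist
SHARED_NAME_HINTS = ("office", "frontdesk", "reception", "shared")  # control 7
AS_OF = date(2025, 10, 1)  # constructed audit date for the sample below

# Constructed sample export; the column layout is an assumption, not a real IdP format.
SAMPLE_EXPORT = """upn,display_name,enabled,mfa_registered,last_sign_in
alice@example.com,Alice Adams,true,true,2025-09-28
bob@example.com,Bob Baker,true,false,2025-09-30
frontdesk@example.com,Front Desk,true,true,2025-09-29
carol@example.com,Carol Chen,true,true,2025-06-01
dave@example.com,Dave Diaz,true,true,
eve@example.com,Eve Evans,false,false,2025-01-15
"""

def parse_export(text):
    """Parse the CSV into account dicts; last_sign_in is None if the account never signed in."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_sign_in"].strip()
        accounts.append({
            "upn": row["upn"].strip().lower(),
            "display_name": row["display_name"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "mfa_registered": row["mfa_registered"].strip().lower() == "true",
            "last_sign_in": date.fromisoformat(raw) if raw else None,
        })
    return accounts

def mfa_gaps(accounts):
    """Control 3: enabled accounts with no MFA method registered."""
    return sorted(a["upn"] for a in accounts if a["enabled"] and not a["mfa_registered"])

def mfa_enrollment_pct(accounts):
    """Quick-start item 1 asks for 100 percent; report the actual figure for enabled accounts."""
    active = [a for a in accounts if a["enabled"]]
    return round(100.0 * sum(a["mfa_registered"] for a in active) / max(len(active), 1), 1)

def shared_accounts(accounts):
    """Control 7: account names that look like a shared login rather than a person."""
    hits = []
    for a in accounts:
        haystack = (a["upn"].split("@", 1)[0] + " " + a["display_name"]).lower()
        if any(hint in haystack for hint in SHARED_NAME_HINTS):
            hits.append(a["upn"])
    return sorted(hits)

def dormant_accounts(accounts, as_of):
    """Control 8: enabled accounts unused for more than DORMANT_DAYS (disabled ones already comply)."""
    cutoff = as_of - timedelta(days=DORMANT_DAYS)
    return sorted(a["upn"] for a in accounts
                  if a["enabled"] and (a["last_sign_in"] is None or a["last_sign_in"] < cutoff))

def audit(text, as_of):
    """Build the evidence record a reviewer would file for controls 3, 7 and 8."""
    accounts = parse_export(text)
    return {
        "as_of": as_of.isoformat(),
        "mfa_enrollment_pct": mfa_enrollment_pct(accounts),
        "accounts_without_mfa": mfa_gaps(accounts),
        "shared_looking_accounts": shared_accounts(accounts),
        "dormant_enabled_accounts": dormant_accounts(accounts, as_of),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT, AS_OF).items():
        print(f"{key}: {value}")
```

Run against a real export, the output is the dated artifact to keep alongside the checklist; a never-used account is reported as dormant on purpose, since it has no sign-in to age against.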

Intermediate Controls (21 to 35)

These map to CIS Controls 12 through 15 and selected IG2 safeguards — the detection and containment layer.

21. Network Segmentation
Servers, finance, and HR sit on separate segments from general user devices and guest Wi-Fi.
Why it matters: Segmentation limits how far an attacker moves after compromising one device.
How to verify: Request a network diagram showing VLANs and inter-VLAN firewall rules.

22. Firewall with Intrusion Prevention
A next-gen firewall inspects traffic for known attack signatures and blocks them.
Why it matters: A firewall that only blocks ports is a 1990s firewall.
How to verify: Confirm make, model, and active IPS subscriptions.

23. Guest Wi-Fi Isolation
Guest wireless is fully isolated from corporate networks.
Why it matters: A compromised visitor laptop should not reach your file server.
How to verify: Connect to guest Wi-Fi and try to access an internal resource.

24. Vulnerability Scanning
Automated scans run monthly internally and weekly against internet-facing assets.
Why it matters: You can't patch what you don't know is vulnerable.
How to verify: Review the last three scan reports.

25. Remediation Tracking
Vulnerabilities are assigned, tracked, and closed within defined timelines by severity.
Why it matters: A scan report no one acts on is worse than none — it creates legal liability.
How to verify: Ask for the remediation queue and time-to-close metrics.

26. SIEM or Managed Detection and Response (MDR)
A SIEM platform or MDR service correlates logs and alerts on suspicious behavior 24/7.
Why it matters: Attackers don't keep business hours. The 2025 Verizon DBIR shows most breaches stay undetected for weeks (2025 DBIR).
How to verify: Identify the vendor and review a recent alert-handling report.

27. Privileged Access Management (PAM)
Admin credentials sit in a vault, checked out only when needed, rotated after use.
Why it matters: Standing admin access is the top privilege escalation path for attackers.
How to verify: Identify the PAM product and review vaulted accounts.

28. Conditional Access Policies
Logins are restricted by location, device compliance, and risk score — blocking sign-ins from countries you don't do business in.
Why it matters: Most account compromise attempts originate far from your actual users.
How to verify: Review conditional access policies in Microsoft Entra ID or your IdP.

29. Data Loss Prevention (DLP) for Email
Outbound email is scanned for sensitive data — SSNs, credit cards, PHI.
Why it matters: Most data loss is accidental — an employee emailing the wrong file to the wrong person.
How to verify: Test with a dummy SSN sent externally and confirm it's blocked or flagged.

30. Mobile Device Management (MDM)
Corporate data on phones and tablets sits in an MDM platform that enforces encryption, screen lock, and remote wipe.
Why it matters: A lost phone with unmanaged email access is a breach.
How to verify: Confirm enrollment numbers and test remote wipe on a sample device.

31. Encrypted Hard Drives
Every laptop and desktop uses full-disk encryption (BitLocker, FileVault).
Why it matters: A stolen unencrypted laptop is a reportable breach. An encrypted one usually isn't.
How to verify: Pull an encryption compliance report from your endpoint tool.

32. Vendor Risk Assessment
Vendors with access to your data are evaluated for security posture before contracting and annually after.
Why it matters: Many of the largest breaches in the past five years started at a vendor.
How to verify: Review security questionnaire responses from your top five vendors.

33. Security Requirements in Vendor Contracts
Tech vendor contracts include security obligations, breach notification timelines, and audit rights.
Why it matters: Without contractual obligations, vendors aren't required to tell you when they're breached.
How to verify: Read the relevant clauses in your MSP, payroll, and CRM contracts.

34. Secure Configuration Baselines
Servers, workstations, and network devices deploy from hardened baselines based on CIS Benchmarks or equivalent.
Why it matters: Default configurations prioritize convenience over security.
How to verify: Ask which CIS Benchmark version applies and review compliance scoring.

35. Quarterly User Access Reviews
Managers recertify their team's access to applications and data every 90 days.
Why it matters: Access creep — permissions accumulated as employees change roles — is a quiet but serious risk.
How to verify: Review the last quarterly access certification report.

Advanced Controls (36 to 47)

These map to CIS Controls 16 through 18 and IG3-level safeguards. They suit regulated industries, businesses handling significant sensitive data, or those with security obligations to enterprise clients.

36. Penetration Testing
An external firm runs annual pen tests against your network and any custom applications.
Why it matters: Scans find known issues. Pen tests find the chains of weaknesses a real attacker would exploit.
How to verify: Review the latest report and remediation status of findings.

37. Tabletop Exercises
Leadership runs at least one incident response tabletop exercise yearly, walking through a realistic breach scenario.
Why it matters: CEO, CFO, legal counsel, and IT leader need to know how each other will react before a real event.
How to verify: Read the after-action report from the last exercise.

38. Incident Response Retainer
A contract with an outside IR firm guarantees expert help within 4 hours.
Why it matters: Finding a forensic firm during a live ransomware event takes days you don't have.
How to verify: Locate the signed retainer and confirm the SLA.

39. Threat Hunting
A security team or service actively searches your environment for signs of compromise that automated tools miss.
Why it matters: Sophisticated attackers blend into normal traffic and evade automated detection.
How to verify: Request a recent threat hunt report describing scope and findings.

40. Application Whitelisting
Critical servers run only pre-approved applications. Everything else is blocked.
Why it matters: Whitelisting is one of the few controls that defeats ransomware regardless of variant.
How to verify: Identify the product and try to run an unapproved executable.

41. Privileged Workstations for Admins
IT administrators use dedicated, hardened workstations for admin tasks, separate from email and browsing.
Why it matters: If your admin reads email and runs the domain controller from one laptop, one phishing click ends the company.
How to verify: Walk through the admin's workflow and confirm the separation.

42. Data Classification
Sensitive data is identified, labeled, and tracked through its lifecycle.
Why it matters: You can't apply different protection levels if you don't know what's sensitive.
How to verify: Review the classification policy and labeled document samples.

43. Encryption of Data at Rest
Customer databases, financial systems, and HR systems encrypt data on disk with managed keys.
Why it matters: Application breaches often expose database contents. Encryption renders stolen data unusable.
How to verify: Confirm encryption status with the DBA and review key management.

44. Encryption of Data in Transit
All internal and external communications use TLS 1.2 or higher.
Why it matters: Unencrypted internal traffic gets harvested by attackers once they're inside the network.
How to verify: Run a TLS scan against internal applications.

45. Cyber Insurance Aligned to Controls
Your cyber policy is reviewed annually and your control posture matches what was attested on the application.
Why it matters: Carriers deny claims when attested controls weren't actually in place.
How to verify: Compare the most recent application to your actual environment.

46. Board or Executive Reporting
The CEO, board, or ownership group receives a quarterly cybersecurity status report.
Why it matters: Cybersecurity involves risk tradeoffs only leadership can make.
How to verify: Review the last quarterly report.

47. Annual Written Program Review
The entire program — policies, controls, vendors, incidents — is reviewed and updated in writing yearly.
Why it matters: This is the explicit requirement for Ohio Safe Harbor under ORC 1354.02. Without it, the affirmative defense is unavailable.
How to verify: Locate the dated annual review signed by leadership.

Mapping to Ohio Safe Harbor (SB 220)

Ohio Senate Bill 220, codified as Ohio Revised Code Chapter 1354, gives Ohio businesses something few states offer — a legal safe harbor against tort claims arising from a data breach.

Here's what it does. If a customer sues you after a breach, claiming you failed to use reasonable security, you can raise an affirmative defense. It applies if you maintained a written cybersecurity program that "reasonably conforms" to a framework listed in the statute.

Qualifying frameworks under ORC 1354.03 include the NIST Cybersecurity Framework, NIST SP 800-171 and 800-53, FedRAMP, CIS Critical Security Controls, ISO/IEC 27000-series, HIPAA Security Rule, Gramm-Leach-Bliley, FISMA, and PCI DSS (paired with another framework).

Implementing the 47 controls in this checklist and documenting them in a written program puts you in a defensible position.

Three things to understand.

First, this is an affirmative defense, not absolute immunity (IAPP analysis). You still have to prove your program existed and conformed at the time of the breach.

Second, the defense applies only to tort claims under Ohio law in Ohio courts. It does not cover contract claims, statutory claims, federal regulatory actions, or cases in other states.

Third, the law recognizes program scale should match business scale. A 25-person manufacturer isn't expected to match a 10,000-person hospital. "Reasonably conforms" means proportional to your size, data sensitivity, and resources.

For an Ohio SMB the implication is simple. Get the foundational 20 controls in place. Document everything. Review annually. You have a credible safe harbor claim if a breach happens.

How to Use This Checklist with Your Insurance Carrier or IT Provider

Two practical uses beyond self-audit.

With your cyber insurance carrier:

Applications now ask 80 to 200 questions about MFA coverage, EDR deployment, backups, and incident response readiness. Carriers reserve the right to deny claims when answers are inaccurate.

Use this checklist to verify, item by item, that what you attest to matches reality. If the application asks about offline backups and you check yes, control 13 tells you what to confirm with your IT provider.

The stakes are real. Strong control implementation often means 20 to 40 percent lower premiums. Attestation gaps mean claim denials.

With your IT provider:

Send the checklist to your IT team or MSP. Ask them to mark each control implemented, partially implemented, or not implemented, with verification evidence for each.

A good provider welcomes this. A provider that resists, delays, or gives vague answers is telling you something important.

For controls marked not implemented, ask three questions:

  • What would it cost to implement in the next 90 days?
  • What's the business risk of skipping it?
  • What's your recommendation?

You don't have to implement everything immediately. You do have to make informed decisions about what to skip and document why.

Quick-Start Checklist: The Top 10 to Implement First

Do these in the next 90 days. They block the most common attacks against Ohio SMBs and form the core of any defensible safe harbor claim.

  1. Turn on MFA for every email account and confirm 100 percent enrollment
  2. Turn on MFA for every remote access path — VPN, remote desktop, web portals
  3. Turn on MFA with a hardware key for every admin and privileged account
  4. Deploy EDR on every laptop, desktop, and server and verify 100 percent coverage
  5. Confirm automated daily backups for email, file shares, and critical applications
  6. Verify at least one backup copy is immutable or offline
  7. Run a successful test restore this quarter and document the result
  8. Deploy email security with anti-phishing and malware sandboxing
  9. Complete security awareness training for every employee, including leadership
  10. Write a one-page incident response plan with names, phone numbers, and the first 10 steps to take when a breach is suspected

Each of these is achievable in 90 days with a competent IT provider. Together they block more than 80 percent of attacks Ohio SMBs face today.

The remaining 37 controls follow the same pattern — implement, verify, document, repeat. Set a 12-month roadmap and review quarterly.

Talk to Securafy

Securafy builds cybersecurity programs for Ohio SMBs that map to the CIS Controls and qualify for Ohio Safe Harbor protection. We're not the cheapest IT provider. We're the one that gives you documented evidence for every control on this list.

Want to know where you stand against these 47 controls? Book a 30-minute strategy call. We'll walk your current posture, identify gaps, and give you a written prioritized plan — whether you work with us or not.

You'll leave with a clear picture of your control coverage, a ranked list of risks for your industry, and a realistic budget for what matters most.

No sales pressure. Just the answers you need to make a good decision.
