Cybersecurity | 6 min read

A practical cybersecurity checklist for Israeli SMBs with no in-house IT team

Plenty of small businesses run without anyone whose job is IT. This is a plain checklist you can work through yourself, grouped by how much difference each item makes, so an owner or office manager can see where they stand.

Tags: Cybersecurity Checklist, MFA, Backups, SMB

Plenty of small businesses in Israel run without anyone whose job is IT. The accounts sit in Microsoft 365, a firewall lives in the comms cabinet, laptops get bought when someone needs one, and security is whatever the last person to touch the system happened to set up. That works until it doesn't. What follows is a plain checklist you can work through yourself, grouped by how much difference each item makes, so a business owner or office manager can see where they stand without a technical background. None of it is dramatic. Most of the real gaps in a small business are quiet ones, and the cheap fixes close the biggest holes.

Start by Knowing What You Have

You cannot protect what you have never listed. Spend an afternoon writing down the basics: which laptops and phones touch company data, what cloud services you pay for (Microsoft 365, accounting, CRM, file sharing), who has access to each, and where your important files actually live. Most owners are surprised by this list: an old account for someone who left two years ago, a shared mailbox nobody really owns, a personal cloud drive quietly holding client files. The inventory is not glamorous, but every later decision depends on it, and the gaps it exposes are usually the cheapest ones to close.

Turn On Multi-Factor Authentication Everywhere

If you do one thing from this list, do this. Multi-factor authentication (MFA) means a password alone is not enough to log in; a second step, usually a prompt on your phone, is needed too. It is the single most effective protection against the most common attack of all, where someone gets hold of a password and simply logs in as you. Enable it on Microsoft 365 or Google Workspace first, then on your accounting system, your bank, and anything holding customer data. Use an authenticator app rather than SMS codes where you can, since text messages can be intercepted or redirected to an attacker. International guidance for small businesses, including from CISA, puts MFA at the very top of the list, and that ranking is earned.

Tighten Your Microsoft 365 or Google Workspace

Email and file storage are where most small businesses actually live, and the default settings lean toward convenience over safety. A handful of checks pay off. Make sure MFA is enforced for everyone, not left optional. Keep the number of admin accounts small and separate from daily email. Review who can share files outside the company, and replace broad 'anyone with the link' sharing with something tighter. Turn on the audit log, so that if something does go wrong you can see what happened rather than guess. None of this costs extra on a standard business plan. It is a matter of someone going in and setting it deliberately.

Keep Software Updated, Automatically

A large share of break-ins use a known flaw in software that already had a fix available, sometimes for months. Windows, macOS, web browsers, and business applications all release security updates, and the safest approach is to let them install automatically rather than relying on anyone to remember. The same goes for the quiet devices. Your firewall, your Wi-Fi router, and anything else with an internet connection runs software that needs patching too, and those are the ones most often forgotten because nobody sees them day to day.

Put Real Protection on Every Device

Built-in antivirus is a reasonable floor, but modern threats often slip past simple matching against a list of known bad files. Endpoint protection, often sold as EDR (Endpoint Detection and Response), watches for suspicious behaviour instead, which is what catches newer attacks and ransomware while it is still running. For a small office the practical goal is one consistent protection tool across every laptop and desktop, kept up to date, ideally with someone able to see the alerts it raises. One unmanaged laptop, sitting outside whatever everyone else has, is often all an attacker needs.

Make Backups You Have Actually Tested

A good backup is the difference between a bad week and a closed business. The rule worth remembering is three copies of your data, on two types of storage, with one kept offline or otherwise out of reach. That last copy matters because ransomware deliberately hunts for and encrypts backups that are still connected to the network. And a backup you have never restored from is only a hope. Pick a file, restore it, confirm it opens, and do that a couple of times a year. Microsoft 365 and Google Workspace are not exceptions: they keep the service running, but recovering your own data after an accidental deletion or an attack is your responsibility, and a dedicated backup is what covers it.

Control Remote Access on Purpose

If staff work from home or on the road, how they reach company systems matters a great deal. The dangerous shortcut is exposing an internal system, especially Remote Desktop, directly to the internet; automated scanners find these within hours and hammer them around the clock. The safer path is a VPN protected with MFA, or a Zero Trust approach that grants access to specific applications rather than dropping someone onto the whole network. Whatever you use, it should be a deliberate setup that someone maintains, not a port opened once in a hurry and never revisited.

Sort Out Who Has Access to What

Two quiet risks build up over time. The first is leavers: an employee departs, but their email, files, and shared logins stay live for months. Make account removal part of the day someone leaves, the same way you collect their keys and their laptop. The second is over-access: people accumulate permissions they no longer need as their role shifts. Give each person access to what their job actually requires and review it now and then. These cost nothing but attention, and they shrink the damage any single compromised account can do.
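Several of the items above (MFA enforced for everyone, admin accounts kept separate from daily email, leavers removed, stale access reviewed) can be checked in one pass over a user list exported from your admin console. The script below is an added example, not part of the original checklist or any vendor's tooling; the sample export is constructed, its column layout is an assumption about what such an export contains, and the 90-day and four-admin thresholds are working values chosen for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample in the shape of a user export from an admin console.
# Names, domain and dates are invented; the column layout is an assumption.
USERS_CSV = """upn,enabled,mfa_enforced,admin_role,has_mailbox,last_signin,left_on
dana@example.co.il,True,True,,True,2024-05-20,
yossi@example.co.il,True,False,,True,2024-05-19,
admin-eli@example.co.il,True,True,Global Administrator,False,2024-05-21,
eli@example.co.il,True,True,Global Administrator,True,2024-05-21,
former@example.co.il,True,True,,True,2022-03-01,2022-03-15
shared-sales@example.co.il,True,False,,True,2023-11-02,
"""
SAMPLE_TODAY = date(2024, 5, 22)  # fixed "today" so the sample is reproducible


def audit(csv_text, today, stale_days=90, max_admins=4):
    """Return (account, finding) pairs for the checklist gaps in an export.

    stale_days and max_admins are thresholds chosen for this example,
    not figures taken from the checklist.
    """
    findings = []
    admins = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        upn = row["upn"]
        if row["enabled"] != "True":
            continue  # a disabled account cannot be logged into; skip it
        last_signin = date.fromisoformat(row["last_signin"])
        if row["mfa_enforced"] != "True":
            findings.append((upn, "MFA not enforced"))
        if row["left_on"]:
            findings.append((upn, "leaver's account still enabled"))
        if today - last_signin > timedelta(days=stale_days):
            findings.append((upn, "no sign-in for %d+ days" % stale_days))
        if row["admin_role"]:
            admins += 1
            if row["has_mailbox"] == "True":
                findings.append((upn, "admin role on a daily mailbox account"))
    if admins > max_admins:
        findings.append(("tenant", "more than %d admin accounts" % max_admins))
    return findings


if __name__ == "__main__":
    for account, finding in audit(USERS_CSV, SAMPLE_TODAY):
        print("%-28s %s" % (account, finding))
```

Run against a real export, the output is the short list of quiet gaps the section above describes, ready to be worked through one account at a time.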

Train the People, Not Just the Machines

Most incidents start with a person clicking something, so a short, honest conversation with your team is worth more than any single product. People should know how to spot a suspicious email, why they should never approve an MFA prompt they did not trigger themselves, and who to tell the moment something feels off. The aim is not to frighten anyone. It is to make reporting a near-miss normal rather than embarrassing, because the cost of a quick false alarm is nothing next to the cost of a click nobody mentioned for a week.

Write Down What to Do When Something Goes Wrong

Even good defences fail sometimes, and the worst moment to start thinking is in the middle of an incident. A single page is enough: who to call first, how to reach your IT support out of hours, which systems matter most, and where the backups are. Knowing in advance that a particular laptop should be unplugged from the network but left switched on, for example, can preserve evidence and limit the spread. The plan does not need to be elaborate. It needs to exist, and to be somewhere you can reach without the network that just went down.

Where This Leaves a Business Without Internal IT

Worked through honestly, this checklist tells you something useful. Most small businesses are strong on some items and have quiet gaps on others, and the gaps are rarely the expensive, dramatic ones. They are an unpatched firewall, a backup nobody tested, a former employee's account still live. NetFortress works with Israeli SMBs that have no internal IT team, taking these items off your plate and keeping them maintained for a predictable monthly cost rather than a crisis-driven one. If you want a clear read on where your business actually stands, ask us for a review and we will hand back a prioritised list in plain language.

Frequently Asked Questions

Where should a small business with no IT team start?

With two things: a simple inventory of your devices, cloud services, and who has access, and multi-factor authentication switched on everywhere. The inventory shows you what you are actually protecting and usually surfaces forgotten accounts, while MFA blocks the most common attack, where someone reuses or steals a password and simply logs in. Neither costs money, and together they remove the largest share of everyday risk.

Is the security built into Microsoft 365 or Google Workspace enough?

The platform itself is secure, but the default settings favour convenience and recovering your own data is your responsibility. Enforce MFA for everyone, keep admin accounts few and separate from daily email, tighten external file sharing, and turn on the audit log. Add a dedicated backup too, because the provider keeps the service running but does not undo an accidental deletion or a ransomware attack for you.

How often do we need to test our backups?

A couple of times a year is a reasonable minimum for a small business. Testing means actually restoring a real file and confirming it opens, not just checking that the backup job ran. Keep at least one copy offline or otherwise out of the network's reach, because ransomware specifically looks for and encrypts backups that are still connected.

Do we really need endpoint protection beyond built-in antivirus?

For most small businesses, yes. Built-in antivirus is a reasonable floor, but it mainly catches known threats. Endpoint protection (EDR) watches for suspicious behaviour, which is what stops newer attacks and ransomware while they are still running. The practical aim is one consistent, up-to-date tool on every laptop and desktop, ideally with someone able to see the alerts it raises.

Can we handle all of this ourselves, or do we need a provider?

Many of these steps you can do yourself: MFA, updates, backups, and removing old accounts need attention more than expertise. The items that usually slip are the ones nobody owns, like firewall patching, watching alerts overnight, and testing recovery. That is where a managed provider helps, taking the recurring work off your plate for a predictable cost rather than leaving it until something breaks.

Ready to secure your business without building an internal IT team?

Book a free consultation and get a practical first look at your IT and Microsoft 365 security posture.