Free Resource
Free Cybersecurity Checklist for Louisiana Small Businesses
18 specific cybersecurity controls every Louisiana small business should have in place. Organized in four tiers — from absolute essentials to operational disciplines. Free and actionable.
Why every Louisiana small business needs this checklist
Verizon's 2024 Data Breach Investigations Report found 43% of cyberattacks now target organizations under 100 employees. The reasons are straightforward: smaller businesses have weaker defenses, hold valuable financial credentials (banking access, QuickBooks logins, vendor portals), and are more likely to pay ransoms because they can't survive a long outage.
This checklist covers the 18 specific cybersecurity controls every Louisiana small business should have in place. It's organized in four tiers — the absolute essentials (anyone without these is exposed), the recommended additions (which most insurers now require to write coverage), the advanced controls (for businesses handling regulated data), and the operational disciplines that turn point-in-time controls into ongoing protection.
Tier 1: Absolute Essentials (anyone without these is exposed)
- Multi-Factor Authentication (MFA) on every business account. Email, banking, accounting, CRM, social media, domain registrar. MFA stops the large majority of automated credential-theft attacks (Microsoft puts the figure above 99%). Prefer an authenticator app or hardware security key over SMS codes wherever the service allows it. If you take only one action from this list, take this one.
- A password manager rolled out to every employee. Bitwarden Business ($3/user/mo), 1Password Business ($8/user/mo), or LastPass Business. Without one, employees reuse passwords. With one, every account gets a unique strong password automatically.
- Endpoint Detection and Response (EDR) on every device. Not just antivirus — EDR detects behavior (suspicious process execution, lateral movement) that signature-based antivirus misses. CrowdStrike, SentinelOne, Microsoft Defender for Business, or similar.
- Full-disk encryption on all laptops. BitLocker on Windows, FileVault on Mac. Free, built-in. A lost laptop without encryption is a data breach; with encryption, it's just a hardware loss.
- Tested backups with verified recovery. Both cloud and offline/immutable copies. Ransomware operators delete or encrypt every backup they can reach before they trigger the attack, which is why at least one copy must be offline or immutable. "We have backups" isn't enough — most businesses discover their backups didn't work only after a ransomware event. Verify recovery quarterly by actually restoring data, not by checking that the backup job reports success.
Tier 2: Recommended Additions (most cyber insurers now require)
- Email authentication: SPF, DKIM, DMARC set to reject. Without these, attackers can spoof your domain to send phishing emails impersonating you. With DMARC at p=reject, receiving mail servers discard mail from your domain that fails both SPF and DKIM alignment. Roll it out in stages: publish p=none with a reporting (rua) address first, fix the legitimate senders the reports reveal (marketing platforms, invoicing tools, scanners), then move to quarantine and finally reject.
- Advanced email filtering. Microsoft Defender for Office 365 (built into M365 Business Premium), Proofpoint Essentials, or Avanan. Catches phishing that the default filters miss.
- Security awareness training with phishing simulation. Monthly fake-phishing emails sent to employees, with training for those who click. KnowBe4 is the market leader; multiple alternatives exist.
- Network segmentation: guest Wi-Fi separated from business systems. Customers and visitors shouldn't be able to see your servers or printers from the guest network. Most consumer-grade routers don't support this; business firewalls do.
- Written incident response plan. Documented procedure for ransomware, data breach, lost laptop. Insurers want to see one; you want one before an incident, not during.
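To check the email authentication item above before calling it done, here is an added example (not code from the original checklist) that grades SPF and DMARC TXT records against the target of SPF `-all` and DMARC `p=reject`, and flags the common half-measures: a softfail SPF, a DMARC policy of none or quarantine, a `pct` below 100, a weaker subdomain policy, and a missing reporting address. The domains and records in it are constructed sample data; a real check fetches the TXT records at your domain and at `_dmarc.` followed by your domain from DNS first. DKIM is not graded here because its public keys live under selector names that your mail platform assigns.

```python
"""Flag weak SPF and DMARC settings before a domain is relied on to stop spoofing.

This is an added example, not code from the original checklist. The records
below are constructed sample data; in a real check you would fetch the TXT
records for your domain and for _dmarc.<your domain> from DNS first.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records: (SPF TXT record, DMARC TXT record); None = not published.
SAMPLE_RECORDS = {
    "weak.example": (
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    ),
    "strong.example": (
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    ),
    "bare.example": (None, None),
}

SPF_QUALIFIERS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}


@dataclass
class Finding:
    domain: str
    spf: str           # missing | hardfail | softfail | neutral | pass
    dmarc: str         # missing | none | quarantine | reject
    issues: list[str] = field(default_factory=list)


def spf_policy(record: Optional[str]) -> str:
    """Return what an SPF record does with senders it does not list (its 'all' mechanism)."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # no 'all' mechanism: unlisted senders get a Neutral result


def dmarc_tags(record: Optional[str]) -> dict[str, str]:
    """Parse a 'tag=value; tag=value' DMARC record into a dict (empty if unusable)."""
    tags: dict[str, str] = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    return tags


def assess(domain: str, spf_record: Optional[str], dmarc_record: Optional[str]) -> Finding:
    """Compare a domain's records against the checklist target: SPF -all and DMARC p=reject."""
    tags = dmarc_tags(dmarc_record)
    finding = Finding(domain, spf_policy(spf_record), tags.get("p", "missing").lower())

    if finding.spf == "missing":
        finding.issues.append("no SPF record: receivers cannot tell which servers may send as you")
    elif finding.spf != "hardfail":
        finding.issues.append(f"SPF ends in '{finding.spf}': unlisted senders are not rejected")

    if finding.dmarc == "missing":
        finding.issues.append("no DMARC record: SPF/DKIM failures are never enforced")
    else:
        if finding.dmarc != "reject":
            finding.issues.append(f"DMARC p={finding.dmarc}: spoofed mail is not rejected")
        pct = tags.get("pct", "100")
        if not pct.isdigit() or int(pct) < 100:
            finding.issues.append(f"pct={pct}: the policy applies to only part of failing mail")
        sp = tags.get("sp")
        if sp is not None and sp.lower() != "reject":
            finding.issues.append(f"sp={sp}: subdomains can still be spoofed")
        if "rua" not in tags:
            finding.issues.append("no rua= address: you will not receive aggregate reports")
    return finding


if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLE_RECORDS.items():
        result = assess(name, spf, dmarc)
        status = "OK" if not result.issues else f"{len(result.issues)} issue(s)"
        print(f"{name}: SPF={result.spf} DMARC={result.dmarc} -> {status}")
        for issue in result.issues:
            print(f"  - {issue}")
```

Run it as-is to see the three constructed domains graded; to check your own domain, replace the entries in SAMPLE_RECORDS with the TXT records your DNS actually returns. A clean result means the records say the right thing; it does not prove every legitimate sender is covered, which is what the staged rollout and the DMARC aggregate reports are for.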
Tier 3: Advanced Controls (for regulated or high-stakes operations)
- Conditional access policies. Block logins from countries you don't operate in, require MFA from new devices, restrict admin actions to managed devices. Available in M365 Business Premium, which includes the Microsoft Entra ID P1 license (formerly Azure AD Premium P1) that Conditional Access requires.
- Mobile Device Management (MDM). Microsoft Intune, Jamf for Mac. Allows remote wipe of lost/stolen devices, enforces security policies, manages app deployment.
- DNS-layer filtering. Cisco Umbrella, DNSFilter, Cloudflare Gateway (part of Cloudflare Zero Trust, formerly Cloudflare for Teams). Blocks malicious domains before users can connect to them.
- Privileged Access Management (PAM). For administrator accounts. Separate admin accounts from daily-use accounts; require just-in-time elevation; log all admin actions.
Tier 4: Operational Disciplines (point-in-time controls fail without these)
- Quarterly access reviews. Who has access to what? Should they still have it? Document every quarter.
- Monthly patch management with verification. Operating systems, applications, firmware. Most ransomware gets in through vulnerabilities whose patches have been available for months; verify that patches actually installed rather than trusting the deployment report.
- Annual cybersecurity policy review and tabletop exercise. Walk through a hypothetical incident with your leadership team. Find the gaps before an attacker does.
- Vendor security review. Every vendor with access to your data is a potential breach vector. Review their controls; require Business Associate Agreements where applicable; reassess annually.
How to start: the 30-day quick-win plan
Trying to deploy all 18 at once is overwhelming. Here's the realistic 30-day plan:
Week 1: MFA on email, banking, accounting, and admin accounts. Password manager pilot with 3-5 people.
Week 2: EDR deployment across all devices. Full-disk encryption verification.
Week 3: Backup verification test (actually restore data to a test environment). Email authentication (SPF/DKIM/DMARC) setup.
Week 4: Security awareness training launch with first phishing simulation. Document a basic incident response procedure.
After 30 days you have the absolute essentials in place. Then tackle Tier 2 over the next 60 days.
Frequently asked questions
How much does implementing all 18 controls cost for a small business?
For a 10-person business: roughly $200-$400/month in software licensing (MFA, password manager, EDR, security training platform) plus $300-$800 in initial deployment labor. Many of the Tier 1 controls (MFA, encryption, basic backups) are free — they just need to be configured.
Which controls are required by Louisiana's cyber insurance carriers?
Most carriers now require: MFA on email and remote access, EDR on all endpoints, immutable backups, security awareness training documented, written incident response plan. Without those, many carriers won't quote coverage at all. With them, premiums are often 20-40% lower.
Can we do this ourselves or do we need a managed IT provider?
Tier 1 controls can be deployed by a competent internal IT person or an owner with technical comfort. Tier 2 and beyond typically benefit from managed IT expertise — not because the controls are hard, but because keeping them current (patches, training, monitoring) requires ongoing attention most internal IT teams can't sustain. We offer the full stack as part of our managed IT engagements.
What's the highest-risk control to skip?
MFA. The vast majority of breaches we see start with credential theft — attackers buy stolen passwords on dark web marketplaces and replay them against M365 / Google Workspace / banking. MFA blocks that replay regardless of how the password was stolen. The caveat: real-time phishing kits that proxy the genuine login page can capture the one-time code or session along with the password, so for admin and finance accounts prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS and push approvals.
Got questions about your specific situation?
Schedule a free 15-minute discovery call. We'll walk through your specific environment, answer questions about what's covered in this guide, and tell you what (if anything) actually needs to change. No sales pitch.
Schedule a Free Discovery Call →