The bottom line: 80% of successful cyberattacks exploit basic flaws: weak passwords, unpatched systems, absent backups. This checklist covers those fundamentals and can be implemented in under a week of effort.
Why SMEs are targets
A myth persists: hackers target large companies. In reality, SMEs are preferred targets for two reasons: they have valuable data (clients, finances, contracts) and almost no defenses. In Algeria, this is amplified by low cybersecurity maturity and widespread underestimation of risk.
The 10 actions
1. Enable two-factor authentication (2FA) on all critical accounts. Professional email, cloud, management tools, VPN access, and first of all every administrator account. 2FA stops the vast majority of attacks that rely only on a stolen or guessed password (the commonly cited figure is 99% of automated attacks). Prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected by SIM swapping. On Microsoft 365 or Google Workspace, activation takes 15 minutes.
2. Update all systems and applications. The most devastating ransomware attacks exploit vulnerabilities for which a patch already existed. If your machines still run Windows 7 (out of support since January 2020) or outdated software, you're exposed. Enable automatic updates wherever possible, and don't forget browsers, office suites, and the firmware of routers and NAS devices, which rarely update themselves.
3. Test your backups. Having a backup isn't enough. The question is: have you tried restoring from that backup? Test it now, and repeat the test regularly: restore a few files, then do a full restore of one machine and note how long it takes. 3-2-1 rule: 3 copies, on 2 different media, with 1 offsite (cloud or external physical). At least one copy should be offline or immutable, otherwise ransomware that reaches your file server will encrypt the backup along with the data.
4. Change all default passwords. Routers, printers, NAS, IP cameras: these devices often ship with default credentials (admin/admin, admin/1234), and bots scan the internet for them constantly. Change them on the day of installation, and disable remote administration from the internet unless you genuinely need it.
5. Train your teams on phishing. 85% of attacks start with a phishing email. A 2-hour training session with real examples significantly reduces risk, provided it is repeated and employees have an easy way to report a suspicious email without being blamed.
6. Segment your Wi-Fi network. Create a guest Wi-Fi network separate from your internal network. Visitors, external contractors, and employees' personal devices should not be able to reach your servers and printers. Most business access points support this as a separate SSID on its own VLAN with client isolation enabled.
7. Encrypt laptop hard drives. If a laptop is stolen, encryption makes the data inaccessible. Windows: BitLocker (free, built-in on Pro editions). Mac: FileVault (built-in; check that it is on under System Settings > Privacy & Security). Activation: 5 minutes per machine, with the initial encryption running in the background. Store each recovery key somewhere other than the laptop itself (your directory service or the company password manager), or a forgotten password turns into lost data.
8. Inventory your access and remove inactive accounts. Former employees, interns, contractors: how many still have access to your systems? Review quarterly, and tie it to offboarding so that accounts are disabled the day someone leaves. Every unused account is a potential entry point, especially one without 2FA.
9. Install antivirus/EDR on all endpoints. Basic antivirus no longer suffices against modern threats. Invest in an EDR (Endpoint Detection and Response), which records what happens on the machine and can isolate it when something goes wrong. Budget: 725–1,450 DA per endpoint per month.
10. Document an incident response plan. What do we do if a machine is infected tomorrow morning? Who do we call? What data is priority? This plan doesn't need to be complex: one A4 page with contacts and steps is enough (disconnect the machine from the network, don't wipe it, call the named contact, check the backups). But it must exist, and keep a printed copy: if your files are encrypted, you may not be able to open the plan.
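Action 3 says the only real test of a backup is a restore. As an added example (not code from the original article), the script below does exactly that on constructed sample data: it archives a folder, restores it into a scratch directory, and compares every file's SHA-256 against a manifest taken before the backup. It also simulates a backup job that silently skipped a file (the kind of thing that happens when a file is locked), which only a restore test catches. File names and paths are assumptions for the demonstration.

```python
"""Backup restore drill: archive a folder, restore it to a scratch directory and
verify every file by SHA-256. Paths and sample files below are constructed."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, skip=frozenset()) -> None:
    """Write a gzip tarball of source. `skip` simulates files a real job might
    miss (locked, in use): members whose normalised name is in `skip` are dropped."""
    def keep(info):
        return None if os.path.normpath(info.name) in skip else info
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)


def restore_and_verify(archive: Path, expected: dict, restore_dir: Path) -> list:
    """Extract archive into restore_dir and compare against the expected manifest.
    Returns a list of problems; an empty list means the restore is good."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter refuses members that would escape restore_dir
            # (absolute paths, ".." traversal), a classic tar-extraction trap.
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # Python without the `filter` argument (pre-3.12, no backport)
            tar.extractall(restore_dir)
    got = manifest(restore_dir)
    problems = [f"missing after restore: {rel}" for rel in expected if rel not in got]
    problems += [f"checksum mismatch: {rel}" for rel in expected
                 if rel in got and got[rel] != expected[rel]]
    problems += [f"unexpected file in restore: {rel}" for rel in got if rel not in expected]
    return problems


def run_drill():
    """Constructed scenario: a complete backup and one that silently skipped a file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "shared"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "invoices.csv").write_text("id,amount\n1,1200\n")
        (src / "contracts.txt").write_text("client A, 2024\n")
        expected = manifest(src)  # taken from the live data before the backup runs

        good = base / "good.tgz"
        create_backup(src, good)
        good_problems = restore_and_verify(good, expected, base / "restore_good")

        bad = base / "bad.tgz"  # job that "skipped" a locked file
        create_backup(src, bad, skip={"finance/invoices.csv"})
        bad_problems = restore_and_verify(bad, expected, base / "restore_bad")
        return good_problems, bad_problems


if __name__ == "__main__":
    ok, broken = run_drill()
    print("complete backup:", ok or "restore verified")
    print("incomplete backup:", broken)
```

In production the manifest would be written next to the backup when the job runs, and the restore test would run from the offsite copy, not the live share, since that is the copy you will actually need after a ransomware incident.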
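Actions 1 and 8 both come down to reading an export of your user accounts and asking a few questions of each one. The script below is an added example, not code from the original article, that runs those questions over a constructed account export: is the person still employed, has the account signed in within 90 days, is 2FA enrolled. The column names are assumptions; real Microsoft 365 or Google Workspace exports name these fields differently, so adjust the header line to match yours.

```python
"""Quarterly access review over a CSV export of user accounts (constructed sample)."""
import csv
import io
from datetime import date

# Constructed export for the example; the column set is an assumption, not a
# real identity-provider format.
SAMPLE_EXPORT = """\
login,display_name,enabled,mfa_enrolled,last_sign_in,employment_end
a.benali,Amina Benali,true,true,2025-03-20,
k.mansouri,Karim Mansouri,true,false,2025-03-18,
intern2024,Summer Intern,true,false,2024-09-30,2024-09-30
contractor-it,External IT,true,true,2024-11-02,
admin,Built-in admin,true,false,,
s.haddad,Samir Haddad,false,true,2024-01-15,2024-02-01
"""


def parse_date(value: str):
    """ISO date or None when the export leaves the field empty."""
    return date.fromisoformat(value) if value else None


def review_accounts(csv_text: str, today: date, max_idle_days: int = 90) -> dict:
    """Return {login: [reasons]} for every enabled account that needs attention.
    Disabled accounts are skipped: they are already dealt with."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue
        reasons = []

        # Former staff / ended contracts: the account should have been disabled.
        end = parse_date(row["employment_end"])
        if end and end <= today:
            reasons.append(f"employment ended {end} but account still enabled")

        # Dormant accounts: nobody notices when they get taken over.
        last = parse_date(row["last_sign_in"])
        if last is None:
            reasons.append("never signed in")
        elif (today - last).days > max_idle_days:
            reasons.append(f"idle for {(today - last).days} days")

        # Password-only accounts are exactly what phishing and credential stuffing target.
        if row["mfa_enrolled"].strip().lower() != "true":
            reasons.append("MFA not enrolled")

        if reasons:
            findings[row["login"]] = reasons
    return findings


if __name__ == "__main__":
    for login, reasons in review_accounts(SAMPLE_EXPORT, date(2025, 3, 25)).items():
        print(f"{login}: {'; '.join(reasons)}")
```

Run it on a real export with a fixed `today` so the report is reproducible, and treat the "employment ended" lines as the ones to fix the same day; the idle and MFA findings are the quarterly cleanup.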
Frequently asked questions
How long does it take to implement this checklist?
For an SME of 20 to 50 endpoints, plan for 2 to 5 days of work spread over 2 weeks. Some actions (2FA, updates) can be done in a few hours. Team training requires more organization.
What's the minimum budget to secure a 30-person SME?
Budget 43,500–87,000 DA/month for essential tools (EDR, cloud backup, enterprise password manager, training). That's less than the cost of half a day of downtime from an incident.