Security Guide · Updated 2026-05-24
Cybersecurity Checklist for Indonesian SMEs
Small businesses often depend on a few laptops, shared accounts, WhatsApp, email, cloud storage, and online payments. This checklist helps Indonesian SMEs improve security step by step without needing a large internal security team.
Start with business risk, not tools
Good security starts by knowing what must be protected. For many SMEs, the most important assets are customer data, invoices, banking access, product files, email accounts, social media accounts, website admin panels, and business documents.
List the systems that would hurt the business if they were lost, stolen, leaked, or locked by ransomware. This creates a clear priority list.
1. Device security checklist
Every PC, laptop, and server used for business should have a basic security baseline.
- Use supported Windows versions and install updates regularly.
- Use antivirus or endpoint protection with regular updates.
- Remove unnecessary software, browser extensions, and old remote access tools.
- Use standard user accounts for daily work and separate administrator accounts for maintenance.
- Enable screen lock and disk encryption where practical.
- Review startup apps and scheduled tasks when devices behave strangely.
- Keep an inventory of business devices, owners, and purpose.
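The baseline above can be checked on each Windows PC with a short read-only script. The following is an added example, not part of the original checklist: it reports the update age, Microsoft Defender and BitLocker status, local administrator accounts, the machine inactivity lock timeout, startup commands and non-Microsoft scheduled tasks, and appends one row to a device inventory CSV. It assumes Windows 10/11 with PowerShell 5.1 or later, Microsoft Defender as the endpoint protection, and an elevated PowerShell window; the inventory path and the Owner/Purpose placeholders are assumptions to adjust.

```powershell
# Added example, not part of the original guide: a read-only Windows baseline
# check for one business PC. Assumes Windows 10/11, PowerShell 5.1+, Microsoft
# Defender, and an elevated session. Nothing here changes any setting.

$report = [ordered]@{}

# Supported version and how recently updates were installed
$os = Get-CimInstance Win32_OperatingSystem
$report['OSVersion'] = "$($os.Caption) build $($os.BuildNumber)"
$lastHotfix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LastUpdateInstalled'] = $lastHotfix.InstalledOn
$report['UpdatesOlderThan30Days'] = ($null -eq $lastHotfix) -or ($lastHotfix.InstalledOn -lt (Get-Date).AddDays(-30))

# Antivirus status (Defender cmdlet; fails harmlessly if another product is used)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']   = $mp.AntivirusSignatureAge
} catch {
    $report['RealTimeProtection'] = 'Defender status unavailable (third-party AV?)'
}

# Disk encryption on the system drive
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['SystemDriveEncryption'] = $bl.ProtectionStatus
} catch {
    $report['SystemDriveEncryption'] = 'BitLocker not available on this edition'
}

# Accounts with local administrator rights; daily-use accounts should not appear here
$report['LocalAdmins'] = (Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name) -join '; '

# Screen lock: machine inactivity limit set by policy, if any
$lockKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lockValue = Get-ItemProperty -Path $lockKey -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
$report['InactivityTimeoutSecs'] = if ($lockValue) { $lockValue.InactivityTimeoutSecs } else { 'not set by policy' }

# Startup entries and enabled non-Microsoft scheduled tasks, to review when a device misbehaves
$report['StartupCommands'] = (Get-CimInstance Win32_StartupCommand |
    ForEach-Object { "$($_.Name) -> $($_.Command)" }) -join "`n"
$report['ThirdPartyScheduledTasks'] = (Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object { "$($_.TaskPath)$($_.TaskName)" }) -join "`n"

# Inventory fields from the checklist; owner and purpose are filled in by hand
$report['ComputerName'] = $env:COMPUTERNAME
$report['Owner']        = '<fill in>'   # placeholder
$report['Purpose']      = '<fill in>'   # placeholder

# Show the findings and append one row to the device inventory (path is an assumption)
[pscustomobject]$report | Format-List
[pscustomobject]$report | Export-Csv -Path "$env:USERPROFILE\device-inventory.csv" -Append -NoTypeInformation
```

Run it once per device when it is set up and again whenever it behaves strangely; comparing the StartupCommands and ThirdPartyScheduledTasks fields against the previous row in the CSV shows what changed.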
2. Email and account protection
Email is often the main door into a business. Attackers may use phishing to steal passwords, reset other accounts, or trick staff into paying fake invoices.
Use strong, unique passwords, multi-factor authentication, regular review of recovery email addresses, and role-based access. Remove access for staff who no longer work with the company. Do not share one email account for every business activity if the account controls payments, marketplace access, or customer data.
3. Backup strategy
Backups protect the business from ransomware, accidental deletion, broken laptops, and human error. Important data should not live in only one place.
Use a combination of cloud storage with version history and offline backup. Test restores at least occasionally. Make sure someone knows how to recover files when the owner is unavailable.
4. Website and online system security
Many SMEs use WordPress, online shops, landing pages, payment plugins, or custom web applications. Website risk can come from outdated plugins, weak admin passwords, exposed admin pages, misconfiguration, and vulnerable components.
Use strong admin passwords, MFA where available, regular updates, trusted themes/plugins, backups, HTTPS, and periodic website security scans. If the website processes customer data, treat it as a business system, not just a brochure.
5. Data classification and DLP planning
Data Loss Prevention (DLP) works better when the business understands its data. Start with simple data classification: public data, internal data, confidential business data, and sensitive customer data.
After classification, define practical policies: who can access which data, where files can be stored, whether USB drives are allowed, whether personal email can receive business files, and how sensitive files should be shared. DLP should support business workflows, not block work randomly.
6. EDR and endpoint protection planning
Endpoint Detection and Response (EDR) helps detect suspicious behavior on laptops, PCs, and servers. For SMEs, the key is not only installing a tool but also knowing who will review alerts, respond to incidents, and update policies.
Before implementation, define monitored devices, alert ownership, response steps, exclusions, and reporting expectations. A security tool without operational process often becomes noisy and ignored.
7. Staff awareness
Many incidents start with normal human behavior: clicking a link, opening an attachment, using a weak password, installing a tool, or sharing a file through the wrong channel. Awareness does not need to be complicated.
Teach staff to verify payment changes, check sender addresses, avoid cracked software, report suspicious messages, and ask before installing unknown tools.
8. Incident response readiness
A small business needs a simple plan before something happens.
- Who should be contacted when a device is suspected to be infected?
- Which accounts must be reset first?
- Where are backups stored?
- Who can approve communication to customers or partners?
- Which devices or servers are critical for daily operation?
- How will evidence such as screenshots, emails, and logs be saved?
Practical monthly routine
Once a month, check updates, backup status, account access, website plugins, antivirus status, and unusual device behavior. Once every few months, review user access and test restoring one important file from backup. Small habits can prevent large incidents.
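The restore test asked for in the backup section and in this monthly routine can be scripted so it actually happens. The following is an added example, not part of the original checklist: it restores one important file from the backup copy into a scratch folder, checks how old the backup copy is, hashes the restored file, compares it with the live copy, and records the result in a dated log. The folder layout (a live folder mirrored under a backup folder on an external disk, NAS share, or cloud-sync folder), the file name, and the seven-day freshness limit are assumptions to adjust.

```powershell
# Added example, not part of the original guide: restore test plus freshness
# check for one important file. Assumes the backup mirrors the live folder
# structure under $BackupRoot. All paths below are placeholders.
param(
    [string]$LiveRoot         = 'C:\Business\Data',
    [string]$BackupRoot       = 'E:\Backup\Business\Data',
    [string]$RelativeFile     = 'Invoices\2026\invoice-list.xlsx',
    [int]   $MaxBackupAgeDays = 7
)

$live       = Join-Path $LiveRoot   $RelativeFile
$backup     = Join-Path $BackupRoot $RelativeFile
$restoreDir = Join-Path $env:TEMP   'restore-test'

if (-not (Test-Path $backup)) {
    Write-Warning "Backup copy missing: $backup"
    exit 1
}

# 1. Freshness: a backup copy that has not changed in weeks means the backup job is not running
$age = (Get-Date) - (Get-Item $backup).LastWriteTime
if ($age.TotalDays -gt $MaxBackupAgeDays) {
    Write-Warning ("Backup copy is {0:N0} days old (limit {1} days)" -f $age.TotalDays, $MaxBackupAgeDays)
}

# 2. Restore: copy out of the backup into a scratch folder, never over the live file
New-Item -ItemType Directory -Path $restoreDir -Force | Out-Null
$restored = Join-Path $restoreDir (Split-Path $RelativeFile -Leaf)
Copy-Item -Path $backup -Destination $restored -Force

# 3. Integrity: a readable restored file with a hash proves the copy is intact
$restoredHash = (Get-FileHash -Path $restored -Algorithm SHA256).Hash
$liveHash     = if (Test-Path $live) { (Get-FileHash -Path $live -Algorithm SHA256).Hash } else { $null }

[pscustomobject]@{
    File            = $RelativeFile
    BackupAgeDays   = [math]::Round($age.TotalDays, 1)
    RestoredBytes   = (Get-Item $restored).Length
    RestoredSHA256  = $restoredHash
    MatchesLiveCopy = if ($liveHash) { $restoredHash -eq $liveHash } else { 'live file not present' }
    TestedOn        = Get-Date -Format 'yyyy-MM-dd'
} | Format-List

# 4. Evidence: keep a dated record so the monthly review can show the restore worked
Add-Content -Path (Join-Path $BackupRoot 'restore-tests.log') `
    -Value ("{0} {1} sha256={2}" -f (Get-Date -Format s), $RelativeFile, $restoredHash)
```

A MatchesLiveCopy value of False is not by itself a failure: it usually means the live file was edited after the last backup run, which is exactly the information the freshness warning is meant to surface. A missing backup copy or a restored file that cannot be hashed is the result that should trigger action.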