The security checklist you'll actually finish.

In our last piece, we talked about why GCC businesses are sitting in the blast radius of a geopolitical conflict — and why that makes cybersecurity urgent, not optional.

This is the practical follow-up. Not the theory. Not the threat landscape. Just the things you can actually do this week to stop being easy prey.

Most small businesses don't get breached by genius hackers. They get breached because of a password that's been reused since 2019, an ex-employee who still has admin access, or software that hasn't been updated in months. The fix for most of this is boring. That's the good news.

Each section below follows the same structure: Good is the minimum that makes a real difference. Better takes a bit more effort but dramatically raises the bar. Ideal is where you'd be if you really had your act together. Start wherever you are. Move up when you can.

Passwords

Good

Stop using passwords that a stranger could guess in three tries. That means no 123456, no password, no company name followed by the current year. If your WiFi password is your business name — change it today.

A strong password is at least 12 characters, mixes letters, numbers, and symbols, and isn't reused anywhere else. That last part matters most. When one service gets breached — and they do, regularly — attackers try those credentials everywhere else. If you reuse passwords, one breach becomes five.

Better

Use a password manager. Bitwarden is free and open source. 1Password is excellent for teams. Both generate long random passwords and store them so you don't have to remember anything.

The result: every account gets a unique 20+ character password that you never type manually. You remember one master password. The manager handles the rest. This single change eliminates the most common way businesses get compromised.

Ideal

Password manager plus two-factor authentication on every account that supports it. 2FA means even if someone steals your password, they can't get in without a second factor — usually a code from an app on your phone.

Use an authenticator app (Ente Auth is a solid free pick) rather than SMS codes. SMS can be intercepted through SIM swapping — it's easier than you think. Start with the accounts that matter most: email, banking, cloud storage, your domain registrar, and any admin panels.

Who has access to what

Good

Sit down and list every person who has admin access to your business tools — email, website CMS, social media, cloud storage, accounting software, hosting. If anyone on that list no longer works with you, revoke their access right now.

This is the most overlooked vulnerability in small businesses. People leave. Contractors finish projects. Freelancers move on. But their accounts stay active, often with full admin rights, sometimes with passwords that haven't changed in years.

Better

Apply the principle of least privilege: give people only the access they need to do their job. Your social media manager doesn't need admin access to your hosting. Your bookkeeper doesn't need access to your website backend.

Most platforms — Google Workspace, Microsoft 365, WordPress, Shopify — have role-based access. Use it. If someone's role changes, update their permissions that day.

Ideal

Quarterly access reviews. Every three months, pull up your user lists and verify that every account still needs the access it has. Make it a 30-minute calendar event. Document who has access to what.

And enforce 2FA for every account with admin access — no exceptions. If a team member pushes back on that, explain that one compromised admin account can take down the entire business. That usually ends the conversation.

Software updates

Good

Update your software. All of it. Your CMS, your plugins, your server OS, your laptop OS, your phone. When you see "update available" — don't snooze it.

Most cyberattacks exploit known vulnerabilities — ones that already have patches available. The attackers aren't discovering new flaws. They're scanning for businesses that haven't applied the fix yet. Running outdated software is like leaving your front door open and hoping no one walks by.

Better

Enable automatic updates wherever possible. WordPress can auto-update core, themes, and plugins. Your OS can handle its own patches. Most SaaS tools update themselves. Take advantage of that.

For anything that can't auto-update, set a monthly reminder. Check your website plugins, your server packages, your router firmware. Yes, routers get updates too — and they're frequently targeted.

Ideal

If you manage servers or custom applications, use a vulnerability scanner to flag outdated components. Have a process: scan, prioritize, patch, verify. Critical security updates should be applied within 48 hours of release, not "when we get around to it."

And get rid of software you no longer use. That WordPress plugin you installed three years ago and forgot about? It's still running. It still has vulnerabilities. And it's still a way in. Remove what you're not using.

Backups

Good

Back up your data. If ransomware encrypted your entire system tomorrow morning, would you be able to recover? If the answer is "I'm not sure" — that's a no.

At minimum, make sure your critical files — customer data, financial records, contracts — exist in more than one place.

Better

Follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy offsite. Cloud backup to a different provider than your primary one counts as offsite. An external hard drive in a drawer does too.

Critically: test your backups. A backup you've never restored is a hope, not a plan. Once a quarter, pick a file, restore it, confirm it works. Five minutes that could save your business.

Ideal

Automated daily backups with versioning, stored in a geographically separate location, with documented and tested restore procedures. If you use a website or web application, most hosting providers offer automated daily backups — make sure it's turned on and that you know how to restore from it.

And keep at least one backup that is not connected to your network. If ransomware spreads through your systems, it will try to encrypt your backups too. An offline or air-gapped copy is your last line of defense.

Email security

Good

We covered email fraud in depth in our email security guide and business email compromise piece, so we won't repeat all of that here.

The short version: use a business email domain (not Gmail or Yahoo for work), enable SPF, DKIM, and DMARC on your domain — these prevent others from spoofing your email address — and train your team to never click links in unexpected emails.

Better

Set up email filtering that catches phishing attempts before they reach inboxes. Google Workspace and Microsoft 365 both have built-in protections — make sure they're actually turned on and configured properly.

Establish a verification procedure for any financial request over email. Someone asks for a wire transfer? Call them on a known phone number to confirm. Not the number in the email — a number you already have. This simple step has prevented millions in fraud losses.

Ideal

DMARC set to p=reject, meaning emails that fail authentication are blocked entirely, not just flagged. Regular phishing simulations for your team — not to punish anyone, but to build the habit of pausing before acting.
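A quick way to check where your own domain sits on this ladder is to pull its SPF, DKIM and DMARC TXT records and grade them. The script below is an added example (not from the original post) that does the grading on constructed sample records for a hypothetical domain; the selector name and the record values are assumptions, and in practice you would fetch the records from DNS for your real domain.

```python
# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.google.com ~all",
    "google._domainkey.example.test": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DKIM, DMARC) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_spf(record):
    """'ok' if the record ends in -all or ~all; '+all' or '?all' lets anyone send as you."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing"
    last = record.split()[-1].lower()
    if last in ("-all", "~all"):
        return "ok"
    if last in ("+all", "all", "?all"):
        return "weak"
    return "incomplete"  # no 'all' mechanism: unlisted senders are not rejected

def grade_dkim(record):
    """A usable DKIM record needs v=DKIM1 and a non-empty public key (p=)."""
    tags = parse_tags(record or "")
    return "ok" if tags.get("v") == "DKIM1" and tags.get("p") else "missing"

def grade_dmarc(record):
    """Map the DMARC policy onto the post's ladder: none is monitor-only, reject is ideal."""
    tags = parse_tags(record or "")
    if tags.get("v") != "DMARC1":
        return "missing"
    ladder = {"none": "monitor-only", "quarantine": "better", "reject": "ideal"}
    return ladder.get(tags.get("p", "").lower(), "invalid")

def grade_domain(domain, records, selector="google"):
    """Grade the SPF, DKIM and DMARC records found for `domain` in `records`."""
    return {
        "spf": grade_spf(records.get(domain)),
        "dkim": grade_dkim(records.get(f"{selector}._domainkey.{domain}")),
        "dmarc": grade_dmarc(records.get(f"_dmarc.{domain}")),
    }
```

On the sample records the result is spf ok, dkim ok, dmarc monitor-only: exactly the common "we set up DMARC" state in which failing mail is still delivered.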

Insurance

Good

Read your existing insurance policy. Does it cover cyber incidents? Many standard business policies don't. And as we covered in the previous article, many policies have war exclusion clauses that could void your claim entirely if an attack is attributed to a state actor.

Know what's covered and what isn't before you need to file a claim. That's the bare minimum.

Better

Get a dedicated cyber insurance policy. They typically cover incident response costs, data recovery, business interruption, legal fees, and customer notification expenses. For a small business, this can be the difference between recovering from a breach and closing.

Ideal

Cyber insurance plus specialist war risk coverage. Speak to a broker who understands the current threat landscape in the Gulf. Review your policy annually and whenever the geopolitical situation shifts — which, right now, means reviewing it now.

When something goes wrong

Good

Know who you would call. Not in a vague sense — actually have a name and a phone number. If your website goes down at midnight, if you discover data has been exfiltrated, if an employee clicks on something they shouldn't have — who handles it?

If the answer is "I'd figure it out" — that's the wrong answer. During a security incident, every hour of confusion is an hour the attacker has to do more damage.

Better

Write down a basic incident response plan. One page is fine. It should cover:

  • Who gets contacted first (IT provider, security firm, management)
  • How to isolate affected systems (disconnect from network, change passwords)
  • How to communicate with customers if data is involved
  • Who contacts your insurance provider
  • Where your backups are and how to restore from them

Ideal

A tested plan. Run a tabletop exercise once a year — walk through a scenario as a team. "Our website has been defaced with political messaging. What do we do?" Go through the steps. Find the gaps. Fix them. A plan that's never been tested is just a document.

Your website

Good

Make sure your website uses HTTPS (the padlock in the browser). In 2026, there's no excuse for running without it — most hosting providers include SSL certificates for free.

Change the default admin login URL if you're running WordPress. Bots scan for /wp-admin and /wp-login.php constantly. Moving it to something else is a small change that blocks a large volume of automated attacks.
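That scanning leaves a trace in your web server's access log, and it is worth knowing what it looks like. The script below is an added example (not from the original post) that flags client IPs firing repeated login POSTs at /wp-login.php or /xmlrpc.php within a short window; the log lines are constructed samples in the combined format Apache and nginx write, and the threshold and window size are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in the combined log format that Apache and nginx write.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:02:14:01 +0400] "GET /wp-login.php HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:02:14:02 +0400] "POST /wp-login.php HTTP/1.1" 200 4930 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:02:14:03 +0400] "POST /wp-login.php HTTP/1.1" 200 4930 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:02:14:04 +0400] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2026:02:15:10 +0400] "GET /about/ HTTP/1.1" 200 9911 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2026:02:16:44 +0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Endpoints that login bots hit; WordPress also accepts logins over XML-RPC.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_brute_force(log_text, threshold=3, window_seconds=300):
    """Return {ip: n} for IPs with at least `threshold` login POSTs inside any window_seconds."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            per_ip[rec["ip"]].append(datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0  # sliding window: times[start:end+1] all fall within window_seconds
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

On the sample log only 203.0.113.7 is flagged; the single successful login from 198.51.100.22 stays below the threshold, which is the behaviour you want before feeding flagged addresses into a WAF or fail2ban rule.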

Better

Put your site behind a CDN/WAF (web application firewall) like Cloudflare. The free tier already provides DDoS protection and basic bot filtering. For a business, the paid tier adds more serious protection at a reasonable price.

Review what data your website collects and where it's stored. Contact forms, customer accounts, payment info — if it's on your server, it needs protecting. If you don't need to store it, don't.

Ideal

Regular security scans. A penetration test at least once a year — especially if you handle customer data or process payments. You want to find the holes before someone else does.

None of this is hard. That's the point.

The gap between "totally exposed" and "reasonably protected" is not a million-dollar security budget. It's a few hours of focused work. Change passwords. Remove old accounts. Update your software. Set up 2FA. Back up your data. Review your insurance.

You don't need to do everything at once. But you need to start. Pick the section where you know you're weakest and fix that today. Then do the next one tomorrow. Within a week, your business will be harder to compromise than 90% of the small businesses around you.

That's not a high bar. But it's a real one. And right now, with the threat level where it is, clearing it matters.

If you want help figuring out where your specific gaps are — or if you want someone to run through this properly with a penetration test and security audit — reach out. We do this for businesses across the Gulf every day.