Small Business Cyber Hygiene Series: Part 2: Know What You Have (Identify)

Introduction

Cybersecurity starts with knowing what you have. Whether you’re running a small business or simply managing your own digital life, you can’t protect assets you’ve lost track of. Most risks come not from advanced attackers but from the everyday unknowns: forgotten accounts, old devices, unmanaged apps, and data spread across laptops, inboxes, and cloud services.

This article breaks down the Identify function of the NIST Cybersecurity Framework and shows how small and mid‑sized businesses, and anyone managing their own digital footprint, can build a simple, sustainable inventory of their technology, accounts, and data.


Why “Identify” Comes First

Before you can secure anything, you need a clear picture of:

  • What devices you own
  • What accounts exist
  • What software and cloud services you rely on
  • Where your important data lives
  • Who has access to what

Most small businesses grow organically — adding tools, apps, and accounts as needed. Over time, this creates blind spots that attackers exploit. The Identify step closes those gaps.


Why SMBs Struggle With Visibility

Small businesses rarely have formal asset management processes. Instead, they rely on memory, tribal knowledge, or “we’ll figure it out when something breaks.” That approach works until:

  • An employee leaves and still has access
  • A device gets lost or stolen
  • A cloud subscription renews automatically
  • A forgotten admin account becomes an entry point
  • A ransomware attack hits a system no one realized was critical

Visibility isn’t about documentation for documentation’s sake — it’s about reducing the unknowns that create unnecessary risk.


What You Need to Track (The Essentials)

You don’t need a complex system. A simple spreadsheet or lightweight tool is enough. Focus on these four categories:

1. Devices (Laptops, Desktops, Phones, Tablets)

Track:

  • Device type and owner
  • Operating system
  • Serial number (optional but helpful)
  • Whether it’s encrypted
  • Whether it’s backed up
  • Whether it’s still in use

Why it matters:
Lost, stolen, or unpatched devices are one of the most common SMB security failures — and one of the easiest to prevent.

2. Accounts (Email, Admin, Cloud Services)

Track:

  • User accounts (active and inactive)
  • Admin accounts
  • Shared accounts
  • Service accounts
  • Who has access to what

Why it matters:
Attackers love old accounts, shared passwords, and unused admin privileges. Cleaning these up dramatically reduces risk.

3. Applications & Cloud Services

Track:

  • Software installed on each device
  • Cloud apps (Microsoft 365, Google Workspace, QuickBooks, CRM, etc.)
  • Subscription owners
  • Renewal dates
  • MFA status

Why it matters:
Shadow IT — tools employees sign up for without approval — creates blind spots and data sprawl.

4. Data (Where It Lives & Who Can Access It)

Track:

  • What data you store
  • Where it’s stored (devices, cloud, email, external drives)
  • Who has access
  • Whether it’s backed up

Why it matters:
If you don’t know where your important data lives, you can’t protect it — or recover it.


A Simple Monthly Habit to Stay Organized

You don’t need a full‑time IT team. Just build a recurring routine:

Monthly

  • Review active accounts
  • Confirm devices are still in use
  • Remove unused apps
  • Check for new cloud subscriptions

Quarterly

  • Validate your inventory
  • Remove old admin access
  • Update your data map

Annually

  • Conduct a full inventory refresh
  • Archive or decommission old systems

Small, consistent habits beat large, inconsistent efforts every time.
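
The tracking lists and the review routine above can be run as a script over a spreadsheet export. This is an added example, not part of the original article; the column names, sample rows, staff list, and 90-day stale threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names are assumptions based on the article.
DEVICES_CSV = """device,owner,os,encrypted,backed_up,in_use
laptop-01,alice,Windows 11,yes,yes,yes
laptop-02,bob,macOS 14,no,yes,yes
phone-03,carol,Android 14,yes,no,yes
desktop-04,dave,Windows 10,yes,yes,no
"""
ACCOUNTS_CSV = """account,service,owner,role,shared,mfa,last_login
alice@example.com,Microsoft 365,alice,admin,no,yes,2024-05-28
bob@example.com,Microsoft 365,bob,user,no,no,2024-05-30
dave@example.com,Microsoft 365,dave,admin,no,yes,2023-11-02
billing@example.com,QuickBooks,alice,user,yes,yes,2024-05-15
"""
CURRENT_STAFF = {"alice", "bob", "carol"}  # dave has left the business


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def review(devices, accounts, staff, today, stale_days=90):
    """Return (item, finding) pairs for the monthly/quarterly review."""
    findings = []
    for d in devices:
        if d["in_use"] != "yes" or d["owner"] not in staff:
            findings.append((d["device"], "unused or unowned: decommission"))
        findings += [(d["device"], f"not {c.replace('_', ' ')}")
                     for c in ("encrypted", "backed_up") if d[c] != "yes"]
    for a in accounts:
        idle = (today - date.fromisoformat(a["last_login"])).days
        if a["owner"] not in staff:
            findings.append((a["account"], "owner has left: disable"))
        if a["role"] == "admin" and idle > stale_days:
            findings.append((a["account"], "stale admin access: remove"))
        if a["shared"] == "yes":
            findings.append((a["account"], "shared account: review access"))
        if a["mfa"] != "yes":
            findings.append((a["account"], "MFA not enabled"))
    return findings


if __name__ == "__main__":
    for item, finding in review(load(DEVICES_CSV), load(ACCOUNTS_CSV),
                                CURRENT_STAFF, date(2024, 6, 1)):
        print(f"{item}: {finding}")
```

Replace the embedded samples with CSV exports of your own inventory sheets and keep the staff list current; an empty result means the review found nothing to act on.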


Practical Tools to Help (Optional, Not Required)

You can start with a spreadsheet, but lightweight tools make the process easier:

  • Device inventory tools
  • Password managers (for account visibility)
  • Cloud dashboards (Microsoft 365, Google Workspace)
  • Backup dashboards

SQ Risk is happy to assist with identifying the business requirements and recommending the right-sized tools and solutions.


How This Fits Into Cyber-Hygiene

Cyber-hygiene starts with awareness. You can’t clean what you can’t see. By identifying your assets, accounts, and data, you lay the groundwork for every other security practice.


Key Takeaway

Visibility is the foundation of cybersecurity. When you know what you have — and what you don’t — you can protect your business with confidence, reduce risk, and respond faster when something goes wrong.


Ready to Strengthen Your Cyber-Hygiene?

If you’d like help assessing your current security posture, improving your cyber-hygiene practices, or building a Security-First culture, SQ Risk is here to support you.


Small Business Cyber Hygiene Series

A practical, step‑by‑step guide based on NIST CSF + CIS Controls IG1.

Start Here:

  1. Introduction: Why Cyber‑Hygiene Matters
  2. Know What You Have (Identify) (You are here)

Next Articles:

  3. Protect Access: Passwords, MFA, and Accounts
  4. Secure Your Devices: Updates & Endpoint Security
  5. Back Up What Matters: The 3‑2‑1 Rule
  6. Defend Your Inbox: Phishing & Email Security
  7. Monitor for Trouble: Detection Basics
  8. Respond Effectively: What To Do When Something Goes Wrong
  9. Recover Quickly: Getting Back to Normal
  10. Build a Security‑First Culture
  11. Bonus: Safe Use of AI for Small Businesses
  12. Cyber‑Hygiene Checklist: A One‑Page Summary