Q1 is when most businesses run their annual reviews auditing vendors, revisiting budgets, setting goals for the year ahead. It feels productive. And in a lot of ways, it is.
But here’s what most business owners don’t account for: Q1 review cycles create predictable gaps. Attention shifts inward. IT tickets pile up. Security patches get delayed. And by the time Q2 arrives, those gaps are sitting wide open.
Cybercriminals follow business calendars too. They know when organizations are distracted and they plan accordingly.
Before Q2 gets away from you, run through this checklist. It covers the fundamentals that actually prevent incidents, not just the ones that look good in a compliance report.
The Q2 Cybersecurity Checklist for Chicago Businesses
1. Firewall Rules, Reviewed and Current
Your firewall is your first line of defense, but it’s only effective if it reflects your current environment. Rules that made sense two years ago may now be leaving ports open that have no business being accessible.
What to check: Review active rules and remove anything outdated. Confirm your firewall firmware is current. If you’re not sure when it was last audited, that’s your answer, it’s overdue.
2. Software Patching No Gaps in Coverage
Unpatched software is the most common entry point for ransomware and malware attacks. The vulnerability that led to a major breach is often a patch that was available for weeks before the attack.
What to check: Confirm that all operating systems, browsers, and third-party applications are current across every device in your environment, including remote and hybrid workers’ machines. If patching is happening manually or inconsistently, that’s a gap.
3. Multi-Factor Authentication Enforced, Not Optional
Passwords get compromised. MFA is the control that limits the damage when they do. Yet many small businesses still have critical systems email, accounting software, remote access protected by a password alone.
What to check: MFA should be active on email (Microsoft 365 or Google Workspace), VPN and remote access tools, financial platforms, and any application containing client or employee data. “We offer it but don’t require it” is not the same as having it.
4. Phishing Awareness Training Done in the Last 90 Days
Technology stops a lot of attacks. Humans let the rest through. Phishing remains the leading cause of data breaches, and the tactics are evolving AI-generated emails now look far more convincing than the old “Nigerian prince” variety.
What to check: Has your team gone through phishing awareness training in the last quarter? If you’re relying on a once-a-year session, you’re not keeping pace with how fast these tactics change. Simulated phishing tests are one of the most effective ways to identify who needs additional coaching before an attacker does it for you.
5. Incident Response Plan, Written Down and Tested
If a breach happened tomorrow, does your team know what to do in the first hour? Who gets called? What gets shut down? Who notifies clients or regulators?
Most small businesses don’t have a written incident response plan. Fewer still have tested it. For law firms under state bar obligations and financial services firms with regulatory reporting requirements, this isn’t optional it’s a liability.
What to check: A basic incident response plan should cover: how to contain a breach, internal communication steps, client and regulatory notification procedures, and who has decision-making authority. If it doesn’t exist yet, Q2 is the time to build it.
6. Vendor and Third-Party Access Audited
Your security is only as strong as the weakest access point in your environment. Third-party vendors, contractors, and software integrations that have lingering access to your systems represent risk you may not be tracking.
What to check: Review which vendors have access to your network or data. Revoke anything that’s no longer active. Confirm that vendor access follows the principle of least privilege, they should only see what they need to do their job.
7. Backup Systems Tested, Not Just Running
Backups that haven’t been tested are assumptions, not protection. Ransomware attacks frequently target backup systems specifically because attackers know a working backup is the fastest path to recovery.
What to check: When was the last time your backups were actually restored in a test environment? Confirm backups are encrypted, stored offsite or in a secure cloud environment, and verified on a regular schedule not just assumed to be working.
A Note for Law Firms and Financial Services Firms
The stakes on this checklist are higher for regulated industries. Illinois attorneys have professional obligations around client data security. Financial services firms face federal and state-level data protection requirements that carry real penalties.
Running through this checklist isn’t just good practice for these businesses, it’s part of meeting the standard of care your clients and regulators expect. If your current IT provider isn’t proactively helping you stay ahead of these requirements, that’s worth examining.
CMIT Solutions Chicago: Cybersecurity You Don’t Have to Think About
Jeremy Treister and the CMIT Solutions Chicago team have been protecting Chicago businesses since 2008 and in 17+ years serving 200+ clients across the city, we have maintained a zero client data breaches record.
Our cybersecurity services include firewall management, automated patching, MFA deployment, phishing awareness training, managed detection and response, and incident response planning the full stack, managed for you, so your team can stay focused on the work that actually matters.
Q2 is closer than it looks. Let’s make sure your business is ready for it.
Schedule a free cybersecurity consultation with CMIT Solutions Chicago →
CMIT Solutions Chicago provides cybersecurity services, managed IT, and help desk support to small and mid-sized businesses across Chicago. Serving law firms, financial services companies, nonprofits, and more since 2008.
