Cybersecurity Checklist

We’ve created this simple cybersecurity checklist to help you build a strong foundation.

Download PDF (optional)

If you’d like to download this checklist as a PDF, complete the form below.

Asset management

  • You can’t protect what you don’t know you have.
  • Assets means equipment, software, and services.
    • What information can they access, store, and share?


  • You MUST assume your systems will fail:
    • Hardware failure
    • Data corruption
    • User error
    • Cyber-attack
  • Backups must ensure you have a working copy of all data AND system configurations to recover for a partial to total system failure.
  • Backups must be protected against destructive attacks, such as ransomware.

Passwords & authentication

  • Passwords are one of the easiest ways for criminals to gain access to a system.
  • Users often share passwords, and use the same password for multiple purposes.
  • You should provide tools such as password managers to ensure passwords are long, and not re-used.
  • Enable multi-factor authentication wherever possible for added protection.

Patch management

  • Using the inventory from the Asset management process, ensure all operating systems and applications perform regular updates.
  • Don’t assume automatic updates work, or that patch management tools work 100% of the time. Validate the results.
  • To ensure ongoing access to updates, you must budget (and renew) maintenance contracts for all systems and applications.

Access control & authorization

  • Assume that user and system accounts will get compromised. To slow down an attack, you should minimize what each account can access, using a principle called “least privilege”. Only give minimal access to applications and the information someone needs to do their job.
  • Ensure everyone has a distinct account, and their privileges match their role.

Implement protection tools

  • This is intentionally vague as it needs to fit many situations. With the help of a cyber expert, identify technology that can minimize known attacks against your assets and information.
  • Protection, or preventive technologies include antimalware, firewalls, proxies, email gateways, etc.

Encrypt your data

  • Encryption prevents unauthorized access to information and can be applied to data at rest and in transit.
  • Enabling encryption requires planning and should be done by professionals with expertise in the systems to which it will be enabled.

Secure Cloud services and providers

  • Cloud services vary greatly, as well as the acronyms: IaaS, PaaS, SaaS. The difference in each “as a Service” revolves around the roles and responsibilities between your organization and the service provider. Typically, more control you have, the more responsibility you have for security.
  • For critical services, ensure providers can share a SOC2 Type II, or similar security attestation. Also confirm the attestation was performed by a reputable CPA firm, or trusted third-party.
  • When personal information will be stored in the Cloud, ensure it meets all required regulations. For example, using European customer data must comply with GDPR.

Perform constant monitoring

  • Our systems are always connected to the internet, which means criminals can prepare, scan, and launch attacks at any time.
  • We cannot assume our systems are safe at all times. For this reason, we must continuously monitor for anomalies and malicious activities that could slip past our layers of protection.
  • On a positive note, the more you know about your environment, and the more your business is process-oriented, the easier it becomes to identify anomalies and malicious activities.

Create an incident response plan

  • Having backups and knowing how to restore systems is only a small part of a response plan. If your organization has a business continuity plan (BCP), that can be used as a starting point to discuss cyber threats, and their impact on the business, partners, and your customers.
  • It’s important to test incident response plans, which can be done through tabletop exercise, or through more elaborate technical simulations. The important outcomes are to ensure your team knows how to respond, as well as what to communicate to whom.