Cyber hygiene checklist
Cybersecurity is not a product you install once. It is a set of habits practiced daily, weekly, and monthly. This checklist covers the essential practices that prevent the vast majority of cyberattacks.
Every Day
Daily security habits
These five practices should become as automatic as locking your front door. They take minutes but prevent the majority of opportunistic attacks.
Lock your computer when stepping away
Press Windows+L on Windows or Ctrl+Command+Q on Mac every time you leave your desk, even for a moment. An unlocked workstation in an office, co-working space, or coffee shop gives anyone physical access to your email, files, and applications. As a backup, set your screensaver to activate and require a password after 5 minutes of inactivity.
Verify unexpected emails before clicking links or opening attachments
Pause before clicking any link or opening any attachment you did not expect. Verify the sender by checking the actual email address (not just the display name), looking for urgency pressure tactics, and confirming requests through a separate communication channel. Phishing emails are the number one entry point for cyberattacks.
Review login notifications and account alerts
Check security notifications from your email provider, banking apps, and cloud services. Investigate any login from an unfamiliar location or device immediately. Enable login notifications for all accounts that support them so you are alerted to unauthorized access in real time.
Use your password manager for every login
Never type passwords from memory or paste them from a sticky note. Use your password manager's auto-fill for every login. This ensures you use unique, strong passwords for each account and protects against phishing because the manager will not auto-fill on fake websites.
Disconnect from public Wi-Fi when not in use
If you connected to a public Wi-Fi network at a coffee shop or airport, disconnect when finished and forget the network to prevent automatic reconnection. Always use a VPN when on public networks. Disable auto-join for public Wi-Fi networks in your device settings.
Every Week
Weekly security checks
Set a recurring calendar reminder for these tasks. Consistency is what separates organizations that get breached from those that do not.
Install operating system and application updates
Check for and install updates on all devices: computers, phones, tablets, and routers. Security patches fix known vulnerabilities that attackers actively exploit. Enable automatic updates where possible, but verify weekly that updates are actually installing. Prioritize updates marked as critical or security-related.
Review recent account activity across critical accounts
Log into your email, banking, and cloud storage accounts and review the recent activity or login history. Look for logins from unfamiliar locations, devices you do not recognize, or times when you were not active. Most major services provide an activity dashboard in their security settings.
Verify backup completion
Check that your automated backups completed successfully this week. Open your backup software or cloud backup dashboard and confirm the most recent backup date, size, and status. Investigate any failed or incomplete backups immediately. A backup that is not running is the same as having no backup.
Clear browser data and review extensions
Clear cookies and cached data from your browsers to reduce tracking and remove potentially compromised session tokens. Review installed browser extensions and remove any you no longer use or do not recognize. Malicious browser extensions are a growing attack vector that can steal passwords and session cookies.
Check for unauthorized devices on your network
Review your router admin panel or use a network scanning tool to see all connected devices. Identify and investigate any device you do not recognize. Unauthorized devices on your network could be attackers who have compromised your Wi-Fi password or employees who connected personal devices without authorization.
Every Month
Monthly maintenance tasks
Monthly tasks require more time but address the deeper maintenance that keeps your security posture strong over time.
Run a full antivirus and malware scan
While real-time protection catches most threats, a scheduled full system scan can detect dormant malware, potentially unwanted programs (PUPs), and threats that may have evaded real-time detection. Run the scan overnight if it impacts performance. Review and address any findings immediately.
Review and revoke unused application permissions
Audit which third-party applications have access to your Google, Microsoft, Facebook, and other accounts. Revoke access for any applications you no longer use. Abandoned OAuth connections provide attackers a backdoor into your accounts if the third-party service is compromised.
Test a backup restoration
Select a few files or an entire system image and perform a test restore to verify your backups are working correctly. Over 30% of backup restore attempts fail. Discovering your backups are corrupted during a ransomware attack is the worst time to learn this. Document your test results.
Check for breached credentials
Visit haveibeenpwned.com or use your password manager's breach monitoring feature to check whether any of your email addresses or passwords have appeared in recent data breaches. Change any compromised passwords immediately and enable MFA on affected accounts.
Review user accounts and access permissions
For businesses: audit active user accounts in all systems. Disable accounts for departed employees, contractors whose projects have ended, and temporary accounts that are no longer needed. Review permission levels to ensure employees only have access to the resources required for their current role.
Update your emergency contacts and incident response plan
Verify that your incident response contacts are current: IT provider phone number, cyber insurance policy number, legal counsel, and key employee contacts. Ensure at least two people know how to access critical systems and recovery procedures. An incident at 2 AM is not the time to search for phone numbers.
Every Quarter
Quarterly deep dives
Quarterly reviews catch the issues that daily habits miss and ensure your security controls are keeping pace with evolving threats.
Conduct security awareness training
Review the latest phishing tactics, social engineering techniques, and security policies with your team. Use real examples of attacks targeting your industry. Run a simulated phishing exercise and track who clicks. Training is most effective when conducted regularly, not as a one-time annual event.
Review and update firewall rules
Audit your firewall configuration to remove rules that are no longer needed, tighten overly permissive rules, and ensure new services are properly protected. Stale firewall rules accumulate over time and create unintended access paths. Document every rule with its business justification.
Perform a vulnerability scan
Run an automated vulnerability scan against your external-facing systems and internal network. Prioritize remediation based on severity (CVSS score), exploitability, and asset criticality. Address critical and high vulnerabilities within 30 days and medium vulnerabilities within 90 days.
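The prioritization and deadlines above, turned into a small triage script as an added example that is not part of the original checklist. The finding fields, the tie-break order (severity, then exploitability, then asset criticality), and the sample findings are assumptions; the 30-day and 90-day windows come from the text, and the severity bands are the standard CVSS v3.x ratings.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows stated in the checklist; it sets none for low findings.
SLA_DAYS = {"critical": 30, "high": 30, "medium": 90}
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}


@dataclass
class Finding:
    ident: str               # scanner's finding id (constructed placeholders below)
    cvss: float              # CVSS v3.x base score
    exploit_available: bool  # assumption: scanner reports known exploitation
    asset_critical: bool     # assumption: taken from your asset inventory
    found: date


def severity(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    for floor, label in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if cvss >= floor:
            return label
    return "none"


def triage(findings, today):
    """Return (ident, severity, due, overdue) rows in fix-first order."""
    ordered = sorted(findings, key=lambda f: (
        RANK[severity(f.cvss)], not f.exploit_available, not f.asset_critical, -f.cvss))
    rows = []
    for f in ordered:
        sev = severity(f.cvss)
        days = SLA_DAYS.get(sev)
        due = f.found + timedelta(days=days) if days is not None else None
        rows.append((f.ident, sev, due, due is not None and due < today))
    return rows


# Constructed sample findings, not real scanner output.
SAMPLE = [
    Finding("F-2", 7.5, False, False, date(2024, 1, 2)),
    Finding("F-5", 3.1, False, False, date(2024, 1, 2)),
    Finding("F-1", 9.8, True, True, date(2024, 1, 2)),
    Finding("F-4", 5.3, False, False, date(2023, 10, 1)),
    Finding("F-3", 7.2, True, True, date(2024, 1, 10)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, today=date(2024, 2, 5)):
        print(row)
```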
Review cyber insurance coverage
Confirm your cyber insurance policy is current and that coverage limits are appropriate for your risk profile. Review policy exclusions and requirements, as many policies now mandate specific security controls like MFA, EDR, and encrypted backups. Non-compliance with policy requirements can result in denied claims.