
Cybersecurity Best Practices Checklist

This Cybersecurity Best Practices Checklist is provided by DTC Inc. | Reviewed annually | Version 1.0 — March 2026

This checklist outlines the cybersecurity practices DTC recommends and, where applicable, actively enforces for all managed clients. Use it to assess your organization's current posture and identify gaps. If you have questions about any item, contact your DTC account team.


🔐 Identity & Access Control

These controls protect who can log into your systems and what they can access.

1. Multi-Factor Authentication (MFA) enabled for all users
   Why it matters: Stops 99%+ of password-based attacks — even if a password is stolen, attackers can't log in without the second factor
2. MFA enabled for all administrators
   Why it matters: Admin accounts are the highest-value targets; standard MFA is a minimum requirement
3. No shared user accounts
   Why it matters: Shared accounts prevent accountability and make it impossible to detect or contain a breach
4. Departing employees are offboarded within 24 hours
   Why it matters: Former employees retain access until accounts are disabled — one of the most common and preventable breach vectors
5. Privileged/admin access limited to only those who need it
   Why it matters: Least-privilege principle — reducing the number of admin accounts reduces the blast radius of any single compromise
6. Password manager in use across the organization
   Why it matters: Enables strong, unique passwords per account without requiring users to remember them
7. No passwords stored in browsers on shared or unmanaged devices
   Why it matters: Browser-saved passwords are easily extracted from an infected machine

💻 Endpoint Security

These controls protect the computers, laptops, and servers your team uses every day.

8. Endpoint Detection and Response (EDR) deployed on all devices
   Why it matters: EDR detects malicious activity that traditional antivirus misses — including ransomware, credential theft, and lateral movement
9. Operating system and software kept current (patching)
   Why it matters: The majority of ransomware attacks exploit known vulnerabilities for which patches were already available
10. Full disk encryption enabled (BitLocker / FileVault)
    Why it matters: If a laptop is lost or stolen, encrypted drives cannot be read without the recovery key
11. Personally owned (BYOD) devices not used for business without controls
    Why it matters: Unmanaged devices bypass all security tooling and create an uncontrolled access path
12. Screen lock enforced after inactivity
    Why it matters: Prevents physical access to an unlocked device in an office, hotel, or coffee shop

📧 Email Security

Email is the #1 initial attack vector for phishing, ransomware delivery, and business email compromise (BEC).

13. Anti-phishing and anti-malware email filtering active
    Why it matters: Filters malicious links and attachments before they reach users' inboxes
14. SPF, DKIM, and DMARC configured on your domain
    Why it matters: Prevents attackers from sending email that appears to come from your domain — critical for BEC prevention
15. External email warning banners enabled
    Why it matters: Visually flags emails from outside your organization, helping users spot impersonation attempts
16. Finance and executive wire/payment requests require verbal verification
    Why it matters: BEC attacks specifically target payment workflows — a phone call policy stops them cold, but only if the call goes to a number obtained from a known, trusted source. Do NOT rely on phone numbers listed in the email message or signature block; those are most likely fake.
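A quick way to check the SPF and DMARC half of item 14 on a domain: the script below is an added example, not DTC's tooling or part of the original checklist. It scores records the way a reviewer would (SPF must end in a hard fail, DMARC must quarantine or reject and collect reports), runs on constructed sample records rather than live DNS lookups, and does not check DKIM because selector names are not discoverable from the domain alone.

```python
import re

# Constructed sample TXT records standing in for DNS lookups (illustrative, not real).
STRONG_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
WEAK_TXT = {
    "example.org": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.org": ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
}

def find_spf(records):
    """Return the domain's SPF record, or None if absent or duplicated (RFC 7208 allows one)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; None if not a DMARC record."""
    if not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt):
    """Return findings for item 14; an empty list means SPF and DMARC both enforce."""
    findings = []
    spf = find_spf(txt.get(domain, []))
    if spf is None:
        findings.append("SPF: record missing or duplicated")
    else:
        # The qualifier on the 'all' mechanism decides what happens to unlisted senders.
        alls = [t.lower() for t in spf.split() if re.fullmatch(r"[-~+?]?all", t, re.I)]
        qualifier = alls[0] if alls else None
        if qualifier != "-all":
            findings.append(f"SPF: uses '{qualifier}', expected '-all' so unlisted senders hard-fail")
    dmarc = next((d for d in map(parse_dmarc, txt.get(f"_dmarc.{domain}", [])) if d), None)
    if dmarc is None:
        findings.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy} only monitors; it does not block spoofed mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    return findings
```

To run it against a real domain, replace the sample dictionaries with the TXT records returned by your DNS resolver for the domain and its _dmarc subdomain.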

🌐 Network Security

These controls protect traffic entering and leaving your network.

17. DNS filtering active on all devices
    Why it matters: Blocks connections to known malicious domains — stops malware from phoning home even if it executes
18. Guest Wi-Fi network separated from business network
    Why it matters: Visitors and personal devices should never share a network with business systems and data
19. Remote access limited to approved methods only, and to approved users only
    Why it matters: Unsanctioned remote access tools (for example AnyDesk or TeamViewer installed by users) are a common ransomware entry point
20. Firewall active with default-deny outbound rules
    Why it matters: Restricts what internal devices can communicate with externally, containing compromised systems

🗄️ Backup & Recovery

Backups are your last line of defense. Without tested, isolated backups, a ransomware attack can be catastrophic.

21. Regular automated backups of all critical data
    Why it matters: Manual backups are inconsistent and frequently missed — automation ensures continuity
22. Backups stored in a separate, isolated location (offsite or cloud)
    Why it matters: Ransomware actively targets and encrypts backup locations — isolation prevents total data loss
23. Backup restoration tested at least annually
    Why it matters: An untested backup is not a backup — restoration failures are discovered at the worst possible time
24. Backup credentials are separate from primary environment credentials
    Why it matters: If your primary admin account is compromised, backup access should remain intact

🎓 Security Awareness & Training

People are both the most common attack vector and one of the most effective defenses.

25. Security awareness training completed by all staff annually
    Why it matters: Phishing and social engineering attacks rely on untrained users — training measurably reduces click rates
26. Simulated phishing campaigns run regularly
    Why it matters: Simulations identify high-risk users who need additional coaching before a real attack occurs
27. Employees know how to report a suspicious email or incident
    Why it matters: Fast reporting reduces attacker dwell time — the faster IT is notified, the faster containment begins
28. New employee security training included in onboarding
    Why it matters: Security habits form early — onboarding is the right time to establish expectations

📋 Policies & Compliance

Documented policies create accountability and defensibility — especially after an incident.

29. Acceptable Use Policy (AUP) in place and signed by all staff
    Why it matters: Establishes what is and isn't permitted on company devices and networks
30. Incident response contact and procedure communicated to all staff
    Why it matters: Everyone should know who to call and what to do in the first 15 minutes of a suspected incident
31. Cyber liability insurance policy active
    Why it matters: Covers breach response costs, notification expenses, legal fees, and business interruption
32. Software and vendor inventory maintained
    Why it matters: You can't protect what you don't know you have — inventory is the foundation of asset security

✅ How DTC Helps You Meet These Controls

DTC's managed services stack is specifically designed to cover the majority of this checklist automatically. Here's how our core offerings map:

DTC service and the checklist items it covers:

- Blackpoint Cyber MDR (EDR + SOC): #8 — 24/7 endpoint and identity monitoring with active response
- Microsoft 365 + Entra ID (MFA/SSO): #1, #2, #3, #5 — Identity, MFA, and access control
- NinjaOne RMM (Patching + Monitoring): #9, #12 — Automated patch management and endpoint health
- DNSFilter: #17 — DNS-layer threat blocking
- Microsoft Defender for Office 365: #13, #14, #15 — Email filtering, anti-phishing, safe links
- NinjaOne Backup / Veeam: #21, #22, #23, #24 — Managed, isolated, tested backups
- Huntress Security Awareness Training: #25, #26, #27, #28 — Phishing simulations and training
- BitLocker Management (via Intune): #10 — Enforced full disk encryption
- Cloudflare ZTNA: #19, #20 — Zero trust remote access, replaces VPN
- DTC Onboarding/Offboarding SOP: #4, #7 — Standardized account lifecycle management

📣 How DTC Keeps Clients Informed on Cybersecurity

Beyond deploying and managing security tools, DTC actively educates clients through three ongoing channels:

🔑 Client Onboarding — Security Findings Review

Every new client onboarding includes a review of security-relevant findings specific to their environment. DTC technicians document and walk through identified gaps, misconfigurations, or risks discovered during the onboarding assessment, and provide prioritized recommendations for remediation. This ensures clients understand their starting posture and have a clear roadmap from day one.

📱 Social Media — Ongoing Security Awareness

DTC maintains an active social media presence where we regularly publish cybersecurity best practices, threat advisories, and practical guidance written for business owners and non-technical staff. Topics covered include phishing awareness, password hygiene, scam trends, ransomware prevention tips, and timely alerts around emerging threats. Follow DTC on our social channels to stay current between service touchpoints.

🎤 DTC Client Events — In-Person Security Education

DTC hosts local events that clients can optionally attend, covering security-relevant topics in an accessible, conversational format. These sessions are designed to help business owners and their teams understand the threat landscape, ask questions directly, and learn practical steps they can take to improve their security posture. Event topics are updated regularly to reflect current threats and client needs. Watch for announcements through your DTC account team or our social media channels.


📞 Questions about your current security posture? Contact DTC at support@dtctoday.com or submit a ticket through the DTC Client Portal.