Cybersecurity Best Practices Checklist
Provided by DTC Inc. | Reviewed Annually | Version 1.0 — March 2026
This checklist outlines the cybersecurity practices DTC recommends and, where applicable, actively enforces for all managed clients. Use it to assess your organization's current posture and identify gaps. If you have questions about any item, contact your DTC account team.
🔐 Identity & Access Control
These controls protect who can log into your systems and what they can access.
| # | Practice | Why It Matters |
|---|---|---|
| 1 | Multi-Factor Authentication (MFA) enabled for all users | Stops 99%+ of password-based attacks — even if a password is stolen, attackers can't log in without the second factor |
| 2 | MFA enabled for all administrators | Admin accounts are the highest-value targets; standard MFA is a minimum requirement |
| 3 | No shared user accounts | Shared accounts prevent accountability and make it impossible to detect or contain a breach |
| 4 | Departing employees are offboarded within 24 hours | Former employees retain access until accounts are disabled — one of the most common and preventable breach vectors |
| 5 | Privileged/admin access limited to only those who need it | Least-privilege principle — reducing the number of admin accounts reduces the blast radius of any single compromise |
| 6 | Password manager in use across the organization | Enables strong, unique passwords per account without requiring users to remember them |
| 7 | No passwords stored in browsers on shared or unmanaged devices | Browser-saved passwords are easily extracted from an infected machine |
💻 Endpoint Security
These controls protect the computers, laptops, and servers your team uses every day.
| # | Practice | Why It Matters |
|---|---|---|
| 8 | Endpoint Detection and Response (EDR) deployed on all devices | EDR detects malicious activity that traditional antivirus misses — including ransomware, credential theft, and lateral movement |
| 9 | Operating system and software kept current (patching) | The majority of ransomware attacks exploit known vulnerabilities that had patches available |
| 10 | Full disk encryption enabled (BitLocker / FileVault) | If a laptop is lost or stolen, encrypted drives cannot be read without the recovery key |
| 11 | Personally owned (BYOD) devices not used for business without controls | Unmanaged devices bypass all security tooling and create an uncontrolled access path |
| 12 | Screen lock enforced after inactivity | Prevents physical access to an unlocked device in an office, hotel, or coffee shop |
📧 Email Security
Email is the #1 initial attack vector for phishing, ransomware delivery, and business email compromise (BEC).
| # | Practice | Why It Matters |
|---|---|---|
| 13 | Anti-phishing and anti-malware email filtering active | Filters malicious links and attachments before they reach users' inboxes |
| 14 | SPF, DKIM, and DMARC configured on your domain | Prevents attackers from sending email that appears to come from your domain — critical for BEC prevention |
| 15 | External email warning banners enabled | Visually flags emails from outside your organization, helping users spot impersonation attempts |
| 16 | Finance and executive wire/payment requests require verbal verification | BEC attacks specifically target payment workflows — a phone call policy stops them cold |
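Item 14 can be verified from a domain's public DNS TXT records. The script below is an added example (not DTC's tooling) that flags the weak SPF and DMARC settings most often found during a posture review; it uses constructed record strings in place of live DNS answers so it runs offline, and the `mailprovider.example` / `example.test` names are placeholders.

```python
# Added example (not DTC tooling): offline posture check for the SPF and DMARC TXT records
# behind checklist item 14. Inputs are constructed strings standing in for the TXT answers
# of the domain itself (SPF) and of _dmarc.<domain> (DMARC).
import re

# Mechanisms that each consume one of the 10 DNS lookups SPF allows (RFC 7208 s.4.6.4).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1 (no SPF in effect)"]
    findings, lookups, final, redirected = [], 0, None, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        lookups += int(name in LOOKUP_MECHANISMS)
        redirected = redirected or name == "redirect"
        if name == "all":
            final = qualifier  # the qualifier on 'all' decides unlisted senders
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    if final in ("+", "?"):
        findings.append(f"SPF: '{final}all' lets any sender pass; use -all")
    elif final is None and not redirected:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected; add -all")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: no valid v=DMARC1 record (spoofing policy not published)"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; receivers will ignore the record")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never collected")
    return findings

# Constructed records for a fictional domain, not real DNS data.
WEAK_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test"
```

Run `check_spf` and `check_dmarc` against the TXT records your DNS provider shows for the domain and for `_dmarc.<domain>`; an empty list from both is the posture item 14 asks for.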
🌐 Network Security
These controls protect traffic entering and leaving your network.
| # | Practice | Why It Matters |
|---|---|---|
| 17 | DNS filtering active on all devices | Blocks connections to known malicious domains — stops malware from phoning home even if it executes |
| 18 | Guest Wi-Fi network separated from business network | Visitors and personal devices should never share a network with business systems and data |
| 19 | Remote access limited to approved methods only | Unsanctioned remote access tools (AnyDesk, TeamViewer installed by users) are a common ransomware entry point |
| 20 | Firewall active with default-deny outbound rules | Restricts what internal devices can communicate with externally, containing compromised systems |
🗄️ Backup & Recovery
Backups are your last line of defense. Without tested, isolated backups, a ransomware attack can be catastrophic.
| # | Practice | Why It Matters |
|---|---|---|
| 21 | Regular automated backups of all critical data | Manual backups are inconsistent and frequently missed — automation ensures continuity |
| 22 | Backups stored in a separate, isolated location (offsite or cloud) | Ransomware actively targets and encrypts backup locations — isolation prevents total data loss |
| 23 | Backup restoration tested at least annually | An untested backup is not a backup — restoration failures are discovered at the worst possible time |
| 24 | Backup credentials are separate from primary environment credentials | If your primary admin account is compromised, backup access should remain intact |
🎓 Security Awareness & Training
People are both the most common attack vector and one of the most effective defenses.
| # | Practice | Why It Matters |
|---|---|---|
| 25 | Security awareness training completed by all staff annually | Phishing and social engineering attacks rely on untrained users — training measurably reduces click rates |
| 26 | Simulated phishing campaigns run regularly | Simulations identify high-risk users who need additional coaching before a real attack occurs |
| 27 | Employees know how to report a suspicious email or incident | Fast reporting reduces attacker dwell time — the faster IT is notified, the faster containment begins |
| 28 | New employee security training included in onboarding | Security habits form early — onboarding is the right time to establish expectations |
📋 Policies & Compliance
Documented policies create accountability and defensibility — especially after an incident.
| # | Practice | Why It Matters |
|---|---|---|
| 29 | Acceptable Use Policy (AUP) in place and signed by all staff | Establishes what is and isn't permitted on company devices and networks |
| 30 | Incident response contact and procedure communicated to all staff | Everyone should know who to call and what to do in the first 15 minutes of a suspected incident |
| 31 | Cyber liability insurance policy active | Covers breach response costs, notification expenses, legal fees, and business interruption |
| 32 | Software and vendor inventory maintained | You can't protect what you don't know you have — inventory is the foundation of asset security |
✅ How DTC Helps You Meet These Controls
DTC's managed services stack is specifically designed to cover the majority of this checklist automatically. Here's how our core offerings map:
| DTC Service | Checklist Items Covered |
|---|---|
| Blackpoint Cyber MDR (EDR + SOC) | #8 — 24/7 endpoint and identity monitoring with active response |
| Microsoft 365 + Entra ID (MFA/SSO) | #1, #2, #3, #5 — Identity, MFA, and access control |
| NinjaOne RMM (Patching + Monitoring) | #9, #12 — Automated patch management and endpoint health |
| DNSFilter | #17 — DNS-layer threat blocking |
| Microsoft Defender for Office 365 | #13, #14, #15 — Email filtering, anti-phishing, safe links |
| NinjaOne Backup / Veeam | #21, #22, #23, #24 — Managed, isolated, tested backups |
| Huntress Security Awareness Training | #25, #26, #27, #28 — Phishing simulations and training |
| BitLocker Management (via Intune) | #10 — Enforced full disk encryption |
| Cloudflare ZTNA | #19, #20 — Zero trust remote access, replaces VPN |
| DTC Onboarding/Offboarding SOP | #4, #7 — Standardized account lifecycle management |
📞 Questions about your current security posture? Contact DTC at support@dtctoday.com or submit a ticket through the DTC Client Portal.