Skip to main content

Cybersecurity Best Practices Checklist

Cybersecurity Best Practices Checklist

Provided by DTC Inc. | Reviewed Annually | Version 1.0 β€” March 2026

This checklist outlines the cybersecurity practices DTC recommends and, where applicable, actively enforces for all managed clients. Use it to assess your organization's current posture and identify gaps. If you have questions about any item, contact your DTC account team.

πŸ” Identity & Access Control

These controls protect who can log into your systems and what they can access.

\#PracticeWhy It Matters
1**Multi-Factor Authentication (MFA) enabled for all usersusers**Stops 99%+ of password-based attacks β€” even if a password is stolen, attackers can't log in without the second factor 2**MFA enabled for all administratorsadministrators**Admin accounts are the highest-value targets; standard MFA is a minimum requirement 3**No shared user accountsaccounts**Shared accounts prevent accountability and make it impossible to detect or contain a breach 4**Departing employees are offboarded within 24 hourshours**Former employees retain access until accounts are disabled β€” one of the most common and preventable breach vectors 5**Privileged/admin access limited to only those who need itit**Least-privilege principle β€” reducing the number of admin accounts reduces blast radius of any single compromise 6**Password manager in use across the organizationorganization**Enables strong, unique passwords per account without requiring users to remember them 7**No passwords stored in browsers on shared or unmanaged devicesdevices**Browser-saved passwords are easily extracted from an infected machine

πŸ’» Endpoint Security

These controls protect the computers, laptops, and servers your team uses every day.

\#PracticeWhy It Matters
8**Endpoint Detection and Response (EDR) deployed on all devicesdevices**EDR detects malicious activity that traditional antivirus misses β€” including ransomware, credential theft, and lateral movement 9**Operating system and software kept current (patching)**The majority of ransomware attacks exploit known vulnerabilities that had patches available 10**Full disk encryption enabled (BitLocker / FileVault)**If a laptop is lost or stolen, encrypted drives cannot be read without the recovery key 11**Personally-owned (BYOD) devices not used for business without controlscontrols**Unmanaged devices bypass all security tooling and create an uncontrolled access path 12**Screen lock enforced after inactivityinactivity**Prevents physical access to an unlocked device in an office, hotel, or coffee shop

πŸ“§ Email Security

Email is the #1 initial attack vector for phishing, ransomware delivery, and business email compromise (BEC).

\#PracticeWhy It Matters
13**Anti-phishing and anti-malware email filtering activeactive**Filters malicious links and attachments before they reach users' inboxes 14**SPF, DKIM, and DMARC configured on your domaindomain**Prevents attackers from sending email that appears to come from your domain β€” critical for BEC prevention 15**External email warning banners enabledenabled**Visually flags emails from outside your organization, helping users spot impersonation attempts 16**Finance and executive wire/payment requests require verbal verificationverification**BEC attacks specifically target payment workflows β€” a phone call policy stops them cold

🌐 Network Security

These controls protect traffic entering and leaving your network.

\#PracticeWhy It Matters
17**DNS filtering active on all devicesdevices**Blocks connections to known malicious domains β€” stops malware from phoning home even if it executes 18**Guest Wi-Fi network separated from business networknetwork**Visitors and personal devices should never share a network with business systems and data 19**Remote access limited to approved methods onlyonly**Unsanctioned remote access tools (AnyDesk, TeamViewer installed by users) are a common ransomware entry point 20**Firewall active with default-deny outbound rulesrules**Restricts what internal devices can communicate with externally, containing compromised systems

πŸ—„οΈ Backup & Recovery

Backups are your last line of defense. Without tested, isolated backups, a ransomware attack can be catastrophic.

\#PracticeWhy It Matters
21**Regular automated backups of all critical datadata**Manual backups are inconsistent and frequently missed β€” automation ensures continuity 22**Backups stored in a separate, isolated location (offsite or cloud)**Ransomware actively targets and encrypts backup locations β€” isolation prevents total data loss 23**Backup restoration tested at least annuallyannually**An untested backup is not a backup β€” restoration failures are discovered at the worst possible time 24**Backup credentials are separate from primary environment credentialscredentials**If your primary admin account is compromised, backup access should remain intact

πŸŽ“ Security Awareness & Training

People are both the most common attack vector and one of the most effective defenses.

\#PracticeWhy It Matters
25**Security awareness training completed by all staff annuallyannually**Phishing and social engineering attacks rely on untrained users β€” training measurably reduces click rates 26**Simulated phishing campaigns run regularlyregularly**Simulations identify high-risk users who need additional coaching before a real attack occurs 27**Employees know how to report a suspicious email or incidentincident**Fast reporting reduces attacker dwell time β€” the faster IT is notified, the faster containment begins 28**New employee security training included in onboardingonboarding**Security habits form early β€” onboarding is the right time to establish expectations

πŸ“‹ Policies & Compliance

Documented policies create accountability and defensibility β€” especially after an incident.

\#PracticeWhy It Matters
29**Acceptable Use Policy (AUP) in place and signed by all staffstaff**Establishes what is and isn't permitted on company devices and networks 30**Incident response contact and procedure communicated to all staffstaff**Everyone should know who to call and what to do in the first 15 minutes of a suspected incident 31**Cyber liability insurance policy activeactive**Covers breach response costs, notification expenses, legal fees, and business interruption 32**Software and vendor inventory maintainedmaintained**You can't protect what you don't know you have β€” inventory is the foundation of asset security

βœ… How DTC Helps You Meet These Controls

DTC's managed services stack is specifically designed to cover the majority of this checklist automatically. Here's how our core offerings map:

DTC ServiceChecklist Items Covered
Blackpoint Cyber MDR (EDR + SOC)#8 β€” 24/7 endpoint and identity monitoring with active response
Microsoft 365 + Entra ID (MFA/SSO)#1, #2, #3, #5 β€” Identity, MFA, and access control
NinjaOne RMM (Patching + Monitoring)#9, #12 β€” Automated patch management and endpoint health
DNSFilter#17 β€” DNS-layer threat blocking
Microsoft Defender for Office 365#13, #14, #15 β€” Email filtering, anti-phishing, safe links
NinjaOne Backup / Veeam#21, #22, #23, #24 β€” Managed, isolated, tested backups
Huntress Security Awareness Training#25, #26, #27, #28 β€” Phishing simulations and training
BitLocker Management (via Intune)#10 β€” Enforced full disk encryption
Cloudflare ZTNA#19, #20 β€” Zero trust remote access, replaces VPN
DTC Onboarding/Offboarding SOP#4, #7 β€” Standardized account lifecycle management

πŸ“£ How DTC Keeps Clients Informed on Cybersecurity

Beyond deploying and managing security tools, DTC actively educates clients through three ongoing channels:

πŸ”‘ Client Onboarding β€” Security Findings Review

Every new client onboarding includes a review of security-relevant findings specific to their environment. DTC technicians document and walk through identified gaps, misconfigurations, or risks discovered during the onboarding assessment, and provide prioritized recommendations for remediation. This ensures clients understand their starting posture and have a clear roadmap from day one.

πŸ“± Social Media β€” Ongoing Security Awareness

DTC maintains an active social media presence where we regularly publish cybersecurity best practices, threat advisories, and practical guidance written for business owners and non-technical staff. Topics covered include phishing awareness, password hygiene, scam trends, ransomware prevention tips, and timely alerts around emerging threats. Follow DTC on our social channels to stay current between service touchpoints.

🎀 DTC Client Events β€” In-Person Security Education

DTC hosts local events that clients can optionally attend, covering security-relevant topics in an accessible, conversational format. These sessions are designed to help business owners and their teams understand the threat landscape, ask questions directly, and learn practical steps they can take to improve their security posture. Event topics are updated regularly to reflect current threats and client needs. Watch for announcements through your DTC account team or our social media channels.

πŸ“ž Questions about your current security posture? Contact DTC at support@dtctoday.com or submit a ticket through the DTC Client Portal.

DTC's managed services stack is specifically designed to cover the majority of this checklist automatically. Here's how our core offerings map:

DTC ServiceChecklist Items Covered
**Blackpoint Cyber MDR (EDR + SOC)**\#8 β€” 24/7 endpoint and identity monitoring with active response
**Microsoft 365 + Entra ID (MFA/SSO)**\#1, #2, #3, #5 β€” Identity, MFA, and access control
**NinjaOne RMM (Patching + Monitoring)**\#9, #12 β€” Automated patch management and endpoint health
**DNSFilter**\#17 β€” DNS-layer threat blocking
**Microsoft Defender for Office 365**\#13, #14, #15 β€” Email filtering, anti-phishing, safe links
**NinjaOne Backup / Veeam**\#21, #22, #23, #24 β€” Managed, isolated, tested backups
**Huntress Security Awareness Training**\#25, #26, #27, #28 β€” Phishing simulations and training
**BitLocker Management (via Intune)**\#10 β€” Enforced full disk encryption
**Cloudflare ZTNA**\#19, #20 β€” Zero trust remote access, replaces VPN
**DTC Onboarding/Offboarding SOP**\#4, #7 β€” Standardized account lifecycle management

πŸ“ž Questions about your current security posture?Β Contact DTC at support@dtctoday.comΒ or submit a ticket through the DTC Client Portal.

Back to top