Cybersecurity Best Practices Checklist
This Cybersecurity Best Practices Checklist is Provided by DTC Inc. | Reviewed Annually | Version 1.0 — March 2026

This checklist outlines the cybersecurity practices DTC recommends and, where applicable, actively enforces for all managed clients. Use it to assess your organization's current posture and identify gaps. If you have questions about any item, contact your DTC account team.

🔐 Identity & Access Control

These controls protect who can log into your systems and what they can access.

| # | Practice | Why It Matters |
|---|---|---|
| 1 | Multi-Factor Authentication (MFA) enabled for all users | Stops 99%+ of password-based attacks — even if a password is stolen, attackers can't log in without the second factor |
| 2 | MFA enabled for all administrators | Admin accounts are the highest-value targets; standard MFA is a minimum requirement |
| 3 | No shared user accounts | Shared accounts prevent accountability and make it impossible to detect or contain a breach |
| 4 | Departing employees are offboarded within 24 hours | Former employees retain access until their accounts are disabled — one of the most common and preventable breach vectors |
| 5 | Privileged/admin access limited to only those who need it | Least-privilege principle — reducing the number of admin accounts reduces the blast radius of any single compromise |
| 6 | Password manager in use across the organization | Enables strong, unique passwords for every account without requiring users to remember them |
| 7 | No passwords stored in browsers on shared or unmanaged devices | Browser-saved passwords are easily extracted from an infected machine |

💻 Endpoint Security

These controls protect the computers, laptops, and servers your team uses every day.

| # | Practice | Why It Matters |
|---|---|---|
| 8 | Endpoint Detection and Response (EDR) deployed on all devices | EDR detects malicious activity that traditional antivirus misses — including ransomware, credential theft, and lateral movement |
| 9 | Operating system and software kept current (patching) | The majority of ransomware attacks exploit known vulnerabilities for which patches were already available |
| 10 | Full disk encryption enabled (BitLocker / FileVault) | If a laptop is lost or stolen, an encrypted drive cannot be read without the recovery key |
| 11 | Personally owned (BYOD) devices not used for business without controls | Unmanaged devices bypass all security tooling and create an uncontrolled access path |
| 12 | Screen lock enforced after inactivity | Prevents physical access to an unlocked device in an office, hotel, or coffee shop |

📧 Email Security

Email is the #1 initial attack vector for phishing, ransomware delivery, and business email compromise (BEC).

| # | Practice | Why It Matters |
|---|---|---|
| 13 | Anti-phishing and anti-malware email filtering active | Filters malicious links and attachments before they reach users' inboxes |
| 14 | SPF, DKIM, and DMARC configured on your domain | Prevents attackers from sending email that appears to come from your domain — critical for BEC prevention |
| 15 | External email warning banners enabled | Visually flags emails from outside your organization, helping users spot impersonation attempts |
| 16 | Finance and executive wire/payment requests require verbal verification | BEC attacks specifically target payment workflows — a phone call policy stops them cold. You MUST verify using a phone number from a known source. Do NOT rely on phone numbers listed in the email message or signature block; those are most likely fake. |

🌐 Network Security

These controls protect traffic entering and leaving your network.

| # | Practice | Why It Matters |
|---|---|---|
| 17 | DNS filtering active on all devices | Blocks connections to known malicious domains — stops malware from phoning home even if it executes |
| 18 | Guest Wi-Fi network separated from business network | Visitors and personal devices should never share a network with business systems and data |
| 19 | Remote access limited to approved methods only, and to approved users only | Unsanctioned remote access tools (e.g. AnyDesk or TeamViewer installed by users) are a common ransomware entry point |
| 20 | Firewall active with default-deny outbound rules | Restricts what internal devices can communicate with externally, containing compromised systems |

🗄️ Backup & Recovery

Backups are your last line of defense. Without tested, isolated backups, a ransomware attack can be catastrophic.

| # | Practice | Why It Matters |
|---|---|---|
| 21 | Regular automated backups of all critical data | Manual backups are inconsistent and frequently missed — automation ensures continuity |
| 22 | Backups stored in a separate, isolated location (offsite or cloud) | Ransomware actively targets and encrypts backup locations — isolation prevents total data loss |
| 23 | Backup restoration tested at least annually | An untested backup is not a backup — restoration failures are discovered at the worst possible time |
| 24 | Backup credentials are separate from primary environment credentials | If your primary admin account is compromised, backup access should remain intact |

🎓 Security Awareness & Training

People are both the most common attack vector and one of the most effective defenses.

| # | Practice | Why It Matters |
|---|---|---|
| 25 | Security awareness training completed by all staff annually | Phishing and social engineering attacks rely on untrained users — training measurably reduces click rates |
| 26 | Simulated phishing campaigns run regularly | Simulations identify high-risk users who need additional coaching before a real attack occurs |
| 27 | Employees know how to report a suspicious email or incident | Fast reporting reduces attacker dwell time — the faster IT is notified, the faster containment begins |
| 28 | New employee security training included in onboarding | Security habits form early — onboarding is the right time to establish expectations |

📋 Policies & Compliance

Documented policies create accountability and defensibility — especially after an incident.

| # | Practice | Why It Matters |
|---|---|---|
| 29 | Acceptable Use Policy (AUP) in place and signed by all staff | Establishes what is and isn't permitted on company devices and networks |
| 30 | Incident response contact and procedure communicated to all staff | Everyone should know who to call and what to do in the first 15 minutes of a suspected incident |
| 31 | Cyber liability insurance policy active | Covers breach response costs, notification expenses, legal fees, and business interruption |
| 32 | Software and vendor inventory maintained | You can't protect what you don't know you have — inventory is the foundation of asset security |

✅ How DTC Helps You Meet These Controls

DTC's managed services stack is specifically designed to cover the majority of this checklist automatically. Here's how our core offerings map:

| DTC Service | Checklist Items Covered |
|---|---|
| Blackpoint Cyber MDR (EDR + SOC) | #8 — 24/7 endpoint and identity monitoring with active response |
| Microsoft 365 + Entra ID (MFA/SSO) | #1, #2, #3, #5 — Identity, MFA, and access control |
| NinjaOne RMM (Patching + Monitoring) | #9, #12 — Automated patch management and endpoint health |
| DNSFilter | #17 — DNS-layer threat blocking |
| Microsoft Defender for Office 365 | #13, #14, #15 — Email filtering, anti-phishing, safe links |
| NinjaOne Backup / Veeam | #21, #22, #23, #24 — Managed, isolated, tested backups |
| Huntress Security Awareness Training | #25, #26, #27, #28 — Phishing simulations and training |
| BitLocker Management (via Intune) | #10 — Enforced full disk encryption |
| Cloudflare ZTNA | #19, #20 — Zero trust remote access, replaces VPN |
| DTC Onboarding/Offboarding SOP | #4, #7 — Standardized account lifecycle management |

📣 How DTC Keeps Clients Informed on Cybersecurity

Beyond deploying and managing security tools, DTC actively educates clients through three ongoing channels:

🔑 Client Onboarding — Security Findings Review

Every new client onboarding includes a review of security-relevant findings specific to their environment. DTC technicians document and walk through identified gaps, misconfigurations, or risks discovered during the onboarding assessment, and provide prioritized recommendations for remediation. This ensures clients understand their starting posture and have a clear roadmap from day one.

📱 Social Media — Ongoing Security Awareness

DTC maintains an active social media presence where we regularly publish cybersecurity best practices, threat advisories, and practical guidance written for business owners and non-technical staff. Topics covered include phishing awareness, password hygiene, scam trends, ransomware prevention tips, and timely alerts around emerging threats. Follow DTC on our social channels to stay current between service touchpoints.

🎤 DTC Client Events — In-Person Security Education

DTC hosts local events that clients can optionally attend, covering security-relevant topics in an accessible, conversational format. These sessions are designed to help business owners and their teams understand the threat landscape, ask questions directly, and learn practical steps they can take to improve their security posture. Event topics are updated regularly to reflect current threats and client needs. Watch for announcements through your DTC account team or our social media channels.

📞 Questions about your current security posture? Contact DTC at support@dtctoday.com or submit a ticket through the DTC Client Portal.
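As an added illustration of checklist item 14 (SPF, DKIM, and DMARC), not part of DTC's checklist: a small Python checker that reads an SPF and a DMARC TXT record and flags the settings that leave a domain spoofable (`+all`, `~all`, a missing `all`, `p=none`, no `rua=`, a partial `pct=`, too many DNS lookups). The record strings are constructed samples for a fictional domain; DKIM is not covered because its keys live in selector-specific records that vary per mail provider.

```python
import re

# Constructed sample records for a fictional domain: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com +all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=10"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

# What the trailing 'all' mechanism (or its absence, key None) means for senders not listed before it.
ALL_NOTES = {
    None: "SPF: no 'all' mechanism, so unlisted senders get a neutral result",
    "+": "SPF: '+all' authorizes every sender on the internet to use this domain",
    "?": "SPF: '?all' is neutral; unlisted senders neither pass nor fail",
    "~": "SPF: '~all' is a softfail; move to '-all' once every legitimate sender is listed",
}
# Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)\b|^redirect=", re.I)

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak was found."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    # Qualifier of the last 'all' (a bare 'all' means '+all'); None when no 'all' is present.
    qualifier = (all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+") if all_terms else None
    findings.extend([ALL_NOTES[qualifier]] if qualifier in ALL_NOTES else [])
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing weak was found."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: missing or malformed v=DMARC1 tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: p= tag missing or invalid, so receivers ignore the record")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you get no aggregate reports showing who spoofs you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings
```

Run it against your own domain's records (for example the output of `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`) to see which findings apply before ticking item 14.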