In March 2023, the FBI's Internet Crime Complaint Center reported that Americans lost over $10.3 billion to cybercrime in 2022 — a 49% increase from the year before. The uncomfortable truth? Most of those losses trace back to failures in basic security practices, not sophisticated zero-day exploits. A solid cyber hygiene checklist would have prevented the majority of them. This post gives you one — not the watered-down, theoretical kind, but the specific, field-tested kind I've used with organizations ranging from 15-person startups to federal contractors.
If you're searching for a cyber hygiene checklist, you probably already suspect your organization has gaps. You're right. Almost every one does. Let's close them.
Why Most Cyber Hygiene Checklists Fail Before They Start
I've reviewed dozens of "cyber hygiene" documents that companies proudly pin to their intranet. Most read like a compliance checkbox exercise. They list vague directives — "use strong passwords," "be careful with email" — and then collect digital dust.
The problem isn't awareness. It's specificity. Telling your employees to "be careful with email" is like telling a pilot to "fly safely." It's technically correct and operationally useless.
The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element, including social engineering, errors, and misuse. That number hasn't budged much in years because organizations keep recycling the same generic advice. What works is a checklist tied to specific, repeatable actions that map to actual threat actor behavior.
The 12-Step Cyber Hygiene Checklist Your Organization Needs
Here's the checklist I recommend. Each step addresses a real attack vector that showed up in breaches reported in 2022 and 2023. I've organized them by priority — do the top items first if you can't do everything at once.
1. Enforce Multi-Factor Authentication Everywhere
Not just on email. On every system that supports it — VPN, cloud storage, HR platforms, financial tools, admin consoles. The Colonial Pipeline ransomware attack in 2021 started with a single compromised password on a VPN account that lacked multi-factor authentication. That one gap led to a $4.4 million ransom payment and fuel shortages across the eastern United States.
If a system doesn't support MFA, document it, flag it, and plan to replace it. No exceptions for executives — they're actually the highest-value targets.
2. Patch Operating Systems Within 48 Hours of Critical Updates
CISA maintains a Known Exploited Vulnerabilities Catalog that lists actively exploited flaws. If a vulnerability shows up there, you have days — not weeks — before threat actors start scanning for unpatched systems. Automate patching wherever you can. Where you can't, assign a named individual responsible for manual updates within 48 hours.
3. Kill Default Credentials on Every Device
Routers, printers, IoT sensors, security cameras, NAS devices — every piece of hardware that ships with admin/admin or similar defaults needs to be reconfigured on day one. Botnets like Mirai built empires on default credentials. This takes minutes per device but prevents catastrophic lateral movement.
4. Run Phishing Simulations Monthly
Annual security training doesn't change behavior. Monthly phishing simulations do. I've seen organizations cut their click-through rates from 32% to under 5% within six months of starting regular simulations. The key is immediate feedback — when someone clicks, they should see a training moment right then, not a scolding email three weeks later.
If you need a structured program, phishing awareness training for organizations provides simulation frameworks and education materials built for exactly this purpose.
5. Implement the Principle of Least Privilege
Every user account should have the minimum access needed to do its job. Period. When I audit small and mid-sized businesses, I routinely find marketing interns with domain admin rights because "IT just gave everyone the same access level." This is how a single credential theft incident becomes a full domain compromise.
Review access rights quarterly. Revoke access the same day someone changes roles or leaves the organization.
6. Back Up Critical Data Using the 3-2-1 Rule
Three copies of your data, on two different media types, with one stored offsite (or offline). Ransomware operators specifically target backup systems — groups like LockBit and BlackCat have been observed deleting shadow copies and connected backups before deploying encryption. Your offline backup is your last line of defense.
Test your restore process quarterly. A backup you've never tested is not a backup. It's a hope.
7. Deploy DNS Filtering
Block known malicious domains at the DNS level. This catches a surprising amount of malware callbacks, phishing redirects, and command-and-control traffic before it ever reaches an endpoint. Solutions exist at every price point, and CISA's Protective DNS service is available to federal civilian agencies.
8. Encrypt Laptops and Mobile Devices
Full-disk encryption should be enabled on every company laptop and mobile device. In 2022, the U.S. Department of Health and Human Services breach portal showed multiple incidents involving unencrypted stolen laptops leading to reportable data breaches. BitLocker on Windows, FileVault on Mac — both are built in and both are non-negotiable on any cyber hygiene checklist.
9. Establish an Incident Response Plan (and Practice It)
You need a written plan that names specific people, specific communication channels, and specific escalation steps. I've walked into breach response situations where the "plan" was a single paragraph in an employee handbook from 2017. That's not a plan.
Run a tabletop exercise at least twice a year. Simulate a ransomware event, a business email compromise, and a stolen laptop scenario. The first time you practice your incident response plan should never be during an actual incident.
10. Segment Your Network
Flat networks are a gift to attackers. Once they're inside, they can reach everything. Network segmentation — separating your POS systems from your corporate email from your guest Wi-Fi from your development environment — limits blast radius. This is a core principle of zero trust architecture, and you don't need a massive budget to start. VLANs and firewall rules get you 80% of the way there.
11. Monitor and Review Logs
If you're not reviewing authentication logs, firewall logs, and endpoint detection alerts, you're flying blind. The median dwell time for attackers — the time between initial compromise and detection — was 21 days in 2022 according to Mandiant's M-Trends report. Every one of those days is a day threat actors are moving laterally, exfiltrating data, and setting up persistence.
At minimum, set alerts for: failed login spikes, new admin accounts, unusual outbound data transfers, and after-hours access to sensitive systems.
12. Train Every Employee, Not Just IT
Your receptionist, your CFO, your warehouse staff — everyone with a company email address is a target. Social engineering doesn't discriminate by department. The FBI IC3 2022 Annual Report documented $2.7 billion in losses from business email compromise alone, and those attacks almost always target non-technical staff in finance and operations.
Build a training program that covers phishing recognition, credential theft tactics, safe browsing, and reporting procedures. Our cybersecurity awareness training program covers all of these areas and is designed for employees at every technical level.
What Is Cyber Hygiene and Why Does It Matter?
Cyber hygiene refers to the routine practices and precautions that individuals and organizations follow to maintain the health of their systems and protect data from compromise. Think of it as the digital equivalent of washing your hands and locking your doors — basic but essential habits that prevent the vast majority of infections and intrusions. A cyber hygiene checklist codifies these habits into repeatable, auditable actions so nothing falls through the cracks.
It matters because sophisticated attacks are expensive. Most threat actors prefer the easy path — an unpatched server, a reused password, an employee who clicks a malicious link. Strong cyber hygiene eliminates that easy path and forces attackers to work harder, increasing the chance they'll move on to a softer target.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's Cost of a Data Breach Report 2022 pegged the average cost of a data breach at $4.35 million globally. In the United States, it was even higher. Organizations with mature security practices — including incident response teams, security awareness programs, and tested playbooks — spent an average of $2.66 million less per breach than those without.
That difference is larger than most organizations' entire annual IT budget. And it comes down to the basics — the exact items on the cyber hygiene checklist above.
I've consulted with a company that lost $380,000 to a business email compromise because they hadn't enabled MFA on their email system. The attacker logged in with credentials purchased on a dark web forum, changed the payment routing for a major vendor invoice, and the money was gone within four hours. MFA — step one on the list — would have stopped it cold.
How to Actually Implement This Checklist
Start With a Gap Assessment
Print this checklist out. Walk through each item with your IT lead or managed service provider. Rate each one: fully implemented, partially implemented, or not started. You'll have your roadmap in 30 minutes.
Assign Owners, Not Departments
"IT is responsible for patching" means nobody is responsible for patching. Name a specific person for each checklist item. Give them authority, a deadline, and a reporting cadence. I've seen more security programs stall from ambiguous ownership than from budget constraints.
Revisit Quarterly
Threats evolve. Your infrastructure changes. New employees join. A cyber hygiene checklist isn't a one-time project — it's a living process. Set a quarterly review meeting. Keep it to 45 minutes. Review each item, check for drift, and update as needed.
Layer in Continuous Training
Technical controls fail without human awareness. The NIST Cybersecurity Framework explicitly calls out awareness and training as a core protective function. Combine your technical checklist with ongoing security awareness education. Monthly phishing simulations, quarterly training refreshers, and real-time alerts about current threat campaigns keep your workforce sharp.
The Zero Trust Connection
If you've heard the term "zero trust" and wondered how it relates to basic cyber hygiene — they're not separate concepts. Zero trust is what happens when you implement every item on this checklist and then apply the underlying philosophy consistently: never trust, always verify.
Least privilege access? That's zero trust. MFA on every system? Zero trust. Network segmentation? Zero trust. Log monitoring? Zero trust. You don't need a seven-figure budget and a consultant army to start your zero trust journey. You need this checklist, executed consistently.
Your Next Move
Print this cyber hygiene checklist. Share it with your leadership team tomorrow morning. Identify your three biggest gaps and assign owners by end of week. Start monthly phishing simulations within 30 days.
If you need help building out your training program, explore our cybersecurity awareness training for comprehensive employee education, and our phishing awareness training for organizations for targeted simulation exercises that measurably reduce your risk.
The threat actors aren't waiting. Neither should you.