In 2023, MGM Resorts lost an estimated $100 million after a threat actor called Scattered Spider social-engineered an IT help desk with a ten-minute phone call. No zero-day exploit. No nation-state tooling. Just sloppy basics. That breach — and hundreds like it every year — could have been prevented with a disciplined cyber hygiene checklist that the entire organization actually follows.

This post isn't a fluffy overview. I've spent years watching organizations get breached over the same preventable gaps. What follows are twelve specific, actionable steps grounded in real incident data from the Verizon DBIR, CISA advisories, and FBI IC3 reports. If you're looking for a cyber hygiene checklist you can hand to your team on Monday morning, this is it.

What Is Cyber Hygiene and Why Does Your Checklist Need Teeth?

Cyber hygiene refers to the routine practices and precautions that keep systems, networks, and data reasonably secure. Think of it as the digital equivalent of washing your hands. Simple in concept, catastrophic when skipped.

The problem I see constantly is that most organizations treat cyber hygiene as a one-time project. They buy a tool, run a scan, check a box. Then six months later an employee reuses a breached password and a ransomware crew is inside the network encrypting file shares at 2 AM on a Saturday.

A real cyber hygiene checklist needs teeth — recurring tasks, assigned owners, and consequences for drift. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element such as social engineering or credential theft. That stat alone tells you where to focus.

The 12-Step Cyber Hygiene Checklist for 2026

I've organized these steps in order of impact per dollar spent. The first few are nearly cost-neutral but prevent the majority of breaches I've investigated or studied. Let's go.

1. Enforce Multi-Factor Authentication Everywhere

If you do nothing else on this list, do this. Multi-factor authentication (MFA) blocks over 99% of automated credential-stuffing attacks according to CISA's MFA guidance. That includes email, VPN, cloud admin consoles, and any SaaS platform with access to sensitive data.

Phishing-resistant MFA — FIDO2 hardware keys or passkeys — is the gold standard. SMS codes are better than nothing, but SIM-swapping attacks have made them the weakest option. Push notifications with number matching are a solid middle ground.

2. Run Continuous Phishing Simulations

Phishing is still the number-one initial access vector. You already know this. But knowing it and testing for it are different things.

I recommend monthly phishing simulations that rotate templates — invoice lures, credential harvesting pages, CEO impersonation, QR code phishing. Track click rates, report rates, and repeat-offender rates. Organizations that run consistent simulations see click rates drop from 30%+ to under 5% within six months. If you need a structured program, our phishing awareness training for organizations gives you a repeatable framework your team can deploy immediately.

3. Patch Critical Vulnerabilities Within 72 Hours

The Cybersecurity and Infrastructure Security Agency maintains its Known Exploited Vulnerabilities (KEV) catalog for a reason — these are the bugs threat actors are actively using right now. If a vulnerability appears on that list, you have days, not weeks.

Set up automated alerts for your tech stack. Assign a patch owner for every critical system. Document exceptions. If you can't patch, apply the vendor's recommended mitigation and set a hard deadline for the real fix.

4. Kill Default Credentials and Shared Accounts

I've seen production databases exposed to the internet with admin/admin credentials. In my experience, default passwords on network appliances, IoT devices, and legacy applications are among the easiest wins for attackers — and the easiest fixes for defenders.

Audit every device and application for default credentials quarterly. Eliminate shared accounts entirely. Every action in your environment should be traceable to a named individual. This is a foundational zero trust principle.

5. Implement a Password Policy That Reflects Reality

NIST Special Publication 800-63B changed the game years ago: stop forcing 90-day password rotations and complexity rules that lead to "Summer2026!" on a sticky note. Instead, require long passphrases (16+ characters), check passwords against known breach databases, and pair everything with MFA.

Use a corporate password manager. Mandate it. If employees are choosing their own tools — or worse, reusing personal passwords — you have a credential theft problem waiting to happen.

6. Segment Your Network Like Your Job Depends on It

Flat networks are a ransomware operator's dream. Once inside, they move laterally without resistance. Network segmentation limits blast radius.

At minimum, separate your guest Wi-Fi, IoT devices, production servers, and corporate workstations into distinct VLANs with firewall rules between them. Zero trust architecture takes this further — verify every connection regardless of source — but segmentation is the practical first step.

7. Back Up Using the 3-2-1-1 Rule

Three copies of your data, on two different media types, with one offsite and one immutable (unchangeable even by admins). That last "1" is what separates organizations that recover from ransomware from those that pay the ransom.

Test your restores quarterly. I cannot stress this enough. A backup you've never tested is a hope, not a plan. Time your restore and compare it against your business continuity requirements.

8. Deploy Endpoint Detection and Response (EDR)

Traditional antivirus is dead for anything beyond commodity malware. EDR tools monitor behavior in real time — suspicious PowerShell execution, lateral movement attempts, credential dumping — and can isolate compromised endpoints automatically.

If you're a small business and think EDR is out of reach, managed detection and response (MDR) services provide 24/7 monitoring at a fraction of the cost of an in-house SOC.

9. Require Security Awareness Training for Every Employee

The human element drives the majority of breaches. Security awareness training isn't optional — it's a control, just like a firewall. And it needs to go beyond a once-a-year compliance video that employees click through while checking their phones.

Effective training covers social engineering tactics, credential theft red flags, safe browsing habits, and how to report suspicious activity. Our cybersecurity awareness training program is built around real-world scenarios and updated regularly to address current threat actor techniques.

10. Encrypt Data at Rest and in Transit

Full-disk encryption on every laptop and mobile device. TLS 1.2 or higher for every web-facing service. Encrypted email for sensitive communications. If a device is stolen or traffic is intercepted, encryption is your last line of defense.

Audit your environment for unencrypted data stores. I've found sensitive customer PII sitting in plaintext CSV files on SharePoint more times than I'd like to admit.

11. Review and Restrict Administrative Privileges Monthly

Privilege creep is real. People change roles, accumulate access, and nobody revokes the old permissions. Every admin account is a high-value target for threat actors.

Conduct monthly access reviews. Apply the principle of least privilege: users get only what they need for their current job function. Use just-in-time (JIT) admin access for elevated tasks — no standing admin accounts that sit idle 99% of the time.

12. Build and Test an Incident Response Plan

Your cyber hygiene checklist isn't complete without a plan for when hygiene fails. And it will, eventually. The question is whether your team knows what to do in the first sixty minutes.

Document who calls whom. Define what gets isolated first. Know your legal notification requirements. Run a tabletop exercise every six months — pick a scenario like a ransomware event or a data breach involving customer records, and walk through it step by step. The FBI's IC3 reporting process should be part of that playbook.

How Often Should You Review Your Cyber Hygiene Checklist?

This is the question I get most from IT managers and business owners. Here's the short answer: your cyber hygiene checklist should be reviewed and updated quarterly at minimum, with specific items on daily, weekly, and monthly cycles.

  • Daily: Monitor EDR alerts, review failed login attempts, check backup job completion.
  • Weekly: Apply critical patches, review admin account activity, scan for new shadow IT.
  • Monthly: Run phishing simulations, review access privileges, audit default credentials.
  • Quarterly: Test backup restores, update the incident response plan, conduct a tabletop exercise, reassess the full checklist against new threats.

Lock these cadences into your calendar with assigned owners. A checklist nobody reviews is wallpaper.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. That's not just large enterprises — mid-size and small businesses face proportionally devastating costs that often lead to closure.

The organizations that kept breach costs below average shared common traits: they had an incident response plan that was tested, they used security AI and automation, and they had strong security awareness programs. Every one of those traits maps directly to items on this cyber hygiene checklist.

I've watched companies invest six figures in perimeter security tools while their employees couldn't spot a credential harvesting email. That imbalance is where breaches happen.

Building a Culture, Not Just a Checklist

The hardest part of cyber hygiene isn't the technical controls. It's getting people to care consistently. Here's what I've seen work:

Make reporting easy and rewarded. If an employee reports a suspicious email, thank them publicly. If they click a phishing simulation link, coach them privately. Shame-based security cultures produce underreporting, not better behavior.

Tie security metrics to business outcomes. Show leadership that a 15% reduction in phishing click rate corresponds to a measurable reduction in incident response costs. Speak their language — dollars and risk.

Keep training fresh and relevant. Threat actors evolve constantly. Your training should too. AI-generated voice phishing (vishing), deepfake video calls, and QR code phishing are all surging in 2026. Static training from two years ago doesn't address any of it.

Your Next Move

Print this cyber hygiene checklist. Assign an owner to each of the twelve items. Set review cadences. Measure progress monthly. The gap between organizations that get breached and those that don't is rarely about budget — it's about discipline.

If your team needs structured training to close the human element gap, start with our cybersecurity awareness training for foundational skills and our phishing awareness training for organizations to build resilience against social engineering attacks. Both are built for the threat landscape you're facing right now — not the one from three years ago.

Hygiene isn't glamorous. But the organizations that get it right are the ones that stay out of the headlines.