This isn’t a theoretical framework or a compliance document. It’s a practical checklist — the controls that make the actual difference between a business that weathers a cyberattack and one that doesn’t. Run through it honestly for your own organization. Every item you can’t check is a gap that a motivated attacker can exploit.
Identity and Access
- ☐ Multi-factor authentication enabled on all email accounts
- ☐ MFA enabled on VPN and remote access
- ☐ MFA enabled on all cloud services (Microsoft 365, Google Workspace, AWS, Azure)
- ☐ MFA enabled on all administrative accounts
- ☐ No shared administrator credentials — every admin has their own named account
- ☐ Privileged accounts not used for day-to-day tasks
- ☐ Offboarding process removes access within 24 hours of termination
- ☐ Password policy enforces minimum length (12+ characters) and complexity
- ☐ Password manager deployed for staff
Endpoint Security
- ☐ Endpoint Detection and Response (EDR) deployed on all workstations and servers
- ☐ EDR alerts are being monitored — not just deployed
- ☐ All endpoints running supported operating systems (Windows 10 end of support: October 2025)
- ☐ Patch management on a defined cycle — monthly at minimum
- ☐ Automatic screen lock after inactivity on all devices
- ☐ Full disk encryption enabled on all laptops
- ☐ Mobile device management (MDM) for company mobile devices
Network Security
- ☐ Next-generation firewall deployed and actively managed
- ☐ Firewall firmware current
- ☐ Guest WiFi network isolated from corporate network
- ☐ Network segmentation separating critical systems from general user traffic
- ☐ Remote access through VPN, not direct RDP exposure
- ☐ RDP not exposed directly to the internet
- ☐ Unused ports and services disabled on network devices
- ☐ Default credentials changed on all network devices
Email Security
- ☐ Advanced threat protection enabled on email (sandboxing, link detonation)
- ☐ SPF, DKIM, and DMARC records configured for your domain
- ☐ External email warning banners enabled
- ☐ Quarantine review process for flagged messages
- ☐ Anti-phishing simulation running at least quarterly
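"Configured" for SPF and DMARC means more than a record existing: an SPF record ending in `+all` or a DMARC policy of `p=none` leaves the domain spoofable. The following Python audit, added here as an illustration and not part of the original checklist, parses both records and flags the weak settings; the records are passed in as strings (fetch them with `dig TXT example.com` and `dig TXT _dmarc.example.com`) and the sample values in the demo are constructed.

```python
"""Flag weak SPF/DMARC settings. Inputs are the raw TXT record strings."""
import re

def audit_spf(spf):
    """Return a list of findings for an SPF record (None = no record)."""
    if spf is None:
        return ["no SPF record: any host may claim to send for the domain"]
    terms = spf.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF record does not start with v=spf1"]
    findings = []
    # The final 'all' qualifier decides what happens to unlisted senders:
    # '+all' (or bare 'all') and '?all' reject nobody, '~all' only soft-fails.
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), "")
    if all_term.lower() in ("+all", "all", "?all"):
        findings.append(f"SPF ends in '{all_term}': no sender is rejected")
    elif all_term.lower() == "~all":
        findings.append("SPF ends in '~all': failures only soft-fail")
    # RFC 7208 allows at most 10 DNS-querying mechanisms; more is a permerror
    # and receivers then treat the record as if it were absent.
    lookups = sum(1 for t in terms if re.match(
        r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b", t, re.I))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): permerror")
    return findings

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(dmarc):
    """Return a list of findings for a DMARC record (None = no record)."""
    if dmarc is None:
        return ["no DMARC record: receivers cannot enforce SPF/DKIM alignment"]
    tags = parse_dmarc(dmarc)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing v=DMARC1"]
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua=: no aggregate reports, no visibility")
    return findings

if __name__ == "__main__":
    # Constructed sample records for a hypothetical domain
    spf = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 ~all"
    dmarc = "v=DMARC1; p=none; pct=50"
    for finding in audit_spf(spf) + audit_dmarc(dmarc):
        print("FINDING:", finding)
```

An empty findings list for both records is the state the checklist item is asking for; anything else is a concrete gap to fix.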
Backup and Recovery
- ☐ Backups running on a defined schedule and verified daily
- ☐ Backups stored off-site or in the cloud — not just on a local drive
- ☐ Air-gapped or immutable backup copy that ransomware cannot reach
- ☐ Backup restoration tested in the last 90 days — not just assumed to work
- ☐ Recovery Time Objective (RTO) defined for critical systems
- ☐ Recovery Point Objective (RPO) defined for critical systems
User Awareness
- ☐ Security awareness training completed in the last 12 months
- ☐ Phishing simulation results tracked and improving
- ☐ Clear process for staff to report suspicious emails
- ☐ Wire transfer and financial request verification process — verbal confirmation required for changes
- ☐ New employee security onboarding covers phishing, password hygiene, and incident reporting
Incident Response
- ☐ Incident response plan documented
- ☐ Key contacts (IT, legal, insurance, law enforcement) documented and accessible off-network
- ☐ Cyber liability insurance in place and limits reviewed recently
- ☐ Tabletop exercise conducted in the last 12 months
- ☐ Staff know who to call first when they suspect an incident
Your Score
Count your unchecked items. One to five gaps represents a manageable risk posture that needs attention. Six to fifteen gaps represents significant exposure that should be addressed on a prioritized schedule. More than fifteen unchecked items represents a risk posture that a determined attacker — or an opportunistic ransomware campaign — can exploit.
Integration Technologies conducts security assessments for businesses across Orange County and Southern California. If you want an engineer to walk through this checklist with you and tell you exactly what addressing each gap looks like — time, cost, and priority — we’ll do it for free.