Most cybersecurity guides tell you what to do in general terms. This one gives you three specific, actionable checklists you can work through item by item — for personal security, small business security, and developer/web application security. Every item is prioritised (Critical/High/Medium/Ongoing) and linked to a full guide for anything that needs more explanation.
When I started learning cybersecurity, I didn’t realise how many basic gaps I had — reused passwords, no proper backups, and almost no visibility into my own security. This checklist is based on fixing those exact mistakes step by step.
Use these checklists to audit your current security posture, identify gaps, and track your progress. A "Critical" item left unchecked is an open door to the most common attacks. Work top-down, fix Critical items first, then High, then Medium.
Most real-world attacks don’t happen because of advanced hacking — they happen because one or two of these basic items were missed.
How to use these checklists: Read each item, assess whether you have it in place, and mark it complete. For any item you are unsure about, click the linked guide for full context. Revisit quarterly — new devices, new accounts, new employees, and new vulnerabilities mean security posture changes over time. Critical items should be checked monthly.
🔑 Account Security
MFA enabled on email accounts
Enable multi-factor authentication on every email account using an authenticator app — not SMS. Email is the master key to every other account.
MFA Guide
Critical
MFA enabled on banking and financial accounts
Use authenticator app MFA on all banking, investment, and payment platforms. Direct financial loss risk if compromised.
Critical
Password manager installed and in use
Bitwarden (free) or 1Password. Every account has a unique randomly generated password. You remember only the master password.
Password Guide
Critical
No password reuse across accounts
Every account has a unique password. Credential stuffing from one breach cannot cascade to other accounts.
Critical
Passkeys enabled on supported services
Enable passkeys on Google, Apple, GitHub, PayPal, and any service that supports them. More secure and easier than password+MFA.
Passkeys Explained
High
💾 Data Protection
Important data backed up offline
Photos, documents, and irreplaceable files backed up to an external drive or cloud with versioning. Offline backup protects against ransomware.
Ransomware Guide
High
Full-disk encryption enabled on all devices
BitLocker (Windows), FileVault (Mac), default encryption on Android/iOS. Protects data if device is lost or stolen.
High
Email addresses checked on haveibeenpwned.com
Check all email addresses for breach exposure. Register for free notifications. Change passwords for any breached accounts.
Dark Web Guide
High
🌐 Network and Device Security
All devices running automatic updates
OS, browsers, and all apps set to auto-update. 33% of breaches exploit known, patched vulnerabilities.
Critical
Home router default credentials changed
Change admin password from factory default. Update router firmware. Disable UPnP if not needed.
Router Security Guide
High
VPN used on public WiFi
Use a reputable VPN (ProtonVPN free tier, Mullvad) on cafe, airport, and hotel WiFi to encrypt traffic.
VPN Guide
Medium
🎣 Phishing and Social Engineering Defence
SLAM method applied to all unexpected emails
Check Sender domain, Links (hover before clicking), Attachments (expected?), Message (urgency, unusual requests).
Phishing Guide
High
Unexpected MFA push notifications rejected and reported
Any MFA prompt you did not initiate is an attack attempt. Never approve to "make it stop." Report to account security.
Critical
Aadhaar locked when not in use (India)
Lock your Aadhaar biometrics via mAadhaar app or uidai.gov.in. Unlock only when needed for authentication.
Identity Theft Guide
High
Credit report checked annually (all bureaus)
CIBIL, Experian, Equifax, CRIF High Mark (India). Unfamiliar accounts or inquiries may indicate identity theft.
Ongoing
Financial account activity reviewed monthly
Check bank and credit card statements for unfamiliar charges, especially small test charges (₹1-10) from unknown merchants.
Ongoing
Small businesses are often targeted not because they’re valuable, but because they’re easier to breach.
🔑 Identity and Access
MFA enforced on all business email accounts
Every team member's business email has MFA enabled with an authenticator app. No exceptions.
MFA Setup Guide
Critical
Business password manager deployed for all staff
Bitwarden Teams or 1Password Business. Every shared and individual business account has a unique strong password. No shared passwords in spreadsheets or chat.
Critical
Access revoked immediately for all departed employees
On last day: revoke email, cloud storage, business applications, VPN, and any shared accounts. Maintain an offboarding checklist.
Critical
Least privilege applied to all employee accounts
Each employee accesses only what their role requires. Finance team doesn't need CRM admin. Delivery staff don't need accounting access.
Zero Trust Guide
High
💾 Backups and Recovery
3-2-1 backup rule implemented
3 copies, 2 media types, 1 offline/off-site. Offline copy physically disconnected from network when not backing up.
Ransomware Backup Strategy
Critical
Backup restoration tested quarterly
Actually restore from backup to verify it works. A backup never tested is not a real backup. Document restoration time.
High
🌐 Network Security
Business router default credentials changed and firmware updated
Factory defaults are documented publicly. Quarterly firmware update check. Disable unused services.
Firewall Guide
Critical
Separate guest WiFi for visitors and IoT devices
Customer WiFi and IoT devices on isolated guest network. Cannot access business network segment.
IoT Security Guide
High
All software and devices on automatic updates
OS, applications, antivirus, and accounting software. Enable automatic updates. Monthly audit that updates are running.
Critical
📧 Email and Communication Security
Business email platform with security features enabled
Google Workspace or Microsoft 365 with spam filtering, external email banners, and link scanning enabled.
SMB Security Guide
High
Payment verification protocol documented and trained
Written policy: any bank account change or payment above a set threshold requires verbal confirmation on a known number. This is the control that stops business email compromise (BEC) fraud.
BEC Prevention
Critical
👥 Employee and Process Security
Annual security awareness training completed by all staff
Phishing recognition, social engineering awareness, password hygiene. Free resources: KnowBe4 free tier, Google Phishing Quiz.
High
One-page incident response plan written and accessible
Who to call, what to do if email is compromised, what to do if ransomware hits. Printed copy accessible offline.
Incident Response
High
Customer personal data inventory completed
Know what personal data you hold, where it is stored, and what your DPDP Act (India) obligations are if breached.
DPDP Act Obligations
High
Endpoint security deployed on all business devices
Microsoft Defender enabled and updated (Windows), or paid EDR (Malwarebytes Teams, Bitdefender GravityZone for SMB).
Medium
Cyber insurance policy reviewed or obtained
SMB cyber insurance starts from ₹5,000/year in India. Covers ransomware payments, recovery costs, notification obligations.
Medium
Security posture reviewed quarterly
Revisit this checklist every 3 months. New employees, new devices, and new services create new security gaps.
Ongoing
In most real-world testing, vulnerabilities don’t look like textbook examples — they appear as small logic flaws or overlooked edge cases.
🔒 Authentication and Access Control
Passwords stored with bcrypt or Argon2 (never MD5 or SHA-1)
Slow hashing algorithms make brute force computationally expensive. MD5-hashed passwords from breaches are cracked in seconds.
Hashing Guide
Critical
MFA available and encouraged for all user accounts
Implement TOTP (RFC 6238) or WebAuthn/FIDO2 passkey support. SMS OTP is the minimum — prefer authenticator app or hardware key.
MFA Implementation Guide
Critical
Broken Object Level Authorisation (BOLA) tested on all API endpoints
Every API endpoint that returns or modifies data checks that the requesting user owns or has permission to access that specific object.
API Security Guide
Critical
Broken Function Level Authorisation tested
Admin functions are not accessible to regular users — even if the URL is known. Test by accessing admin endpoints with a standard user token.
OWASP A01 Guide
Critical
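The two authorisation items above (object-level and function-level) are easiest to understand as two separate checks in one code base. The following is an added example, not code from the original checklist: an in-memory invoice table (constructed), a deliberately unchecked lookup showing the BOLA shape, the ownership-checked version, and a `require_role` decorator that guards an admin function regardless of whether its URL is known. All names (`User`, `Invoice`, `Forbidden`, `get_invoice`, `delete_invoice`) are this example's own.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller lacks permission; the web layer maps it to HTTP 403."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Invoice:
    id: int
    owner_id: int
    amount: int


# Constructed in-memory table standing in for the database.
INVOICES = {
    1: Invoice(id=1, owner_id=10, amount=500),
    2: Invoice(id=2, owner_id=20, amount=900),
}


def get_invoice_insecure(user: User, invoice_id: int) -> Invoice:
    """BOLA: the object is fetched by id alone, so any logged-in user can read any invoice."""
    return INVOICES[invoice_id]


def get_invoice(user: User, invoice_id: int) -> Invoice:
    """Object-level check: the record must belong to the caller (admins excepted)."""
    invoice = INVOICES.get(invoice_id)
    # Same outcome for "does not exist" and "not yours", so ids cannot be enumerated.
    if invoice is None or (invoice.owner_id != user.id and user.role != "admin"):
        raise Forbidden(f"invoice {invoice_id}")
    return invoice


def require_role(role: str):
    """Function-level check applied to every admin handler; URL secrecy is not a control."""
    def decorator(handler):
        def wrapper(user: User, *args, **kwargs):
            if user.role != role:
                raise Forbidden(handler.__name__)
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def delete_invoice(user: User, invoice_id: int) -> bool:
    return INVOICES.pop(invoice_id, None) is not None


def denied(fn, *args) -> bool:
    """Check helper: True if the call was refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```

The test the item describes ("access admin endpoints with a standard user token") is exactly `denied(delete_invoice, ordinary_user, some_id)`; the BOLA test is `denied(get_invoice, other_user, victim_id)`. Both belong in the regular test suite, not only in a pentest.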
Session tokens are random, long, and invalidated on logout
Sessions use cryptographically random tokens (min 128 bits). Old tokens invalidated after logout and after password change. No session fixation vulnerabilities.
High
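The session item bundles four requirements (random tokens, adequate length, invalidation on logout and on password change, no fixation). The following is an added example, not code from the original checklist: a minimal server-side session store meeting all four. `SessionStore` and its method names are this example's own; token generation uses `secrets.token_urlsafe`, which is the standard-library call for this purpose.

```python
import secrets
import time
from typing import Optional


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    Tokens are 32 random bytes (256 bits, above the 128-bit floor in the checklist).
    The store holds only a user id and a creation time, so the cookie carries no
    claims that could be tampered with.
    """

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> {"user_id": ..., "created": ...}

    def login(self, user_id: int, old_token: Optional[str] = None) -> str:
        """Issue a fresh token on authentication. Whatever token the browser held
        before login is discarded, which is the defence against session fixation."""
        if old_token is not None:
            self._sessions.pop(old_token, None)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "created": time.time()}
        return token

    def user_for(self, token: str) -> Optional[int]:
        """Resolve a token to a user id, expiring stale sessions on the way."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if time.time() - session["created"] > self.ttl:
            self._sessions.pop(token, None)
            return None
        return session["user_id"]

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, user_id: int) -> int:
        """Called after a password change or reset: every session of that user dies,
        including any an attacker may be holding. Returns the number invalidated."""
        doomed = [t for t, s in self._sessions.items() if s["user_id"] == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)
```

Because the state lives server-side, "invalidated" means the row is gone; a signed stateless token cannot be revoked this way without a separate deny-list, which is the usual argument for server-side sessions on anything that handles money.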
💉 Injection Prevention
All database queries use parameterised statements / prepared statements
Zero SQL queries constructed by concatenating user input. Every database interaction uses parameterised queries.
SQL Injection Guide
Critical
All user-supplied input is validated and sanitised
Validate type, length, format, and range. Sanitise for the appropriate output context (HTML, SQL, OS commands, LDAP). Context-aware output encoding prevents XSS.
XSS Prevention Guide
Critical
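The two injection items above work together: validate the input first, then pass it to the database as a bound parameter rather than as text. The following is an added example, not code from the original checklist, using an in-memory SQLite table (constructed) to show the concatenated query the item forbids beside the parameterised one that replaces it, with a format check in front of both. Function names and the username rule are this example's own.

```python
import re
import sqlite3

# Constructed in-memory database standing in for the application's users table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                 [("alice", "alice@example.com"), ("bob", "bob@example.com")])

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(raw) -> bool:
    """Input validation: type, length and character set are checked before the value
    is used anywhere. Rejecting early keeps junk out of every later layer."""
    return isinstance(raw, str) and USERNAME_RE.fullmatch(raw) is not None


def find_user_vulnerable(username: str):
    """The 'before': user input concatenated into SQL. Kept only to show the contrast;
    the text of the input is parsed as part of the statement."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user(username: str):
    """The fix: the value travels as a bound parameter and is never parsed as SQL,
    whatever characters it contains."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_user(raw_username):
    """Handler-level flow: validate, then query with parameters. Returns (id, username) or None."""
    if not is_valid_username(raw_username):
        return None
    rows = find_user(raw_username)
    return rows[0] if rows else None
```

Run against the classic `' OR '1'='1` input, the concatenated version returns every row and the parameterised version returns none; the validator rejects the string before the query is even built. Note that validation is a second layer, not a substitute: the parameterised query is what makes the statement safe for inputs the validator cannot anticipate.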
CSRF tokens implemented on all state-changing forms
Every form that changes data (password change, profile update, delete, purchase) uses CSRF tokens or SameSite cookie attribute.
CSRF Prevention Guide
High
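The CSRF item names two layers: a per-session token checked on every state-changing request and the SameSite cookie attribute. The following is an added example, not code from the original checklist, showing both: a synchronizer-token guard, the Set-Cookie value with the attributes that matter, and a constructed password-change handler that checks the token before doing anything. `CsrfGuard` and the handler are this example's own names.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: one random token per session, embedded in every
    state-changing form as a hidden field and checked on submission."""

    def __init__(self):
        self._tokens = {}  # session_id -> csrf token

    def token_for(self, session_id: str) -> str:
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def validate(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(submitted, str):
            return False
        # Constant-time comparison; the token is a secret like any other.
        return hmac.compare_digest(expected, submitted)


def session_cookie_header(token: str, secure: bool = True) -> str:
    """Set-Cookie value for the session cookie. SameSite=Lax stops the browser sending
    it on cross-site POSTs (the CSRF vector); HttpOnly keeps script from reading it;
    Secure restricts it to HTTPS."""
    attrs = [f"session={token}", "HttpOnly", "SameSite=Lax", "Path=/"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def handle_password_change(guard: CsrfGuard, session_id: str, form: dict) -> int:
    """Constructed handler: the CSRF check runs before any state changes.
    Returns the HTTP status the real handler would send."""
    if not guard.validate(session_id, form.get("csrf_token")):
        return 403
    # ... the actual password change would happen here ...
    return 200
```

SameSite=Lax alone is not sufficient where the site needs top-level GET navigations to carry state or where older clients are in scope, which is why the item says "tokens or SameSite" but mature frameworks ship both.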
🔐 Encryption and Secrets
TLS 1.3 (minimum TLS 1.2) enforced — HTTP redirects to HTTPS
All traffic encrypted. TLS 1.0 and 1.1 disabled. HSTS header enabled to prevent SSL stripping.
TLS/HTTPS Guide
Critical
No secrets, API keys, or credentials in source code or Git history
Use environment variables and secrets managers (AWS Secrets Manager, HashiCorp Vault). Run secret scanning on all commits. API keys in Git are found by automated bots within minutes.
API Key Security Guide
Critical
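The item has two halves: catch credentials before they reach Git, and load them from somewhere else at runtime. The following is an added example, not code from the original checklist: a small secret scanner that a pre-commit hook or CI step could run over changed files, plus the environment-based loader that replaces hard-coded values. The AWS access-key-id shape is publicly documented; the "generic assignment" rule and the sample file contents are constructed for this example (the key value is a placeholder, not a real credential).

```python
import os
import re

# Credential shapes commonly committed by mistake. The AWS access-key-id prefix is public
# documentation; the "generic" rule catches long literals assigned to suspicious names.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*['\"]([A-Za-z0-9_\-/+]{16,})['\"]"
    ),
}


def scan_text(text: str, filename: str = "<memory>"):
    """Return (filename, line_no, rule) for every line matching a secret pattern.
    A CI step would fail the build when this list is non-empty."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((filename, line_no, rule))
    return findings


def load_api_key(name: str = "PAYMENT_API_KEY", env=None) -> str:
    """The replacement pattern: the key comes from the environment (populated by a
    secrets manager at deploy time) and its absence is a hard failure, never a
    fallback to a default baked into the code."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start")
    return value


# Constructed sample "config.py" contents. The AKIA value is a made-up placeholder.
SAMPLE_FILE = '''\
DEBUG = False
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
PAYMENT_API_KEY = os.environ["PAYMENT_API_KEY"]
password = "correct-horse-battery-staple"
'''
```

Regex scanning of this kind is a cheap first line; the item's point about Git history stands, since a key removed in a later commit is still in the repository and must be rotated, not merely deleted.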
Sensitive data encrypted at rest in databases
PII, payment data, health data encrypted at rest using AES-256. Keys managed through KMS, not hardcoded.
Encryption Guide
High
🛡️ Security Headers and Configuration
Security headers implemented (CSP, X-Frame-Options, HSTS, etc.)
Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, HSTS. Test with securityheaders.com.
Misconfiguration Guide
High
Default credentials and debug settings removed from production
Critical
Directory traversal protections in place for file operations
File path inputs validated and normalised. Application cannot be tricked into reading files outside intended directories.
Directory Traversal Guide
High
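"Validated and normalised" is the whole fix here, and the normalisation step is where most home-grown checks go wrong. The following is an added example, not code from the original checklist: a `safe_join` that resolves the requested path under the served directory and rejects anything whose final location is outside it, exercised against a constructed temporary directory tree. Function names are this example's own.

```python
import os
import tempfile


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir and refuse anything that ends up outside it.
    realpath collapses '..' segments and follows symlinks, so the check applies to the
    final on-disk location rather than to the string the client sent. commonpath is
    used instead of startswith so that /srv/docs2 is not mistaken for /srv/docs."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{user_path!r} escapes {base_dir}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    try:
        safe_join(base_dir, user_path)
        return True
    except PermissionError:
        return False


def read_document(base_dir: str, user_path: str) -> bytes:
    with open(safe_join(base_dir, user_path), "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed layout: <tmp>/docs is the served directory; <tmp>/secret.txt sits outside it."""
    root = tempfile.mkdtemp()
    docs = os.path.join(root, "docs")
    os.makedirs(os.path.join(docs, "reports"))
    with open(os.path.join(docs, "reports", "q1.txt"), "w") as f:
        f.write("quarterly")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("outside")
    checks = {
        "reports/q1.txt": is_safe(docs, "reports/q1.txt"),
        "../secret.txt": is_safe(docs, "../secret.txt"),
        "reports/../../secret.txt": is_safe(docs, "reports/../../secret.txt"),
        # An absolute path replaces the base in os.path.join, so it must also be refused.
        "absolute": is_safe(docs, os.path.join(root, "secret.txt")),
    }
    checks["content"] = read_document(docs, "reports/q1.txt").decode()
    return checks
```

One caveat for real handlers: run the check on the decoded path the framework hands you, after URL decoding, since the filesystem never sees percent-encoding.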
Rate limiting on authentication and sensitive API endpoints
Login attempts rate limited to prevent brute force. API endpoints rate limited to prevent DDoS and enumeration attacks.
API Rate Limiting Guide
High
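For the login case the useful detail is that one limiter is not enough: a per-IP limit alone lets a distributed attempt at one account through, and a per-account limit alone lets one client try many accounts. The following is an added example, not code from the original checklist: a sliding-window limiter with an injectable clock and a constructed login handler that applies both limits. `SlidingWindowLimiter`, `FakeClock` and the handler are this example's own names; the thresholds are illustrative.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (client IP,
    account name or API token). The clock is injectable so behaviour is testable."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= self.limit:
            return False  # denied attempts are not recorded, so they do not extend the block
        q.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest counted event leaves the window (for a Retry-After header)."""
        q = self._events[key]
        if len(q) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - q[0]))


class FakeClock:
    """Deterministic clock for tests."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def login(limiter_ip, limiter_user, ip: str, username: str, password_ok: bool) -> int:
    """Constructed login handler: limited per source IP and per target account.
    Returns the HTTP status: 429 when limited, 401 on bad credentials, 200 on success."""
    if not limiter_ip.allow(ip) or not limiter_user.allow(username):
        return 429
    return 200 if password_ok else 401
```

In production the event store would be shared (Redis or similar) rather than a process-local dict, otherwise each app replica enforces its own separate budget; the algorithm does not change.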
🔍 Testing and Monitoring
OWASP Top 10 tested before each major release
Use OWASP ZAP or Burp Suite for automated scanning. Manually test business logic vulnerabilities that scanners miss.
OWASP Top 10 Guide
High
Application and access logs collected and monitored
Authentication events, access control failures, and unusual API activity logged and monitored. Logs stored separately from the application to prevent tampering.
Logging Guide (Cloud)
High
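"Logged and monitored" only pays off with concrete detections running over the log. The following is an added example, not code from the original checklist: a parser for a constructed line format and three detections over a constructed sample (a failed-login burst ending in a success, one source failing against several accounts, and one account collecting access-control failures). The line format, thresholds and IP addresses (documentation ranges) are all this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth event=(?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample log: a brute-force burst that ends in a success, a spray across
# three accounts from one source, and one account hitting endpoints it may not use.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth event=login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:03Z auth event=login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:05Z auth event=login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:07Z auth event=login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:09Z auth event=login_failed user=alice ip=203.0.113.5
2024-05-01T10:00:11Z auth event=login_ok user=alice ip=203.0.113.5
2024-05-01T10:01:00Z auth event=login_failed user=bob ip=198.51.100.9
2024-05-01T10:01:02Z auth event=login_failed user=carol ip=198.51.100.9
2024-05-01T10:01:04Z auth event=login_failed user=dave ip=198.51.100.9
2024-05-01T10:02:00Z auth event=authz_denied user=bob ip=192.0.2.44
2024-05-01T10:02:01Z auth event=authz_denied user=bob ip=192.0.2.44
2024-05-01T10:02:02Z auth event=authz_denied user=bob ip=192.0.2.44
2024-05-01T10:02:03Z auth event=authz_denied user=bob ip=192.0.2.44
"""


def parse(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def detect(text: str, fail_threshold: int = 5, spray_users: int = 3,
           denied_threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return (alert_type, subject, detail) tuples for:
    brute_force: >= fail_threshold failures from one IP inside the window;
    success_after_brute_force: a login_ok from that IP while the burst is recent;
    password_spray: one IP failing against >= spray_users distinct accounts;
    authz_probe: one account collecting >= denied_threshold access-control failures."""
    alerts = []
    fails = defaultdict(list)   # ip -> failure timestamps
    users = defaultdict(set)    # ip -> distinct accounts that failed
    denied = defaultdict(int)   # user -> access-control failures
    for ev in parse(text):
        if ev["event"] == "login_failed":
            fails[ev["ip"]].append(ev["ts"])
            users[ev["ip"]].add(ev["user"])
        elif ev["event"] == "login_ok":
            recent = [t for t in fails[ev["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("success_after_brute_force", ev["ip"], ev["user"]))
        elif ev["event"] == "authz_denied":
            denied[ev["user"]] += 1
    for ip, stamps in fails.items():
        stamps.sort()
        for i in range(len(stamps) - fail_threshold + 1):
            if stamps[i + fail_threshold - 1] - stamps[i] <= window:
                alerts.append(("brute_force", ip, len(stamps)))
                break
        if len(users[ip]) >= spray_users:
            alerts.append(("password_spray", ip, len(users[ip])))
    for user, n in denied.items():
        if n >= denied_threshold:
            alerts.append(("authz_probe", user, n))
    return alerts
```

The "success after burst" alert is the one worth paging on: a rate limiter will usually have stopped the burst, and an access-control failure count per user is how a BOLA probe by a legitimate account shows up in practice. The detections assume the log has already been shipped off the application host, as the item requires; otherwise an attacker who gains the host can edit away the evidence.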
Dependencies scanned for known vulnerabilities
npm audit, pip-audit, or Snyk in CI/CD pipeline. Critical vulnerabilities in dependencies block deployment. Supply chain attacks exploit outdated dependencies.
Ongoing
Penetration test conducted annually on production
Annual professional penetration test or participation in bug bounty programme. External perspective finds vulnerabilities internal testing misses.
Penetration Testing Guide
Ongoing
How to interpret your checklist completion
0–40%: High Risk — Address Critical items immediately. Automated attacks will find these gaps.
40–75%: Moderate Risk — Good progress. Remaining High items represent meaningful exposure.
75–100%: Strong Posture — Above average. Focus on Ongoing items and quarterly reviews.
Cybersecurity Checklist FAQs
How often should I go through these checklists?
Personal checklist: review the Critical and High items monthly — account compromises and breach notifications require fast response. The full checklist quarterly. Business checklist: Critical items monthly, full checklist quarterly, and additionally whenever you hire new staff, purchase new devices, or deploy new software. Developer checklist: review before each major release and fully quarterly. New dependencies, new integrations, and new deployments create new attack surfaces that weren't present at the last review.
What should I tackle first if I'm starting from zero?
In strict priority order, regardless of which checklist you are using: (1) Enable MFA on your email accounts — this is the single most impactful action available, takes 10 minutes, and is free. (2) Set up a password manager and migrate your most important accounts (email, banking) to unique passwords. (3) Enable automatic updates on all devices. These three actions stop the vast majority of automated attacks that target individuals and small businesses. Once those are done, work through the remaining Critical items, then High, then Medium. Do not let the full checklist intimidate you into doing nothing — doing the top three items today is infinitely better than planning to do all twenty later.
As a developer, what is the single most impactful security change I can make to existing code?
If you have existing code with database queries, audit every single one for SQL injection. Change any query that concatenates user input directly into SQL to use parameterised queries / prepared statements. This is the most critical, most commonly found, and most directly exploitable web application vulnerability. The fix is straightforward (parameterised queries are a few lines of code change per query), the impact is high (SQL injection enables full database extraction), and it is something an automated scanner will find and any pentester will test for. After that: verify your password hashing algorithm. If you are storing passwords with MD5 or SHA-1, migrate to bcrypt or Argon2 immediately — it is a one-time code change with significant security impact.
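The migration this answer (and the "bcrypt or Argon2" item in the developer checklist) calls for has one practical wrinkle: you cannot re-hash stored MD5 values in bulk, because the plaintext is only available when each user next logs in. The following is an added example, not code from the original post, of that transparent-upgrade pattern. It uses the standard library's `hashlib.scrypt` (also a salted, memory-hard slow hash) as the stand-in so it runs without third-party packages; swapping in the `bcrypt` or `argon2-cffi` package changes only `hash_password` and the first branch of `verify_password`. The storage format, cost parameters and sample user are this example's own.

```python
import hashlib
import hmac
import os

# scrypt cost parameters. n=2**14 keeps this example quick enough to run in a test
# while remaining orders of magnitude slower than MD5; tune upward in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """New format: algorithm, cost, random per-user salt and digest in one string."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Accepts both the new format and legacy unsalted MD5 so the migration can be gradual."""
    if stored.startswith("scrypt$"):
        _, n, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=SCRYPT_R, p=SCRYPT_P)
        return hmac.compare_digest(digest.hex(), digest_hex)
    # Legacy branch: unsalted MD5 hex, the format the checklist says to leave behind.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored)


def needs_rehash(stored: str) -> bool:
    return not stored.startswith("scrypt$")


def login(users: dict, username: str, password: str) -> bool:
    """On a successful login, an account still on MD5 is upgraded in place, because
    this is the only moment the plaintext is available to hash properly."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


# Constructed legacy user table: one account still stored as unsalted MD5.
LEGACY_USERS = {"alice": hashlib.md5(b"hunter2").hexdigest()}
```

Two operational notes: count how many rows still lack the `scrypt$` prefix so you can see the migration finish, and put a deadline after which remaining legacy accounts are forced through a password reset rather than left on MD5 indefinitely.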
Is there a simple way to test my website's security headers?
Yes — visit securityheaders.com and enter your website URL. The tool analyses your HTTP response headers and gives you a letter grade (A+ to F) with specific recommendations for each missing or misconfigured header. This is free, takes seconds, and clearly shows exactly which headers to add. Similarly, SSL Labs (ssllabs.com/ssltest) tests your TLS configuration and grades it — showing if you have old TLS versions enabled, weak cipher suites, or certificate issues. Running both tests takes under 5 minutes and gives you a clear list of security header improvements to implement. Both tools are free and require no account.