
A 25-Point Cybersecurity Checklist: How Does Your Organization Rate?

You know cybersecurity is important. You hear about ransomware and cyberattacks nearly every day. And you sense that your current cybersecurity defenses may not defend you in case the worst happens.

Yet, it can be so easy to put off improving cybersecurity. Why? Often, it’s difficult to know where you should begin.

As a way to start building a plan, use this cybersecurity checklist to find out what you already have, what’s missing, and what to fix first.

How to score each item

  • Yes: We have it, it’s configured correctly, and it’s maintained.
  • No: We don’t have it or it’s not consistently applied.
  • Not sure: We can’t prove, measure, or demonstrate it.

To organize this checklist into clear groups, we used the industry-standard NIST Cybersecurity Framework 2.0 model, which reflects modern best practices. These groups are:

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Govern

1. Defined cybersecurity ownership and decision-making

Unclear cybersecurity ownership exacerbates existing gaps and slows down your response when you have a cyber incident. You need a named owner (or owners) with clear responsibilities, documented cyber incident escalation paths, and required reporting to leadership.

2. Enforced cybersecurity policies

Creating policies will help you enforce cybersecurity across your organization. Policies should cover:

  • Acceptable use: Defines how employees are expected to safely and responsibly use your organization’s systems, devices, and data during their day-to-day work.
  • Access control: Explains who can access which systems or information, and ensures people only have access to what they need to do their jobs.
  • Passwords: Organizations need to create a policy that enforces the use of strong passwords or passphrases and the use of multifactor authentication (MFA).
  • Vendor risk: Sets expectations for how third-party vendors must protect your data and systems when they provide services or access.
  • Incident response: Describes how your organization will recognize, respond to, and recover from security incidents.
  • Data handling: Establishes how sensitive information should be collected, used, shared, stored, and protected throughout its lifecycle.
  • Data backup and recovery: Defines how you back up and restore critical data when systems fail or you lose data.

3. Vendor risk assessment

Third-party vendors and contractors are often a weak link in an organization’s cybersecurity. Evaluate critical vendors and require minimum security controls such as multifactor authentication (MFA), logging, and breach notification terms.

4. Defined and measured cybersecurity baseline

As cybersecurity evolves, the mandatory baseline has shifted. You need to create a list of the minimum required cybersecurity controls to which your organization will adhere. These become non-negotiable.

Identify

5. IT asset inventory

An IT asset inventory is important for cybersecurity. If you don’t know how many servers and computers you have, and where they are, then how do you know they are secure and out of unauthorized hands? This inventory should include any servers, endpoint devices, and cloud infrastructure.

6. Software and application inventory

Make sure you also inventory all your software, including software-as-a-service (SaaS). Unauthorized, neglected, or unknown software can increase your cybersecurity attack surface.

7. Data classification

It’s impractical to protect and secure all data equally. Identify high-value targets such as finance, HR, customer, and other sensitive and/or confidential data so that you’re better able to prioritize their protection.

8. Cybersecurity risk assessment

A cybersecurity risk assessment identifies, analyzes, and prioritizes risks to your organization’s information systems, data, and digital operations. By identifying threats, vulnerabilities, and potential impacts, this assessment helps you understand what could go wrong, how bad it would be, and what to do about it.

Protect

9. Security awareness training

Despite the best cybersecurity defenses, an employee tricked by a phishing email or malicious website can allow a cyberattacker into your network. Periodic security awareness training with online videos and phishing simulations helps teach employees how to detect and avoid common cyber threats.

10. Multifactor authentication (MFA)

MFA is a method of verifying users’ identities before granting them access to a system. 99.2% of account compromise attacks can be blocked by MFA. It’s the most important item on this list—and it’s free.

11. Email security

Basic antispam and email filtering tools make sure that most junk email—including many potential phishing email messages that could trick employees into downloading ransomware or giving away sensitive and confidential information—never reaches your employees’ inboxes. But email security today goes beyond just spam filtering. Make sure you’re using the latest tools, which can block AI-enhanced phishing, QR code scams, and malicious HTML attachments.

12. Software patching

Many devastating cyberattacks have been successful simply because organizations do not patch software vulnerabilities. Operating system and application vendors regularly provide software patches that shore up security vulnerabilities. Applying these patches is an essential part of a cybersecurity strategy.

13. Mobile strategy

Many employees may access your organization’s data through their smartphones, tablets, and laptops. If so, you need a mobile security strategy—whether it’s issuing work-only devices to employees or providing secure access to sensitive and confidential data if they use a personal device.

14. Web content and DNS filtering

Special tools can place restrictions on what internet content employees can access. This helps prevent them from downloading malicious files and software. You also need DNS filtering to block access to malicious websites at the domain level—so that an employee never even gets to access it.
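To show what “blocking at the domain level” means in practice, here is an added example (not VC3’s code or any filtering product’s) of the decision a DNS filter makes before a connection is ever attempted. The blocklist text, the allowlist, and the `.test` domain names are constructed for the example; a blocklist entry covers the domain and every subdomain beneath it, and the matching is done on whole labels so that a lookalike such as `notmalware-example.test` is not accidentally caught by a substring match.

```python
"""Domain-level block decision for a DNS filter (constructed example)."""

# Constructed sample blocklist: hosts-file style and plain-domain entries mixed.
BLOCKLIST_TEXT = """\
# blocklist sample; '#' starts a comment
0.0.0.0 malware-example.test
bad-example.test        # blocks bad-example.test and every subdomain
*.tracker-example.test
"""

# Assumed explicit exceptions that win over the blocklist (exact names only).
ALLOWLIST = frozenset({"docs.bad-example.test"})


def normalize(name):
    """Lower-case, drop a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def load_blocklist(text):
    """Parse hosts-style ('0.0.0.0 domain') and bare-domain lines into a set."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) > 1 else parts[0]   # hosts style puts the IP first
        blocked.add(normalize(name))
    return blocked


def decide(qname, blocked, allowlist=ALLOWLIST):
    """Return 'block' or 'allow' for a queried name.

    Walks from the full name up through each parent domain so that a blocked
    parent covers all its subdomains; comparison is per whole label, never a
    substring test.
    """
    name = normalize(qname)
    if name in allowlist:
        return "allow"
    labels = name.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return "block"
    return "allow"


BLOCKED = load_blocklist(BLOCKLIST_TEXT)

if __name__ == "__main__":
    for q in ("cdn.malware-example.test.", "notmalware-example.test",
              "docs.bad-example.test", "www.bad-example.test", "example.test"):
        print(f"{q:32} -> {decide(q, BLOCKED)}")
```

A real resolver would answer a blocked query with a sinkhole address or NXDOMAIN and log the event; the part worth checking in any product you buy is exactly the matching shown here: case and trailing-dot normalization, subdomain coverage, and no substring matches.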

15. Access control

Make sure you have the technical capabilities and oversight in place to give people only the level of access they need (known as the concept of “least privilege”), to identify remote users and ensure they are using organization-approved devices to connect, and to handle administrative access with extra care and thought.

16. Vulnerability management

Vulnerability management goes beyond software patching to identify a wider array of security weaknesses—from misconfigurations to zero-day threats. Where patch management only focuses on software updates, vulnerability management gives you a comprehensive view of any misconfigurations, outdated systems, and emerging threats across multiple servers, applications, and cloud services.

Detect

17. Endpoint detection and response (EDR)

EDR is one of the most basic tools of cybersecurity defense. It has replaced antivirus software as a baseline cybersecurity item, especially with cyber insurers and regulators. Without EDR, you will not be able to effectively fend off cyberattacks.

18. Cloud and SaaS detection and response

With more of your information living in cloud applications (such as Microsoft 365 and Google Workspace), cybercriminals are increasingly targeting these cloud accounts using stolen user credentials and other malicious logins to gain unauthorized access to your data. Cloud and SaaS detection and response tools give you visibility into suspicious activities within your cloud platforms such as risky sign-ins, abnormal file access, unauthorized sharing, and compromised accounts.

19. Dark web monitoring

The dark web allows for anonymous browsing with specialized software. Many use the dark web for illicit and illegal activity. IT professionals can monitor the dark web in case account credentials (such as administrative passwords) or stolen customer information appears on the black market.

20. 24/7 security team

It’s important that experienced IT professionals monitor your systems and provide security notifications when something seems wrong. This way, you start to proactively get ahead of security issues. Also known as managed detection and response (MDR), a 24/7 security team will proactively look for cyberthreats across your servers, computers, and network—specifically looking for threats that may have already gotten inside your systems by watching for behavior and activity that looks suspicious.

21. Security Information and Event Management (SIEM)

SIEM collects security information from different sources and identifies the most critical security alerts. For example, it can identify anomalies such as a user logging in from another country. This kind of information helps IT professionals more easily detect threats, identify suspicious activity, and investigate potential security incidents.

22. Identity management and threat detection

These tools provide real-time visibility and protection against cyberattacks that use stolen passwords or accounts. Clues include suspicious logins, employees located in unlikely places, risky sign-ins, and credential abuse.
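Items 18, 21, and 22 all describe the same kind of detection: rules run over sign-in telemetry to spot “a user logging in from another country” or a risky sign-in. The following added example (not VC3’s code or any vendor’s product logic) shows two such rules over a constructed JSON-lines sign-in log. The field names, the baseline cutoff date, and the four-hour travel threshold are assumptions; the users, IPs, and countries are invented sample data.

```python
"""Two sign-in anomaly rules over a constructed audit-log sample.

Rule 1, new_country: a user succeeds from a country absent from their baseline.
Rule 2, impossible_travel: two successes by one user from different countries
closer together than MIN_TRAVEL_GAP.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MIN_TRAVEL_GAP = timedelta(hours=4)        # assumption: tune per environment
BASELINE_CUTOFF = datetime(2024, 3, 6)     # successes before this form the baseline

# Constructed sign-in events; field names are assumptions, not a vendor schema.
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:02:11Z", "user": "alice", "country": "US", "result": "success", "ip": "198.51.100.10"}
{"ts": "2024-03-04T08:40:53Z", "user": "bob",   "country": "US", "result": "success", "ip": "198.51.100.22"}
{"ts": "2024-03-04T09:15:07Z", "user": "alice", "country": "US", "result": "success", "ip": "198.51.100.10"}
{"ts": "2024-03-05T07:58:30Z", "user": "bob",   "country": "US", "result": "success", "ip": "198.51.100.22"}
{"ts": "2024-03-06T03:12:44Z", "user": "alice", "country": "RO", "result": "failure", "ip": "203.0.113.77"}
{"ts": "2024-03-06T03:13:01Z", "user": "alice", "country": "RO", "result": "success", "ip": "203.0.113.77"}
{"ts": "2024-03-06T04:02:19Z", "user": "alice", "country": "US", "result": "success", "ip": "198.51.100.10"}
{"ts": "2024-03-06T08:30:00Z", "user": "bob",   "country": "US", "result": "success", "ip": "198.51.100.22"}
"""


def parse_events(text):
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def build_baseline(events, cutoff):
    """Countries each user successfully signed in from before the cutoff."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < cutoff:
            baseline[e["user"]].add(e["country"])
    return dict(baseline)


def detect_anomalies(events, baseline, travel_gap=MIN_TRAVEL_GAP):
    alerts = []
    last_success = {}                       # user -> most recent successful event
    for e in events:
        if e["result"] != "success":
            continue                        # failures feed other rules, not these two
        known = baseline.get(e["user"], set())
        # A user with no baseline yet cannot be judged against one; skip rather than alert.
        if known and e["country"] not in known:
            alerts.append({"rule": "new_country", "user": e["user"],
                           "country": e["country"], "ts": e["ts"]})
        prev = last_success.get(e["user"])
        if (prev is not None and prev["country"] != e["country"]
                and e["ts"] - prev["ts"] < travel_gap):
            alerts.append({"rule": "impossible_travel", "user": e["user"],
                           "from": prev["country"], "to": e["country"], "ts": e["ts"]})
        last_success[e["user"]] = e
    return alerts


def run(log_text=SAMPLE_LOG, cutoff=BASELINE_CUTOFF):
    events = parse_events(log_text)
    return detect_anomalies(events, build_baseline(events, cutoff))


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the sample, alice’s success from RO raises a new_country alert, and her US success 49 minutes later raises impossible_travel; the failed RO attempt is deliberately ignored by these two rules, since a failed sign-in is evidence for a different rule (credential spraying or password guessing), not for a successful compromise. A SIEM or identity threat detection product applies the same shape of logic with richer signals (device, ASN, MFA result) and a learned rather than fixed baseline.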

Respond

23. Incident response planning

Developing a plan detailing how you respond to a cyberattack will help you react to an incident with “muscle memory”—rather like a fire drill. Your team will know exactly what to do. Your plan should clarify roles, key contacts, playbooks, and communications.

24. Security Orchestration, Automation, and Response (SOAR)

Usually teamed up with SIEM, SOAR automatically responds to common threats faster than a person—which is important in today’s fast-moving cybersecurity climate. SOAR can also alert your IT team so that they can address the issue more deeply while filtering out false alarms.

Recover

25. Data backup and disaster recovery

To ensure you can recover data after a successful cyberattack, your data backup and disaster recovery needs an onsite component (for quick recovery in case of a server failure or similar incident), an offsite component (in case of a severe cyberattack such as ransomware), and a testing component (to ensure that you can actually recover your data after an incident). Backups must be immutable and isolated—kept completely separate from your systems and networks so that ransomware cannot alter, encrypt, or delete them. You should also define your acceptable downtime and acceptable data loss.
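The testing component is the part most often skipped, so here is an added example (not VC3’s code or any backup product’s) of what a minimal restore test looks like: take a backup of a directory, record a SHA-256 manifest of every file, then prove the backup is restorable by extracting it into scratch space and checking each restored file against the manifest. The source tree, file contents, and file names are constructed inside a temporary directory; the `tamper` switch simulates a restore that no longer matches its recorded manifest so the failure path is exercised too.

```python
"""Backup with an integrity manifest plus a test restore (constructed example)."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, dest_dir):
    """Archive `source` into dest_dir/backup.tar.gz and write a SHA-256 manifest."""
    source, dest_dir = Path(source), Path(dest_dir)
    archive = dest_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path = dest_dir / "backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_restore(archive, manifest_path):
    """Restore into scratch space and compare to the manifest; return (ok, problems)."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses path traversal (Python >= 3.12 / backports)
            except TypeError:
                tar.extractall(scratch)                  # older interpreters without the filter argument
        for rel, digest in sorted(manifest.items()):
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"corrupt: {rel}")
    return not problems, problems


def demo(tamper=False):
    """Build a constructed source tree, back it up, and run the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed content
        (src / "notes.txt").write_text("constructed sample\n")
        out = Path(work) / "backups"
        out.mkdir()
        archive, manifest_path = create_backup(src, out)
        if tamper:
            # Simulate a restore that no longer matches its recorded digest.
            m = json.loads(manifest_path.read_text())
            m["notes.txt"] = "0" * 64
            manifest_path.write_text(json.dumps(m))
        return verify_restore(archive, manifest_path)


if __name__ == "__main__":
    print("clean run:   ", demo())
    print("tampered run:", demo(tamper=True))
```

In production the manifest would be stored with the offsite copy and the restore test scheduled against the immutable copy, not the live server; the point of the exercise is that a backup nobody has restored from is an assumption, not a control.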

Scoring

Here’s a high-level interpretation of what your results mean:

  • 18–25 “Yes”: You’ve got a strong foundation. Focus on fine-tuning and filling in any remaining gaps.
  • 10–17 “Yes”: You’ve got moderate risk. While you likely have some tools in place, critical gaps could easily lead to a cyber incident.
  • 0–9 “Yes”: You’re at high risk of a cybersecurity incident. Prioritize data backups, endpoint detection and response (EDR), software patching, and email security first.

If most of your responses were “Not sure,” your first priority is visibility. We recommend starting with an inventory and a risk assessment.

Ready for Better Cybersecurity?

Cybersecurity moves fast. Are you ahead of the cyberattackers? Many organizations also face pressure from cyber insurance companies and regulatory bodies, making these foundational cybersecurity controls more like requirements rather than “nice-to-haves.”

VC3’s approach to cybersecurity emphasizes foundational protection plus add-ons for organizations that need deeper visibility and control. If you want help turning your gaps from this checklist into a prioritized roadmap, contact us today. We’ll review your current security posture and identify your fastest risk-reduction wins.

TL;DR

Cybersecurity isn’t one tool or one project. It’s a system of controls that reduces risk across user access, email, endpoints, networks, data, and disaster recovery. This checklist helps you quickly benchmark where you’re strong, where you’re exposed, and what to prioritize next. It focuses on what most organizations need today: phishing-resistant email security and access controls, ransomware-ready backups and recovery, continuous vulnerability management, security monitoring, and clear incident response — with governance and vendor risk treated as critical requirements, not afterthoughts.
