Enterprise cybersecurity hygiene checklist for 2025

Standard cybersecurity hygiene checklist

The following practices should be woven into any cybersecurity hygiene checklist:

• Patch, patch, patch. Keep company-owned devices patched and up to date with the latest software versions. Unpatched vulnerabilities are an especially inviting entry point for cybercriminals. A survey published by Sophos in 2024 found that 32% of ransomware attacks began with exactly that kind of vulnerability.
• Have a strong identity and access management program that does the following:
• Requires strong passwords.
• Uses multifactor authentication.
• Prohibits credential reuse.
• Offers biometrics use.
• Employs the principle of least privilege.
• Don't share credentials.
• Don't use public Wi-Fi.
• Segment networks.
• Manage and secure endpoints.
• Install antimalware and firewalls.
• Encrypt drives and devices by default.
• Perform regular data backups.
• Conduct and participate in security awareness training.
• Avoid social engineering scams.
• Perform asset discovery, inventory and management.
• Create, implement and maintain enterprise security policies.

Special considerations: Bring your own home cybersecurity hygiene

In a new era of remote and hybrid work, organizations have had to grapple with how to keep corporate assets safe -- whether employees are working in the office or from home.

To avoid common remote and hybrid employee security issues, follow these security best practices:

• VPNs everywhere. Most enterprises have a VPN enabled by default for access to the corporate network. But, even in the absence of that, employees would do well to install a VPN client that enables encrypted connections to strengthen public Wi-Fi or poorly secured home connections. Companies should also be aware of VPNs that don't work in certain geographies. TunnelBear, for example, stopped doing business in India in 2022 and is no longer available in India because the company declined to comply with new government regulations. To further strengthen access controls, companies should consider adopting the zero-trust model.
• Patch, patch, patch. Patching and updating company-owned devices have already been mentioned, but it's also critical end users understand the importance of patching their own devices -- especially as more and more workers use their own devices for work purposes. The patching of hidden devices, such as a smart microwave or thermostat, should also be periodically reviewed as smart home devices could be the source of lateral compromise on an enterprise.

Special considerations: Cloud cybersecurity hygiene

While cloud computing helps improve productivity, accessibility and scalability, risks from a security perspective inevitably follow.

To keep employees and employers safe in the cloud, follow these key cloud cybersecurity hygiene best practices:

• Create a cloud usage and security policy. Spell out the dos and don'ts of what is accepted cloud use and what is not. For instance, an enterprise might use Microsoft's OneDrive for document sharing, but certain users might prefer services from Google Drive or Box. Admins should acknowledge the importance of user preference but take a stance on cloud app use that aligns with the organization's risk-based security strategy. They should also provide short, engaging training on how to use the cloud for secure data sharing.
• Be mindful when giving document and shared folder access rights to co-workers, partners, etc.
• Revoke and delete permissions where appropriate and when disengagement happens -- for example, at project conclusion or employee resignation. When user provisioning and deprovisioning aren't handled carefully, an organization creates the types of overprivileged and orphaned user identities that cybercriminals so often exploit.
• Be mindful of account cross-pollination. Consider, for example, how many Google accounts many employees likely have. Making sure each uses the correct Google Drive account -- one for work purposes -- is critical to data security. Likewise, don't use a work Dropbox account to share family photos.
• Exercise privacy and confidentiality rights. While not top of mind for most individuals, these are top priorities for corporations. Legislation, such as GDPR and CCPA, call out specific privacy rights. For example, it is critical to ensure digital trails are obliterated when SaaS applications are no longer in use or to conduct periodic reviews of data collected by enterprise SaaS applications. These tasks require training and innovative incentives, such as security gamification, to raise awareness among employees.
• Include cloud security in enterprise security awareness training sessions. If a public data store breach occurs, use it as an example to drive home the message of how it could have been avoided.

Ashwin Krishnan is the host and producer of StandOutIn90Sec, based in California. where he interviews tech leaders, employees and event speakers in short, high-impact conversations.