Cybersecurity Checklist 2026 — 20 Things to Do Right Now
Your 2026 Cybersecurity Checklist
Cybersecurity does not require a computer science degree. The 20 steps in this checklist are practical and actionable, grouped by category and rated by impact in the quick-reference table at the end. Most take less than 30 minutes to complete. Together, they dramatically reduce your risk of being hacked, scammed, or having your identity stolen.
We have grouped these steps into five categories: Account Security, Device Security, Network Security, Privacy, and Advanced measures. Start with Account Security — it addresses the most common attack vectors — and work your way through as time permits.
---
Account Security (Steps 1-4)
1. Install a Password Manager
Difficulty: Easy | Time: 15 minutes | Impact: Critical
A password manager is the single most impactful security tool you can adopt. It generates unique, complex passwords for every account and remembers them for you. You only need to memorize one master password.
What to do:
- Choose a password manager: NordPass (easiest), Bitwarden (free, open source), or 1Password (most features)
- Create a strong master password: a passphrase of 4-6 randomly chosen words (14+ characters). Never reuse it anywhere else, and keep a written copy somewhere safe until you have memorized it
- Install the browser extension and mobile app
- Import your existing passwords from your browser, then turn off the browser's own password saving so there is one place to look
- Start replacing reused and weak passwords (the password manager will flag them)
Without a password manager, you are almost certainly reusing passwords — and a single breach on any site exposes every account sharing that password.
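The strength of the "4-6 random words" advice comes from the size of the word list and the number of words, not from the words being unusual. The following Python is an added example (not code from the original page or from any of the password managers named above) that generates a passphrase with a cryptographically secure random source and works out its entropy. The 32-word list embedded here is constructed for the demo; 7776 is the size of a standard diceware list such as the EFF long list; the guess rate passed to years_to_crack is an assumption the reader should adjust.

```python
import math
import secrets

# Constructed mini wordlist for the demo. A real diceware list (e.g. the EFF long list)
# has 7776 words; the list size is what sets the strength contributed by each word.
DEMO_WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "river", "saffron", "tundra", "umber", "violet", "willow", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cobalt", "delta", "echo", "falcon",
]
EFF_LONG_LIST_SIZE = 7776  # 6**5 words, one word per five dice rolls


def generate_passphrase(n_words: int, wordlist: list[str] = DEMO_WORDS, sep: str = "-") -> str:
    """Pick n_words uniformly at random with the OS CSPRNG (secrets, never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly and independently.

    Each word contributes log2(list_size) bits, so the total is n_words * log2(list_size).
    Using dictionary words does not weaken this: the attacker is assumed to know the list.
    """
    return n_words * math.log2(list_size)


def guesses_to_exhaust(bits: float) -> float:
    """Guesses needed to try every passphrase with the given entropy (worst case for the attacker)."""
    return 2.0 ** bits


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Full-search time at an ASSUMED guess rate. 1e10/s is a constructed figure for a
    well-resourced attacker against a fast hash; against a password manager's slow KDF
    (Argon2, PBKDF2 with high iterations) the real rate is orders of magnitude lower."""
    return guesses_to_exhaust(bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("demo passphrase (32-word list):", generate_passphrase(5))
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(n, EFF_LONG_LIST_SIZE)
        print(f"{n} words from {EFF_LONG_LIST_SIZE}: {bits:.1f} bits, "
              f"{years_to_crack(bits, 1e10):.1e} years at 1e10 guesses/s (assumed rate)")
```

Four words from a 7776-word list give about 52 bits and six words about 78 bits, and the arithmetic assumes the attacker knows exactly which list you used. It also assumes the words were chosen by dice or by the manager's generator; words a person picks cluster heavily, and the calculation no longer applies.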
2. Enable Two-Factor Authentication (2FA) Everywhere
Difficulty: Easy | Time: 30-60 minutes | Impact: Critical
Two-factor authentication adds a second verification step beyond your password. Even if an attacker learns your password from a breach or a phishing page, they still need the second factor to get in.
What to do:
- Enable 2FA on your email accounts first (email is the gateway to all other account recoveries)
- Enable 2FA on financial accounts (banking, investment, PayPal)
- Enable 2FA on social media (Facebook, Instagram, X, LinkedIn)
- Use an authenticator app (Google Authenticator, Authy, or your password manager's built-in TOTP) instead of SMS codes
- Store backup codes in your password manager
- Where the service allows it, remove SMS as a fallback method once the app is set up; otherwise the SMS path stays available to an attacker
Why not SMS? SMS-based 2FA is vulnerable to SIM swapping, where an attacker convinces your carrier to move your number to their SIM and then receives your codes. Authenticator-app codes never pass through the carrier, so SIM swapping does not affect them. (App codes can still be phished by a fake login page that relays them in real time, which is why step 17 matters for your most important accounts.)
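What an authenticator app actually does, as an added Python example (not code from the page or from any of the apps named above): both sides hold the same secret from the QR code and compute an HMAC over the current 30-second time step, per RFC 4226 and RFC 6238. No phone number or carrier is involved anywhere, which is why SIM swapping cannot reach these codes. The base32 secret in the __main__ block is constructed for the demo; the acceptance window in verify_totp is the reason a relayed code is still usable for a short time.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 setup key shown under the QR code (spaces and case are ignored)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # setup keys usually omit the '=' padding; restore it
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second periods since
    the Unix epoch. Both the app and the server compute this locally from key + clock."""
    return hotp(key, unix_time // step, digits, algorithm)


def verify_totp(key: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check that accepts the current step plus `window` steps either side to
    tolerate clock skew. This window is also why a code handed to a phishing page and relayed
    within a minute or so still works: the code is bound to time, not to the website."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed demo secret (not from any real account), as printed under a QR code.
    key = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    now = int(time.time())
    print("current code:", totp(key, now), "valid for about", 30 - now % 30, "more seconds")
```

The test vectors from the RFCs use the ASCII key "12345678901234567890"; if your own implementation matches them, it will match Google Authenticator for the same secret.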
3. Check Have I Been Pwned
Difficulty: Easy | Time: 5 minutes | Impact: High
Visit haveibeenpwned.com and enter your email address(es). This free service checks whether your email appears in known data breaches and tells you which breaches exposed your data.
What to do:
- Check every email address you use
- If breached, change the password for the affected service immediately
- If you reused that password anywhere else, change it everywhere (your password manager makes this fast)
- Sign up for breach notifications so you are alerted to future breaches
4. Delete Unused Accounts
Difficulty: Easy-Medium | Time: 1-2 hours | Impact: Medium
Every online account is a potential breach vector. Services you signed up for years ago and forgot about still hold your data — and may have weaker security than your current accounts.
What to do:
- Review your password manager or browser's saved passwords for old accounts
- Check your email for old registration confirmations
- Use JustDeleteMe (justdeleteme.xyz) to find account deletion instructions for various services
- Delete accounts you no longer use
- For services that will not let you delete, remove stored payment details and personal data, change the email to an alias, and randomize the password
---
Device Security (Steps 5-8)
5. Update Everything — OS, Apps, Firmware
Difficulty: Easy | Time: 30 minutes | Impact: Critical
Software updates patch security vulnerabilities that attackers actively exploit. The WannaCry ransomware outbreak of May 2017, which crippled hospitals and businesses worldwide, exploited a Windows vulnerability that Microsoft had patched two months earlier; the victims simply had not installed the update.
What to do:
- Enable automatic updates on Windows, macOS, iOS, and Android
- Update your browser (Chrome, Firefox, Safari, Edge); browsers are one of the most common attack vectors, and most only finish updating when restarted, so restart them regularly
- Update your router firmware (log into your router's admin panel to check, and enable automatic firmware updates if it offers them)
- Update smart home devices (cameras, speakers, thermostats), and replace devices the manufacturer no longer supports
- Do not postpone update notifications; install them within 24 hours
6. Enable Full-Disk Encryption
Difficulty: Easy | Time: 10 minutes | Impact: High
If your laptop or phone is lost or stolen, full-disk encryption prevents anyone from reading your data without your password. It protects data only while the device is powered off or locked, so it works together with a strong screen lock (step 8), and it only helps you if you keep the recovery key.
What to do:
- Windows: Settings → Privacy & Security → Device encryption turns on BitLocker-based encryption on Windows Home if the hardware supports it; the full BitLocker controls (Control Panel → BitLocker Drive Encryption) require Pro, Enterprise, or Education
- macOS: Enable FileVault (System Settings → Privacy & Security → FileVault)
- iPhone/Android: Enabled by default on modern devices once a screen lock is set. Verify in settings
- External drives: Encrypt USB drives and external hard drives containing sensitive data with BitLocker To Go (Windows) or by formatting them as APFS (Encrypted) in Disk Utility (macOS)
- Save the recovery key that BitLocker or FileVault gives you in your password manager or on paper in a safe place; without it, a forgotten password means the data is gone for good
7. Use Reputable Antivirus Software
Difficulty: Easy | Time: 15 minutes | Impact: Medium-High
Modern operating systems include decent built-in protection (Microsoft Defender on Windows, XProtect and Gatekeeper on macOS). Dedicated antivirus software can add layers such as web and phishing filtering and ransomware protection, but no product catches every new threat, so treat it as one layer alongside updates (step 5) and 2FA (step 2), not a substitute for them.
What to do:
- Windows: Microsoft Defender (built in) is good baseline protection. For enhanced protection, consider Bitdefender or Norton
- macOS: While Macs are less targeted, they are not immune. Consider Malwarebytes for Mac
- Android: Install a reputable antivirus (Bitdefender, Norton, or the security features included with NordVPN/Surfshark), install apps only from Google Play, and keep Google Play Protect enabled
- iPhone: iOS's sandboxed architecture makes traditional antivirus unnecessary. Focus on keeping iOS updated
- Run a full system scan after installation
8. Set Strong Screen Locks
Difficulty: Easy | Time: 5 minutes | Impact: Medium
A strong screen lock is your first line of defense for physical access to your device.
What to do:
- Use a 6-digit PIN at minimum (preferably an alphanumeric passcode) on your phone
- Enable biometric unlock (fingerprint/face) for convenience without sacrificing security; the passcode still protects the device after a restart
- Set your computer to lock automatically after 5 minutes of inactivity
- Set your phone to lock immediately when the screen turns off
- Never use swipe patterns; they are easily observed and leave visible traces on the screen
---
Network Security (Steps 9-12)
9. Use a VPN on Public WiFi
Difficulty: Easy | Time: 10 minutes | Impact: High
Public WiFi networks (cafes, airports, hotels) are hunting grounds for attackers. Most websites now use HTTPS, which protects the content of each connection even on a hostile network, but anyone on the same network can still see which sites you visit (DNS lookups and server names), tamper with whatever unencrypted traffic remains, or set up a look-alike hotspot that your device joins automatically. A VPN moves all of that inside one encrypted tunnel to the VPN provider, so you are trusting the provider instead of the cafe; choose one accordingly.
What to do:
- Install NordVPN or Surfshark on all your devices
- Set the VPN to auto-connect on untrusted WiFi networks
- Enable the kill switch so traffic is blocked if the VPN drops
- If you cannot use a VPN, avoid accessing sensitive accounts (banking, email) on public WiFi
- Turn off auto-connect to open WiFi networks in your device settings, and remove public networks you no longer use from your saved networks list
10. Change Your Router Password
Difficulty: Easy | Time: 10 minutes | Impact: High
Most people never change their router's default admin password. Default credentials for every router model are publicly available online, so anyone who gets onto your network (a guest, a compromised smart device, or an attacker who has guessed your WiFi password) can take over the router itself: change its DNS settings, open ports, or watch your traffic. If remote administration is enabled, that access is available from the whole internet.
What to do:
- Log into your router (typically 192.168.1.1 or 192.168.0.1 in your browser; the address and default login are usually printed on a label on the device)
- Change the admin password to something strong and unique (store it in your password manager)
- Change the WiFi network name (SSID) to something that identifies neither your router model nor you
- Change the WiFi password to a strong, unique passphrase
- Disable remote administration unless you specifically need it
- While you are logged in, check for a firmware update (step 5)
11. Switch to WPA3
Difficulty: Easy-Medium | Time: 15 minutes | Impact: Medium
WPA3-Personal is the current WiFi security standard. It replaces the WPA2 pre-shared-key handshake with SAE (Simultaneous Authentication of Equals), so an attacker who records your WiFi handshake can no longer guess your password offline at unlimited speed; every guess has to be made live against the router, which can slow it down. With WPA2, a recorded handshake can be attacked offline on fast hardware, which is why the WiFi passphrase from step 10 must be long and random.
What to do:
- Log into your router's admin panel
- Navigate to wireless security settings
- Select WPA3-Personal if available, or WPA2/WPA3 transitional mode for compatibility with older devices (transitional mode keeps WPA2's weaknesses for every device that still connects with WPA2, so move to WPA3-only once your devices allow it)
- If your router does not support WPA3, ensure WPA2-AES (CCMP) is selected; never use WEP or WPA-TKIP
- If your router is old enough to lack WPA3, check whether it still receives firmware updates and consider upgrading; modern routers also provide better speed and range
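Why WPA2's key derivation invites offline guessing, as an added Python example (not code from the page): the pairwise master key is PBKDF2-HMAC-SHA1 over the passphrase with the network name as the only salt, 4096 iterations. derive_pmk reproduces the published IEEE 802.11 test vector for passphrase "password" on SSID "IEEE". offline_dictionary_attack is a simplified model of what a cracker does with a recorded handshake (comparing against a bare PMK stands in for checking the handshake's MIC; the per-guess cost is the same PBKDF2 call). The SSIDs and candidate list are constructed. WPA3's SAE handshake is not implemented here; the contrast is that SAE forces every guess to go live through the router.

```python
import hashlib
import time
from typing import Optional


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal pairwise master key (IEEE 802.11, passphrase-to-PSK mapping):
    PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, salted only with the SSID.
    Because the salt is just the network name, attackers precompute tables for common
    default SSIDs ("linksys", "NETGEAR", ...), one more reason to rename yours."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def offline_dictionary_attack(ssid: str, captured_pmk: bytes, candidates: list[str]) -> Optional[str]:
    """Simplified model of cracking a recorded WPA2 handshake: derive the PMK for each
    candidate passphrase and compare. Nothing is sent to the router, so no rate limit or
    lockout applies; only the size of the candidate space protects the network. A real
    cracker verifies each candidate against the handshake MIC instead of a bare PMK."""
    for guess in candidates:
        if derive_pmk(guess, ssid) == captured_pmk:
            return guess
    return None


def guesses_per_second(ssid: str = "HomeNet", samples: int = 20) -> float:
    """Measure this machine's PBKDF2 rate in pure Python (a constructed benchmark;
    GPU crackers reach hundreds of thousands of WPA2 guesses per second)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"guess{i}", ssid)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed scenario: a weak passphrase on a home network whose handshake was recorded.
    pmk = derive_pmk("sunshine1", "HomeNet")
    wordlist = ["123456", "password", "qwerty", "sunshine1", "letmein"]
    print("recovered passphrase:", offline_dictionary_attack("HomeNet", pmk, wordlist))
    print(f"{guesses_per_second():.0f} guesses/s here; a strong random passphrase keeps the"
          " search far beyond any achievable rate")
```

A random 6-word passphrase (step 1's arithmetic applies here too) puts the search out of reach even at GPU speeds; a word from a dictionary plus a digit, as in the constructed example, falls in seconds.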
12. Disable WPS
Difficulty: Easy | Time: 5 minutes | Impact: Medium
WiFi Protected Setup (WPS) was designed to make connecting devices easier by pressing a button or entering an 8-digit PIN. Unfortunately, the PIN method has a design flaw: the access point reveals whether the first four digits were right before it ever checks the last four, and the eighth digit is a checksum of the other seven, so an attacker within range needs at most about 11,000 guesses instead of 100 million. That is enough to recover the PIN, and with it the WiFi password, within hours. Push-button mode is not affected by this flaw, but many routers cannot disable PIN mode on its own, so turn WPS off completely.
What to do:
- Log into your router's admin panel
- Find WPS settings (often under Wireless or Advanced settings)
- Disable WPS entirely
- Connect new devices using the WiFi password instead
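The arithmetic behind "within hours", as an added Python example (not code from the page): the WPS PIN's eighth digit is a checksum over the first seven, and the protocol confirms the first half before checking the second, so the attacker searches two small spaces instead of one large one. The seconds-per-attempt figure passed to hours_at_rate is a constructed estimate.

```python
def wps_checksum(first_seven: str) -> int:
    """Checksum digit for a 7-digit WPS PIN body (Wi-Fi Simple Configuration scheme):
    weight the digits 3,1,3,1,3,1,3, sum, and return the digit that makes the total a
    multiple of 10. Only PINs with a correct checksum are ever accepted."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("PIN body must be exactly 7 digits")
    d = [int(c) for c in first_seven]
    total = 3 * (d[0] + d[2] + d[4] + d[6]) + (d[1] + d[3] + d[5])
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(pin[:7])


def pin_search_space() -> dict:
    """Why the brute force is feasible. The access point signals failure as soon as the first
    four digits are wrong, so the attacker fixes them first (10,000 tries at most), then the
    second half, where only three digits are free because the eighth is the checksum."""
    return {
        "apparent": 10 ** 8,                    # what an 8-digit PIN appears to offer
        "first_half": 10 ** 4,                  # 4 independent digits
        "second_half": 10 ** 3,                 # 3 free digits + derived checksum
        "worst_case_attempts": 10 ** 4 + 10 ** 3,
    }


def hours_at_rate(attempts: int, seconds_per_attempt: float) -> float:
    """Constructed estimate: a PIN exchange with a typical router takes a few seconds."""
    return attempts * seconds_per_attempt / 3600


if __name__ == "__main__":
    space = pin_search_space()
    print("valid test PIN 12345670:", is_valid_wps_pin("12345670"))
    print(f"{space['apparent']:,} apparent PINs, {space['worst_case_attempts']:,} real attempts,"
          f" about {hours_at_rate(space['worst_case_attempts'], 3):.0f} hours at 3 s each")
```

Rate limiting after failed attempts, which some routers added later, stretches this out but does not fix the split-verification design, which is why disabling WPS remains the advice.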
---
Privacy (Steps 13-16)
13. Remove Yourself from Data Brokers
Difficulty: Medium | Time: 2+ hours (manual) or 15 minutes (with a service) | Impact: High
Data brokers collect and sell your personal information — name, address, phone number, email, family members, estimated income, and more. This information is used for targeted advertising, but also by scammers, stalkers, and identity thieves.
What to do:
- Option A (Automated): Sign up for MyDataRemoval, which automatically submits removal requests to hundreds of data brokers and monitors for re-listings
- Option B (Manual): Search for yourself on major people-search sites (Spokeo, WhitePages, BeenVerified, Intelius) and submit opt-out requests individually
- Repeat every few months; data brokers re-list you over time as they acquire new data sources
14. Opt Out of People-Search Sites
Difficulty: Medium | Time: 1-3 hours (manual) | Impact: High
People-search sites are a subset of data brokers that make your personal information freely searchable by anyone. A simple name search can reveal your address, phone number, email, family members, and sometimes financial information.
What to do:
- Google your full name + city to find which sites list you
- Visit each site and find their opt-out or removal page
- Submit removal requests (each site has a different process, some require verification)
- Common sites to check: Spokeo, WhitePages, BeenVerified, Intelius, FastPeopleSearch, TruePeopleSearch, Radaris
- Or use MyDataRemoval to automate this entire process
15. Audit App Permissions
Difficulty: Easy | Time: 15 minutes | Impact: Medium
Many apps request permissions far beyond what they need. A flashlight app does not need access to your contacts, camera, and location. Excessive permissions create unnecessary data collection and potential security risks.
What to do:
- iPhone: Settings → Privacy & Security → review each category (Location, Camera, Microphone, Contacts, etc.) and revoke unnecessary permissions
- Android: Settings → Apps → select each app → Permissions → revoke unnecessary permissions
- Pay special attention to Location, Camera, Microphone, and Contacts, the most sensitive permission categories, and prefer "Only while using the app" over "Always" where offered
- Delete apps you no longer use (each installed app adds attack surface and keeps collecting data)
16. Tighten Social Media Privacy Settings
Difficulty: Easy | Time: 20 minutes per platform | Impact: Medium
Social media profiles are goldmines for social engineering attacks. Attackers use your publicly visible information (birthday, employer, school, family members, vacation photos) to craft convincing phishing messages or answer security questions.
What to do:
- Set profiles to private (friends/followers only)
- Remove your phone number and birthday from public view
- Disable location tagging on posts and photos
- Limit who can send you friend/connection requests
- Review tagged photos and posts; remove any that reveal sensitive information
- Be cautious accepting friend requests from people you do not know
---
Advanced Measures (Steps 17-20)
17. Use a Hardware Security Key
Difficulty: Medium | Time: 30 minutes | Impact: Very High
A hardware security key (YubiKey, Google Titan) is the strongest form of two-factor authentication available. An authenticator-app code can be phished: a fake login page simply asks for the code and relays it to the real site within its 30-second window. A FIDO2/WebAuthn key instead signs a challenge that is bound to the website's domain, and the browser only lets a site use credentials registered for its own domain, so a look-alike site cannot obtain a signature the real site would accept. There is no code for you to type, so there is nothing to hand over.
What to do:
- Purchase two hardware security keys (one primary, one backup; store the backup securely)
- Register both keys with each of your most critical accounts: Google, Microsoft, Apple, GitHub, social media. A backup key only helps if it is enrolled everywhere the primary is
- Most password managers (1Password, Bitwarden) support hardware keys for vault access
- FIDO2/WebAuthn-compatible keys work with hundreds of services
- Once the keys are enrolled, remove weaker second factors (SMS especially) from those accounts where the service allows it, so an attacker cannot fall back to them
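Why a hardware key cannot be phished the way a code can, as an added Python simulation (not code from the page, from YubiKey or Google Titan, or from any WebAuthn library): the browser fixes the relying-party ID to the domain the page was actually loaded from and records the true origin in the signed client data, and the key only signs for RP IDs it holds a credential for. A per-credential secret with HMAC stands in for the real ECDSA key pair, so relying_party_verify holds the same secret; in real WebAuthn it would hold only the public key, and that is the one simplification here. The domain names, challenge and origins are constructed, and public-suffix rules for RP IDs are omitted.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class SecurityKey:
    """Simulated FIDO2 authenticator. Each credential is scoped to one RP ID (a domain) and the
    key refuses to sign for any RP ID it has no credential for. SIMPLIFICATION: a shared secret +
    HMAC replaces the ECDSA key pair; the origin-binding logic being demonstrated is unchanged."""

    def __init__(self) -> None:
        self._credentials: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # handed to the RP at enrolment (in real WebAuthn: the public key only)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        secret = self._credentials.get(rp_id)
        if secret is None:
            return None  # unknown RP ID: the key stays silent
        # authenticatorData = SHA-256(rpId) || flags (0x01 = user present); counter omitted
        authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        signature = hmac.new(secret, authenticator_data + client_data_hash, "sha256").digest()
        return authenticator_data, signature


def rp_id_allowed(page_origin: str, rp_id: str) -> bool:
    """Browser rule (public-suffix checks omitted): the RP ID must be the page's own host or a
    parent domain of it. A look-alike domain therefore can never claim the real site's RP ID."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def browser_get(key: SecurityKey, page_origin: str, requested_rp_id: str, challenge: str):
    """navigator.credentials.get() as the browser performs it: it enforces the RP ID rule and
    writes the TRUE origin into clientDataJSON; the web page cannot alter either."""
    if not rp_id_allowed(page_origin, requested_rp_id):
        raise PermissionError(f"SecurityError: RP ID {requested_rp_id!r} not valid for {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}, sort_keys=True
    ).encode()
    result = key.get_assertion(requested_rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    authenticator_data, signature = result
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data, "signature": signature}


def relying_party_verify(stored_secret: bytes, rp_id: str, expected_origin: str,
                         challenge: str, assertion) -> bool:
    """Server-side checks in WebAuthn order: type, challenge (anti-replay), origin, rpIdHash, signature."""
    if assertion is None:
        return False
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get" or client_data.get("challenge") != challenge:
        return False
    if client_data.get("origin") != expected_origin:
        return False  # the signed data names another site: a relayed assertion dies here
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(stored_secret, assertion["authenticatorData"]
                        + hashlib.sha256(assertion["clientDataJSON"]).digest(), "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def phishing_attempt(key: SecurityKey, real_rp_id: str, challenge: str, phishing_origin: str):
    """Attacker at a look-alike domain relays the real site's challenge to the victim's browser."""
    try:
        # Option 1: claim the real RP ID. The browser refuses: it does not match the page origin.
        return browser_get(key, phishing_origin, real_rp_id, challenge)
    except PermissionError:
        # Option 2: use its own domain as RP ID. The key holds no credential for it.
        return browser_get(key, phishing_origin, urlparse(phishing_origin).hostname, challenge)


if __name__ == "__main__":
    key, challenge = SecurityKey(), "constructed-challenge-001"
    secret = key.register("accounts.example")
    genuine = browser_get(key, "https://accounts.example", "accounts.example", challenge)
    print("genuine login verifies:", relying_party_verify(secret, "accounts.example",
                                                          "https://accounts.example", challenge, genuine))
    print("phishing relay yields:", phishing_attempt(key, "accounts.example", challenge,
                                                     "https://accounts-example.evil"))
```

Compare this with the TOTP flow: a relayed six-digit code carries no information about which site asked for it, so the real site has no way to tell a relay from a genuine login. Here the origin is inside the signed message and the relying party checks it.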
18. Freeze Your Credit
Difficulty: Easy | Time: 30 minutes | Impact: Very High
A credit freeze prevents anyone (including you) from opening new credit accounts in your name until the freeze is lifted. This is the most effective defense against new-account identity theft and, in the US, it is free by law at all three bureaus.
What to do:
- Freeze your credit at all three bureaus: Equifax, Experian, TransUnion
- Each bureau will give you a PIN, password, or account login for unfreezing
- Store these credentials in your password manager
- When you need to apply for credit, temporarily unfreeze, apply, then refreeze
- Freezing does not affect your credit score or existing accounts
19. Use Alias Email Addresses
Difficulty: Medium | Time: 30 minutes | Impact: Medium
Using a unique email address for each service prevents cross-site tracking and limits the damage if one service is breached.
What to do:
- Use Apple's Hide My Email, Firefox Relay, or SimpleLogin to generate unique aliases
- Each alias forwards to your real inbox; you receive all emails but your real address is hidden
- If an alias starts receiving spam, you know exactly which service leaked or sold your data; disable that alias
- Use your real email only for critical accounts (banking, government)
20. Enable Login Notifications
Difficulty: Easy | Time: 15 minutes | Impact: Medium
Login notifications alert you whenever someone accesses your account from a new device or location. This provides early warning of unauthorized access.
What to do:
- Enable login notifications on email accounts (Gmail, Outlook, ProtonMail)
- Enable them on financial accounts and social media
- Review notifications promptly; if you see a login you did not make, change your password immediately, sign out all other sessions, and check for unauthorized changes (mail forwarding rules, recovery email or phone number, newly added 2FA methods)
- Most services show a list of active sessions; review this periodically and revoke any you do not recognize
---
Quick Reference Checklist
| # | Step | Time | Impact |
|---|---|---|---|
| 1 | Install password manager | 15 min | Critical |
| 2 | Enable 2FA everywhere | 30-60 min | Critical |
| 3 | Check Have I Been Pwned | 5 min | High |
| 4 | Delete unused accounts | 1-2 hrs | Medium |
| 5 | Update everything | 30 min | Critical |
| 6 | Enable full-disk encryption | 10 min | High |
| 7 | Install antivirus | 15 min | Medium-High |
| 8 | Set strong screen locks | 5 min | Medium |
| 9 | Use VPN on public WiFi | 10 min | High |
| 10 | Change router password | 10 min | High |
| 11 | Switch to WPA3 | 15 min | Medium |
| 12 | Disable WPS | 5 min | Medium |
| 13 | Remove from data brokers | 15 min - 2 hrs | High |
| 14 | Opt out of people-search | 1-3 hrs | High |
| 15 | Audit app permissions | 15 min | Medium |
| 16 | Tighten social media | 20 min/platform | Medium |
| 17 | Hardware security key | 30 min | Very High |
| 18 | Freeze credit | 30 min | Very High |
| 19 | Alias email addresses | 30 min | Medium |
| 20 | Login notifications | 15 min | Medium |