Locking the Door: A Simple Cyber Hygiene Checklist for 2026

Over the past few weeks, we’ve been talking about a simple idea: Locking the door.

It’s the same message the UK government pushed back in February, but why was that? Well, it wasn’t because cyber security suddenly became more complicated. If anything, it was the opposite: many incidents still come down to the basics being missed.

Unpatched systems.
Weak passwords.
Too much access.
No clear visibility.

None of it is groundbreaking, but it is still enough to cause real problems, to the tune of £14.7bn a year.

So rather than adding another opinion piece to the pile, this feels like a good moment to pause and bring it all together in a simple, practical checklist based on the fundamentals that still make the biggest difference.

The Cyber Hygiene Checklist

1. Are your systems actually up to date?

It sounds obvious, but it’s still one of the most common gaps.

Updates don’t just add features. They fix vulnerabilities that are often already known and actively exploited, which means that when patching is inconsistent, delayed, or dependent on manual processes, risk can (and does) creep in.

The question to ask yourself here isn’t “Do we update?”; it’s “How quickly, and how consistently, do we update?”

2. Do you know who has access to what?

Access tends to grow over time, with people changing roles, systems evolving, and permissions added but rarely removed. It’s something we see often when meeting businesses that don’t have proactive IT support, and they end up with:

  • Users with more access than they need

  • Old accounts that are still active

  • Privileged roles that aren’t reviewed

Good security isn’t just about strong passwords or enabling 2FA across the board (we’ll come onto this in a second!); you need to ensure the right people have the right access, and nothing more.

3. Are you relying on passwords alone?

Passwords are still everywhere, and they’re still one of the weakest points in most environments. Statistics last year showed that over 7 in 10 members of Gen Z recycle passwords, meaning multi-factor authentication is no longer a “nice to have”.

In fact, MFA (commonly called 2FA when it uses two factors) is one of the simplest ways to reduce risk across:

  • Email accounts

  • Cloud platforms

  • Remote access

  • Admin systems

If it’s not consistently enforced by now, please look at making this a priority.

4. Would you know if something was wrong?

This is where many organisations struggle.

It’s not always about preventing incidents anymore, as chances are you’ll be targeted sooner rather than later. But if an attack were to succeed, could you detect it early enough to limit the damage?

Doing so means having visibility over:

  • Logins and access patterns

  • Device activity

  • System changes

  • Unusual behaviour

Without that, issues can sit unnoticed for longer than you’d expect.

5. Are your people part of your security strategy?

Technology matters. But people are still a major factor in how incidents occur, often falling for things like phishing emails, unexpected requests, and links that look legitimate.

Most of these don’t rely on breaking systems. Attackers rely on normal behaviour to slip through the cracks, and their attempts are getting more and more convincing.

Awareness doesn’t need to be heavy-handed. But it does need to be consistent, with regular training, insight, and a people-first approach across the board.

6. Do you know what you’d do if something happened?

This is the one that often gets left until it’s needed.

Put it this way: If an account is compromised, a device is lost/stolen, or a breach is suspected, what happens next?

Who do you contact?
What gets locked down?
How quickly can you respond?

Having a clear and tested plan now, well before you need it, makes a big difference in how contained an incident becomes.

If you want a deeper look at this, we covered it in more detail here:
https://www.fifosys.com/blog/email-breach-response-what-to-do-next

Why This Still Matters

None of this is new, and ultimately, that’s the point of the campaign.

The government’s “lock the door” message wasn’t about introducing new frameworks or complex controls. We’ve already seen a whole host of those, and more often than not, they just pass people by.

What this is, though, is a reminder that many incidents still happen because the fundamentals aren’t consistently applied.

And it ties directly into the wider idea of cyber hygiene.

Small, consistent actions go a long way to reducing risk over time.

It’s Not About Perfection

It’s rare that an organisation is perfect, or can get everything right all at once. So don’t let the pursuit of perfection prevent progress.

You may not get everything right all at once, but you can start by understanding where the gaps are, breaking them into chunks, and closing them gradually.

Most organisations don’t fall short because they lack tools, but because visibility, consistency or ownership isn’t quite where it needs to be.

We’re here to help you not fall into the same trap.

Final Thought

Cyber security can sometimes feel like a moving target, with new threats, new tools, and, it seems, a new headline-making breach every week.

But the reality is that a lot of risk still comes down to simple things being overlooked.

Locking the door isn’t complicated, but it only works if you actually do it.
