Agency Cybersecurity & Data Protection Checklist

Require 2FA for email, project management, client portals, financial tools, and cloud storage. No exceptions.

Adopt a team password manager (1Password, LastPass Business, etc.). Eliminate shared spreadsheets and sticky notes.

Give people only the access they need. Review and adjust when roles change.

When someone leaves, immediately revoke access to all tools, email, and client accounts. Automate where possible.

Review who has access to what. Remove inactive accounts. Verify permissions are still appropriate.

Ensure all tools use HTTPS. Enable disk encryption on all company devices (FileVault, BitLocker).

Back up project files, client data, and financial records. Test restoration regularly.

Define what's public, internal, confidential, and restricted. Handle each category differently.

Enable remote wipe capability. Require screen lock after inactivity. Install endpoint protection.

Use your client portal or encrypted file sharing. Avoid sending sensitive files via unencrypted email.

Never store client passwords in documents, emails, or chat. Use your password manager's secure sharing.

Ensure team members can only access the client accounts they work on. Prevent cross-contamination.

How long do you keep client data after the engagement ends? Document and communicate your policy.

Address data handling, confidentiality, breach notification, and liability in your agreements.

Review who accessed what client data and when. Investigate anomalies. Maintain audit logs.

Document steps for identifying, containing, and recovering from security incidents. Assign roles.

Who gets called first? What's the chain of command? Include after-hours contacts.

Know your legal obligations for breach notification. Prepare template communications in advance.

Run through scenarios: stolen laptop, phishing attack, data breach. Practice before you need it.

After an incident or exercise, record what worked and what didn't. Update the plan accordingly.

Determine which data privacy laws apply based on your location and your clients' locations.

Your website privacy policy should reflect actual data practices. Review and update at least annually.

If you process personal data for clients, formalize the arrangement with a DPA as required by GDPR.

Ensure your SaaS tools comply with applicable regulations. Check their DPAs and security certifications.

Document what personal data you process, why, where it's stored, and who has access. Required by GDPR.

Cover phishing recognition, password hygiene, safe browsing, and social engineering. Train new hires on day one.

Test employees with simulated phishing emails. Provide additional training for those who fall for it.

Define what's allowed on company devices. Cover personal use, public Wi-Fi, and software installation.

How to share credentials safely, handle sensitive information, and what to do if they suspect a breach.

Security threats evolve constantly. Annual refresher training keeps awareness high and reduces risk.