Account Security Checklist
Most breaches start with a compromised account. This checklist covers the controls that matter most for protecting the accounts your business depends on.

How to Use This Checklist
Work through each section with your IT provider or security team. Tick items that are confirmed in place and verified, not just assumed. Anything unticked is a gap. Prioritise gaps in Section 1 first.
1. Multi-Factor Authentication
MFA is the single most effective control for preventing unauthorised account access. Every unticked item in this section is a meaningful gap.
MFA is enforced on Microsoft 365 for all users, with no exceptions
MFA is enforced on all email access, including mobile devices
MFA is enforced on all remote access to business systems (VPN, remote desktop, RMM tools)
MFA is enforced on all cloud services (accounting software, practice management, document storage)
MFA is enforced on all privileged and admin accounts
Legacy authentication protocols are blocked in Microsoft 365 (basic authentication, including for IMAP and POP3)
Phishing-resistant MFA (hardware security keys or certificate-based) is used for the highest-risk accounts
MFA bypass or exclusion policies have been reviewed and minimised
Staff have been briefed on MFA fatigue attacks (repeated push notifications to pressure approval)
A password manager is in use across the organisation for business accounts
Unique passwords are required for every business account (no password reuse)
Default passwords have been changed on all systems, devices, and applications
There is a process for revoking credentials immediately when a staff member leaves
Shared or generic account passwords are changed when any person with knowledge of them leaves
Credentials are never stored in spreadsheets, sticky notes, browser saved passwords on shared devices, or unencrypted documents
Staff know not to reuse business passwords for personal accounts
Your organisation's email domain has been checked against known credential breach databases (e.g. Have I Been Pwned)
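The breach-database check above is usually a manual domain search. The same services also let you check individual passwords against the breach corpus without ever sending the password, which is what makes the check safe to automate for the "no password reuse" item. The following is an added example, not part of this checklist and not Have I Been Pwned code: it implements the k-anonymity range lookup used by the Pwned Passwords API (only the first five hex characters of the SHA-1 are sent; the service returns every matching suffix with a count). The response body embedded below is constructed so the example runs offline; the breach counts in it are made up.

```python
"""k-anonymity breach check for a single password (added example, offline)."""
import hashlib
import urllib.request
from typing import Optional

# Constructed range response for prefix 5BAA6. Format is "SUFFIX:COUNT" per
# line, as the live API returns. Counts here are invented, not real figures.
SAMPLE_RANGE_5BAA6 = """\
0073A2DA5D8E7B6C0F1D2E3F4A5B6C7D8E9:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFF9D2D7A1B3C4D5E6F7A8B9C0D1E2F3A4:1
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Return the breach count recorded for `suffix` in a range response, 0 if absent.
    Padded entries (count 0) fall through harmlessly."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup against the Pwned Passwords range endpoint. Only the prefix
    leaves the machine; Add-Padding asks the service to hide the true result
    size from anyone watching the connection."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, body: Optional[str] = None) -> int:
    """Number of times `password` appears in the corpus. Pass `body` to test
    offline; omit it to perform the live k-anonymity lookup."""
    prefix, suffix = sha1_prefix_suffix(password)
    if body is None:
        body = fetch_range(prefix)
    return count_in_range_response(suffix, body)


if __name__ == "__main__":
    # Offline run against the constructed response.
    print("breached count:", breach_count("password", SAMPLE_RANGE_5BAA6))
```

Wire `breach_count` into a password-change flow and reject any candidate with a non-zero count; the password itself is never logged or transmitted.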
3. Privileged and Admin Accounts
Admin accounts are separate from day-to-day user accounts
The list of accounts with admin or privileged access has been reviewed in the last 6 months
Staff are not operating with admin rights for routine daily tasks
Domain admin accounts are used only for tasks that require domain admin access
Service accounts have the minimum permissions required and are reviewed regularly
Privileged account credentials are stored in a privileged access management (PAM) tool, not a shared spreadsheet
There is a break-glass account for emergency access that is separately secured, and its use is logged and alerted on
Conditional access policies are in place and enforced
Sign-in is restricted to managed, compliant devices where possible
Sign-ins from unexpected geographic locations trigger alerts or are blocked
Microsoft Secure Score has been reviewed and remediation is in progress
Unified audit logging is enabled and retained for a minimum of 90 days
Mailbox auditing is enabled for all users
External email forwarding is disabled or restricted by policy
Auto-forwarding rules are monitored for unexpected configurations
The Global Administrator role has fewer than 5 accounts assigned and all are cloud-only accounts with MFA
Emergency access (Break Glass) accounts exist and are tested at least annually
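Two items in the list above ("sign-ins from unexpected geographic locations trigger alerts" and "auto-forwarding rules are monitored") are detections rather than settings. The following is an added example of that detection logic, not part of this checklist and not Microsoft code. The records are constructed and deliberately simplified: they borrow a few field names from the Microsoft 365 Unified Audit Log (Operation, UserId, ClientIP, CreationTime, Parameters) and from Entra ID sign-in logs (userPrincipalName, countryOrRegion), but real exports carry many more fields, so adapt the field access to your own export. The mail domains and expected country are assumptions.

```python
"""Flag external mail forwarding changes and unexpected-country sign-ins,
then join the two so that a forward created shortly after a suspicious
sign-in is triaged first. Added example with constructed records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Parameters that set a forward/redirect target on rule or mailbox operations.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
INTERNAL_DOMAINS = {"example.com.au"}   # your own mail domains (assumption)
EXPECTED_COUNTRIES = {"AU"}             # where staff actually work (assumption)

AUDIT_RECORDS = [  # constructed sample, simplified audit-log shape
    {"CreationTime": "2026-03-02T08:14:05", "Operation": "New-InboxRule",
     "UserId": "alice@example.com.au", "ClientIP": "192.0.2.44",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "archive@mail-example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-03-02T09:00:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com.au", "ClientIP": "203.0.113.8",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"CreationTime": "2026-03-02T09:30:00", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com.au", "ClientIP": "198.51.100.2",
     "Parameters": [{"Name": "Identity", "Value": "carol@example.com.au"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.backup@mail-example.net"}]},
]
SIGNINS = [  # constructed sample, simplified sign-in-log shape
    {"createdDateTime": "2026-03-02T08:13:40", "userPrincipalName": "alice@example.com.au",
     "ipAddress": "203.0.113.7", "countryOrRegion": "AU", "status": "success"},
    {"createdDateTime": "2026-03-02T08:13:55", "userPrincipalName": "alice@example.com.au",
     "ipAddress": "192.0.2.44", "countryOrRegion": "NG", "status": "success"},
    {"createdDateTime": "2026-03-02T10:02:11", "userPrincipalName": "bob@example.com.au",
     "ipAddress": "203.0.113.8", "countryOrRegion": "AU", "status": "success"},
]


def _is_external(address: str) -> bool:
    """True when a forwarding target is outside INTERNAL_DOMAINS."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def forwarding_alerts(records):
    """Audit records that create or change a forward to an external address."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = [v for k, v in params.items()
                    if k in FORWARDING_PARAMS and _is_external(v)]
        if external:
            alerts.append({
                "time": rec["CreationTime"], "user": rec["UserId"],
                "operation": rec["Operation"], "targets": external,
                # A rule that also deletes the original hides the forward from the owner.
                "deletes_original": params.get("DeleteMessage") == "True",
                # Single-character or punctuation-only rule names are a common tell.
                "rule_name": params.get("Name", ""),
            })
    return alerts


def location_alerts(signins, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins from a country outside the expected set."""
    return [{"time": s["createdDateTime"], "user": s["userPrincipalName"],
             "country": s["countryOrRegion"], "ip": s["ipAddress"]}
            for s in signins
            if s["status"] == "success" and s["countryOrRegion"] not in expected]


def correlated_alerts(records, signins, window=timedelta(minutes=30)):
    """Forwarding changes preceded, within `window`, by an unexpected-location
    sign-in for the same user. These are the ones to triage first."""
    by_user = defaultdict(list)
    for la in location_alerts(signins):
        by_user[la["user"]].append(la)
    out = []
    for fa in forwarding_alerts(records):
        t = datetime.fromisoformat(fa["time"])
        for la in by_user.get(fa["user"], []):
            delta = t - datetime.fromisoformat(la["time"])
            if timedelta(0) <= delta <= window:
                out.append({**fa, "signin_country": la["country"], "signin_ip": la["ip"]})
    return out


if __name__ == "__main__":
    for a in forwarding_alerts(AUDIT_RECORDS):
        print("FORWARD ", a)
    for a in location_alerts(SIGNINS):
        print("LOCATION", a)
    for a in correlated_alerts(AUDIT_RECORDS, SIGNINS):
        print("HIGH    ", a)
```

On the constructed data, bob's move-to-folder rule is ignored, alice's forward-and-delete rule and the admin's `Set-Mailbox` forward are both flagged, and alice's rule is escalated because a successful sign-in from Nigeria occurred ten seconds before it was created. Run the same functions over a day's export on a schedule and route the `HIGH` results to whoever holds the pager.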
5. Email Security
Email is the primary initial access vector for most attacks targeting Australian businesses.
SPF, DKIM, and DMARC records are configured correctly for your domain
The DMARC policy is set to at least quarantine (p=quarantine or p=reject)
External email is tagged to indicate it did not originate inside your organisation
Impersonation protection is configured for key personnel (CEO, finance, principals)
Attachment scanning and safe links are enabled
Staff are trained to verify payment redirection requests or changes to bank details via a separate communication channel, not by replying to the email
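Checking the first two items above (SPF, DKIM and DMARC configured; DMARC at quarantine or reject) means reading the published TXT records and interpreting their tags. The following is an added example, not part of this checklist: it parses SPF and DMARC records and reports which checklist items they fail. The three domains and their records are constructed so it runs offline; in practice you would fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` with a DNS library and pass them in. DKIM is not covered here because its selector names are specific to each sending service and must be known before the record can be looked up.

```python
"""Evaluate SPF and DMARC TXT records against the email-security checklist
items. Added example; records below are constructed samples."""
from typing import List, Optional

SAMPLE_RECORDS = {  # constructed: a compliant, a weak, and a half-done domain
    "good.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100",
    },
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "partial.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=25",
    },
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs (RFC 7489 syntax:
    semicolon-separated tag=value, whitespace optional)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'),
    or None when the record has no 'all' term at all."""
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return "+" if t == "all" else t[0]
    return None


def evaluate(domain: str, spf: Optional[str], dmarc: Optional[str]) -> List[str]:
    """Return checklist findings for a domain; an empty list means both items pass."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no v=spf1 record published")
    else:
        q = spf_all_qualifier(spf)
        if q is None:
            findings.append("SPF: no 'all' mechanism, unlisted senders are not rejected")
        elif q in ("+", "?"):
            findings.append(f"SPF: '{q}all' lets any sender pass, use -all or ~all")
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append(f"DMARC: no v=DMARC1 record at _dmarc.{domain}")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'}, checklist requires quarantine or reject")
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100
        if pct < 100:
            findings.append(f"DMARC: pct={pct}, policy applies to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports are not being collected")
    return findings


if __name__ == "__main__":
    for name, recs in SAMPLE_RECORDS.items():
        result = evaluate(name, recs["spf"], recs["dmarc"])
        print(name, "PASS" if not result else "")
        for line in result:
            print("  -", line)
```

A `pct` below 100 is a legitimate rollout stage, but it means the quarantine or reject policy is only partially enforced, so the checklist item should stay unticked until it reaches 100.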
6. Device and Session Security
All devices accessing business data have endpoint protection (EDR) installed and active
Devices are encrypted (BitLocker for Windows, FileVault for Mac)
Screen lock activates after a short idle period on all devices
Lost or stolen devices can be remotely wiped
Personal devices accessing business email or data are enrolled in mobile device management
Session timeouts are configured for web-based business applications
Staff know to sign out of business accounts on shared or personal devices after use
Browser extensions are reviewed periodically. Malicious extensions are a common credential theft vector.
7. Offboarding and Access Review
There is a documented offboarding process that includes immediate account suspension on departure
All accounts (Microsoft 365, line-of-business applications, shared accounts) are included in the offboarding checklist
Access rights are reviewed across all staff at least annually, not just at onboarding
Contractor and third-party access is time-limited and revoked on completion of the engagement
Service desk staff are trained to verify identity before making account changes (social engineering via helpdesk is a common attack vector)
Signs an Account May Be Compromised
Report any of the following to your IT or security provider immediately:
Login alerts from unexpected locations or devices
MFA prompts you did not initiate
Emails sent from your account that you did not write
Contacts reporting unusual communications from you
Password changed without your action
Files accessed or modified at unusual times
Unfamiliar inbox rules, forwarding rules, or calendar sharing
When in doubt, report it. The cost of investigating a false alarm is zero compared to the cost of missing a real one.

Need help locking down your accounts?
Stealth Cyber provides managed detection and response and security assessments for Australian professional services firms. Get in touch for a straight conversation about your account security posture.
Email: contact@stealthcyber.io
Phone: AU +61 7 5230 8381, US +1 (855) 774-2595
Offices: Gold Coast, Australia; São Paulo, Brazil; Texas, United States
© 2026 Stealth Cyber Pty Ltd. ABN 72 675 840 632. All rights reserved.