
Security tips

One small step a day

A rotating library of plain-English tips for the small and mid-sized businesses that keep America running. Every tip is one concrete step you can take today — no acronym soup.

Today's tip

Vendor risk

Re-attest your top vendors annually

SOC 2 reports go stale; security postures change. Re-issue questionnaires to your top-5 vendors yearly so your portfolio reflects today's risk, not last year's.


The same tip shows for everyone each day, then rotates — handy when your team compares notes. Browse the full library below.

5 tips

Email security

  • Email security

    Raise DMARC to quarantine, then reject

    At p=none you receive aggregate reports but tell receivers to deliver spoofs anyway. Move to p=quarantine first (spoofs land in spam), then p=reject once a few weeks of reports show every legitimate sender passing SPF or DKIM with an aligned domain. If a hard cut-over worries you, pct= phases the policy in.

  • Email security

    Audit mailbox auto-forward rules

    External-forwarding rules are one of the most common persistence tricks after an account compromise: the attacker keeps reading mail long after the password is reset. M365 lets you block automatic forwarding to outside addresses tenant-wide (the outbound spam filter policy in Exchange Online). Turn it on if you haven't, then audit the rules that were created before you did.

  • Email security

    Publish an SPF record today

    With no SPF record, a receiving server has no list of who may send on your domain's behalf, so a spoofed envelope sender passes unnoticed. It's a single DNS TXT record naming your mail providers and ending in -all (or ~all while you're testing): the highest-leverage 10 minutes in email security. SPF on its own doesn't check the From header users see; that's why DMARC comes next.

  • Email security

    Turn on DKIM signing

    DKIM signs outbound mail with a private key so receivers can check, against the public key in your DNS, that a message came from your mail system and wasn't altered in transit. Most providers enable it with one toggle plus a DNS record or two (CNAMEs for Microsoft 365, a TXT record for Google Workspace); do it before raising DMARC to reject, since DMARC needs SPF or DKIM to pass with an aligned domain and forwarded mail usually breaks SPF.

  • Email security

    Enforce TLS on inbound mail with MTA-STS

    Without MTA-STS the TLS on mail to your domain is opportunistic: an attacker on the path can strip STARTTLS and read or alter the messages in plaintext. Publishing a policy tells supporting senders (Gmail among them) to require a valid certificate and hold the mail otherwise. It's a static file served over HTTPS at mta-sts.yourdomain/.well-known/mta-sts.txt plus one _mta-sts TXT record; start in mode: testing with TLS-RPT reporting, then switch to enforce.
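The four email tips above (SPF, DKIM, DMARC, MTA-STS) come down to what is published in DNS and in one policy file. The checker below is an added example, not Resolute's code: it grades those records offline the way a practitioner would before and after each change. SAMPLE_RECORDS is constructed to look like `dig TXT` output for a domain halfway through the process; the DKIM key in it is a placeholder.

```python
"""Grade a domain's SPF, DKIM, DMARC and MTA-STS records without touching the network.

Added example, not Resolute's code. SAMPLE_RECORDS is constructed to look like
`dig TXT` output; swap in live lookups (e.g. dnspython) to check your own domain.
"""
from __future__ import annotations


def parse_tags(record: str) -> dict[str, str]:
    """Parse 'k=v; k=v' style records (DMARC, DKIM key, MTA-STS TXT) into a dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(txt: list[str]) -> str:
    """The 'all' mechanism at the end decides what happens to senders not listed."""
    spf = [r for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return "FAIL: no SPF record; anyone can use the domain as envelope sender"
    if len(spf) > 1:
        return "FAIL: more than one SPF record; receivers treat that as a permanent error"
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return "OK: -all, unlisted senders hard-fail"
    if last == "~all":
        return "WARN: ~all softfail; move to -all once DMARC reports are clean"
    return "FAIL: record does not end in -all or ~all, so unlisted senders pass"


def grade_dkim(selector_txt: dict[str, list[str]]) -> str:
    """selector_txt maps '<selector>._domainkey.<domain>' to its TXT values."""
    live = sorted(name for name, recs in selector_txt.items()
                  if any(parse_tags(r).get("p") for r in recs))
    if not live:
        return "FAIL: no DKIM public key under the selectors checked (empty p= means revoked)"
    return "OK: signing keys published for " + ", ".join(live)


def grade_dmarc(txt: list[str]) -> str:
    dmarc = [r for r in txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "FAIL: no DMARC record, so SPF/DKIM results are never enforced"
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "none").lower()
    notes = []
    if "rua" not in tags:
        notes.append("no rua= address, so you get no aggregate reports")
    if int(tags.get("pct", "100")) < 100:
        notes.append("pct=" + tags["pct"] + " applies the policy to only part of your mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        notes.append("sp=none leaves subdomains unprotected")
    verdict = {"reject": "OK", "quarantine": "WARN"}.get(policy, "FAIL")
    return f"{verdict}: p={policy}" + ("; " + "; ".join(notes) if notes else "")


def grade_mta_sts(txt: list[str], policy_file: str | None) -> str:
    """txt = TXT at _mta-sts.<domain>; policy_file = body served at
    https://mta-sts.<domain>/.well-known/mta-sts.txt, or None if nothing is served."""
    if not any(r.lower().startswith("v=stsv1") for r in txt):
        return "FAIL: no _mta-sts TXT record; senders fall back to opportunistic TLS"
    if policy_file is None:
        return "FAIL: TXT record present but no policy file served over HTTPS"
    policy: dict[str, list[str]] = {}
    for line in policy_file.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            policy.setdefault(key.strip().lower(), []).append(value.strip())
    mode = policy.get("mode", ["none"])[0].lower()
    mx = policy.get("mx", [])
    if not mx:
        return "FAIL: policy lists no mx hosts"
    if mode == "enforce":
        return "OK: enforce; TLS with a valid certificate required for " + ", ".join(mx)
    if mode == "testing":
        return "WARN: mode testing only reports failures; switch to enforce once TLS-RPT is clean"
    return "FAIL: mode none disables the policy"


def assess(domain: str, records: dict[str, list[str]], mta_sts_policy: str | None) -> dict[str, str]:
    """records maps DNS names to TXT values; DKIM selectors are found by their _domainkey label."""
    dkim = {name: vals for name, vals in records.items() if "._domainkey." in name}
    return {
        "spf": grade_spf(records.get(domain, [])),
        "dkim": grade_dkim(dkim),
        "dmarc": grade_dmarc(records.get("_dmarc." + domain, [])),
        "mta-sts": grade_mta_sts(records.get("_mta-sts." + domain, []), mta_sts_policy),
    }


# Constructed sample: SPF softfail, DMARC still at p=none, MTA-STS in testing.
# The DKIM p= value is a placeholder, not a real public key.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEYNOTREAL"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "_mta-sts.example.com": ["v=STSv1; id=20240601T000000"],
}
SAMPLE_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 604800\n"

if __name__ == "__main__":
    for check, result in assess("example.com", SAMPLE_RECORDS, SAMPLE_POLICY).items():
        print(f"{check:8} {result}")
```

Run it after every DNS change; the goal is four lines starting with OK, and the WARN lines tell you what the next step is.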
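For the "Audit mailbox auto-forward rules" tip above, the audit itself is a short script over exported inbox rules. This is an added example, not Resolute's code; the rules are constructed in the shape of Microsoft Graph messageRule objects (GET /users/{id}/mailFolders/inbox/messageRules), and INTERNAL_DOMAINS is an assumption standing in for your tenant's accepted domains.

```python
"""Flag mailbox rules that forward or redirect mail to addresses outside the organisation.

Added example, not Resolute's code. SAMPLE_RULES is constructed in the shape of
Microsoft Graph `messageRule` objects; INTERNAL_DOMAINS is an assumption.
"""
from __future__ import annotations

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}
# Every Graph rule action that sends a copy of the message somewhere else.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def address_domain(address: str) -> str:
    """Lower-cased domain of an SMTP address, tolerating 'Display Name <user@host>' forms."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rpartition("@")[2].lower()


def is_external(address: str, internal: set[str] = INTERNAL_DOMAINS) -> bool:
    """Exact match on accepted domains: evil-example.com and sub.example.com are both external."""
    return address_domain(address) not in internal


def audit_rules(mailbox: str, rules: list[dict]) -> list[dict]:
    """Return one finding per enabled rule action that sends mail to an external address."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # can't leak today; still worth a look, but not a finding here
        actions = rule.get("actions", {})
        # Attackers usually pair forwarding with delete/markAsRead so the victim never sees the mail.
        hides_traces = bool(actions.get("delete") or actions.get("markAsRead"))
        for action in FORWARD_ACTIONS:
            for recipient in actions.get(action, []):
                address = recipient["emailAddress"]["address"]
                if is_external(address):
                    findings.append({
                        "mailbox": mailbox,
                        "rule": rule.get("displayName") or "<unnamed>",
                        "action": action,
                        "to": address,
                        "hides_traces": hides_traces,
                    })
    return findings


# Constructed sample rules for one mailbox.
SAMPLE_RULES = [
    {"displayName": "Invoices to finance", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "finance@example.com"}}]}},
    {"displayName": ".", "isEnabled": True,  # a one-character name is a classic tell
     "actions": {"forwardTo": [{"emailAddress": {"address": "payments.backup@gmail.com"}}],
                 "markAsRead": True, "delete": True}},
    {"displayName": "Old backup", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"address": "archive@evil-example.com"}}]}},
    {"displayName": "Vendor copies", "isEnabled": True,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "ops@corp.example.com"}}]}},
]

if __name__ == "__main__":
    for finding in audit_rules("ceo@example.com", SAMPLE_RULES):
        print(finding)
```

Rules that forward externally and also delete or mark the message as read are the ones to treat as an incident rather than a cleanup item; the tenant-wide block stops new ones, but existing rules stay until you remove them.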

4 tips

Auth & access

  • Auth & access

    Enforce MFA on every admin

    An admin account without MFA is among the most common causes of cloud tenant breaches. If even one of your M365 / Google admins doesn't have it, fix that first, before anything else on this list.

  • Auth & access

    Switch admins to passkeys

    Password + TOTP stops password-only attacks, but a real-time phishing page can relay the six-digit code. Passkeys (FIDO2/WebAuthn credentials behind Touch ID or Windows Hello) are bound to the site's origin, so a look-alike domain gets nothing usable. Once your team is comfortable, deprecate password+TOTP for everyone with admin access.

  • Auth & access

    Kill reused passwords with a manager

    One reused password turns a breach at any vendor into a breach of your business. Roll out a password manager to the whole team this week — shared vaults end the spreadsheet-of-logins era.

  • Auth & access

    Right-size who has admin

    Every extra global admin is another phishable key to the whole tenant. Review your admin list and downgrade anyone who doesn't need it day-to-day — most orgs need two or three, not ten.

6 tips

Monitoring

  • Monitoring

    Verify your domains before monitoring

    Domain verification is the difference between 'I added this' and 'I own this.' Resolute requires it before phishing simulation or external monitoring — and it's a 60-second DNS record.

  • Monitoring

    Treat finding SLAs like a fire drill

    Resolute's SLA defaults — critical 7d / high 30d / medium 90d — are conservative. If yours regularly breach, the issue is staffing, not the SLA. Be honest in your post-mortem.

  • Monitoring

    Scan your site's response headers

    HSTS, CSP, and clickjacking protection (X-Frame-Options or a CSP frame-ancestors directive) cost nothing to add, and their absence is among the first things an attacker or auditor notices. Run a scan on your marketing site and your app; the report hands you the exact header block to paste. Test a new CSP in Report-Only mode first so it doesn't block your own scripts.

  • Monitoring

    Set a monthly patch day

    Unpatched browsers, laptops, and routers are how most opportunistic intrusions start. Block one recurring hour a month to apply OS, browser, and firmware updates across every device.

  • Monitoring

    Block legacy auth in Microsoft 365

    Basic authentication over legacy protocols (IMAP, POP, SMTP AUTH, older Office clients) accepts just a username and password, so MFA never gets a chance to prompt; that's why password-spray tools aim at them. Microsoft has since disabled basic auth for most of these protocols in Exchange Online, but SMTP AUTH is still a per-tenant setting, and a Conditional Access policy blocking legacy authentication clients covers whatever is left.

  • Monitoring

    Lock and auto-renew your domain

    A lapsed or hijacked domain takes down email and website at once and is brutal to recover. Turn on auto-renew, enable registrar lock, and add a calendar reminder a month before expiry.
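The header scan described in "Scan your site's response headers" above, as an added example that is not Resolute's scanner: it checks a captured response's headers for the weaknesses the tip names and emits the nginx lines that close each gap. SAMPLE_HEADERS is constructed, and the RECOMMENDED values are sensible defaults of this example, not the page's; the CSP in particular is only a starting point you must test against your own site.

```python
"""Check an HTTP response's security headers and emit the nginx block that fixes the gaps.

Added example, not Resolute's scanner. SAMPLE_HEADERS is constructed; RECOMMENDED holds
this example's default values, and the CSP must be tested (Report-Only first) per site.
"""
from __future__ import annotations
import re

ONE_YEAR = 31536000

# Header -> value to paste when it is missing or weak. Order here is the order of the output block.
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}


def check_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: problem} for each weakness found; an empty dict means clean."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    problems: dict[str, str] = {}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems["strict-transport-security"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            problems["strict-transport-security"] = f"max-age={age} is under one year"

    csp = h.get("content-security-policy", "")
    if not csp:
        problems["content-security-policy"] = "missing"
    # Either header stops clickjacking; frame-ancestors in a CSP supersedes X-Frame-Options.
    if "frame-ancestors" not in csp.lower() and "x-frame-options" not in h:
        problems["x-frame-options"] = "missing and CSP has no frame-ancestors"

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        problems["x-content-type-options"] = "missing or not 'nosniff'"
    if "referrer-policy" not in h:
        problems["referrer-policy"] = "missing"
    if "x-powered-by" in h:
        problems["x-powered-by"] = "discloses " + h["x-powered-by"] + "; remove it"
    return problems


def nginx_block(problems: dict[str, str]) -> str:
    """nginx add_header lines for every header that is missing or weak.

    Caveat: add_header in a location block replaces, rather than merges with, any
    add_header lines inherited from server/http, so paste the block into every level that sets one.
    """
    lines = [f'add_header {name.title()} "{RECOMMENDED[name]}" always;'
             for name in RECOMMENDED if name in problems]
    if "x-powered-by" in problems:
        lines.append("# X-Powered-By comes from the app, not nginx; disable it there "
                     "(for Express: app.disable('x-powered-by'))")
    return "\n".join(lines)


# Constructed sample: a typical response from an app server nobody has hardened yet.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Powered-By": "Express",
}

if __name__ == "__main__":
    found = check_headers(SAMPLE_HEADERS)
    for name, why in found.items():
        print(f"{name}: {why}")
    print(nginx_block(found))
```

Feed it the headers from `curl -sI https://yoursite/` (one dict entry per line) and re-run after deploying the block; the short HSTS max-age in the sample is there because a value under a year is a common half-fix that browsers honour only briefly.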

4 tips

Vendor risk

  • Vendor risk

    Re-attest your top vendors annually

    SOC 2 reports go stale; security postures change. Re-issue questionnaires to your top-5 vendors yearly so your portfolio reflects today's risk, not last year's.

  • Vendor risk

    Revoke stale OAuth grants

    Tenant-wide OAuth grants (admin consents) that haven't been used in 90+ days are attack surface, not utility: if the third-party app is compromised, the attacker inherits every permission you consented to. Five minutes in Entra → Enterprise apps, checking each app's permissions and sign-in activity, removes the ones you don't need.

  • Vendor risk

    List every tool with your data

    You can't assess vendor risk you haven't written down. Spend 20 minutes listing every SaaS app that touches customer data or email — the shadow-IT ones are usually the surprise.

  • Vendor risk

    Answer security questionnaires once

    Re-typing the same questionnaire for every prospect burns days a quarter. Maintain a reusable answer library so sales can self-serve, and your answers stay consistent across deals.

4 tips

Incident readiness

  • Incident readiness

    Two-person rule for wires above $X

    BEC fraud almost always succeeds because one person can authorize the wire alone. Pick a dollar threshold, document a two-person verification step, and enforce it in your accounting system.

  • Incident readiness

    Restore a backup this quarter

    You don't have a backup until you've tested a restore. Pick one critical system, restore a copy to a sandbox, document the steps + time. Insurance underwriters love seeing this proof.

  • Incident readiness

    Print your IR playbooks

    When your laptop is encrypted, you won't be reading this. Print the top 3 playbooks for your business (likely: phishing, wire fraud, ransomware) and keep them somewhere physically accessible.

  • Incident readiness

    Write a 24-hour offboarding checklist

    A departed employee with live access is a standing risk and an audit finding. Document the exact accounts to disable, and commit to revoking everything within 24 hours of a departure.

4 tips

Compliance

  • Compliance

    Publish a trust page

    Stop emailing PDFs to every prospect. A public trust page with your SOC 2 status, DPA, and policies converts the security-review email thread into a self-serve URL.

  • Compliance

    Owners + review dates on every policy

    An unowned policy is a policy nobody reads. Pick an owner (a person, not a team) and an annual review date for each policy in your library. Auditors check this within the first 10 minutes.

  • Compliance

    Start a one-page risk register

    Auditors and insurers both ask 'show me your risks.' Even a five-row register — risk, likelihood, impact, owner, mitigation — beats nothing and forces the conversation you've been postponing.

  • Compliance

    Read your cyber policy's fine print

    Many claims are denied because the insured didn't have MFA or backups they attested to. Pull your policy, find the security warranties, and confirm you actually meet every one before you need to file.

3 tips

Awareness training

  • Awareness training

    Run a phishing simulation this month

    Quarterly is the minimum; monthly is better. Even a 10-person team benefits — and the click-rate trend over 3 simulations is what your insurance carrier wants to see.

  • Awareness training

    Give staff a one-click 'Report phish' button

    If reporting a suspicious email is hard, people just delete it — and you lose the early warning. Add the report button to Outlook/Gmail so one click routes it to you instead of the trash.

  • Awareness training

    Make security part of onboarding

    New hires are most phishable in week one, before they know how you communicate. Add a 15-minute security walkthrough — MFA setup, how to spot a lure, who to ask — to your onboarding flow.