A dual-audience checklist covering the technical controls that tools like the Digital Trust Mark test — and the business-level controls they do not. Use it to assess where you stand and prioritise what to fix first.
Just earned your Digital Trust Mark? The mark verifies your technical configuration — HTTPS, TLS, email authentication, and security headers. This checklist picks up where it leaves off, covering the staff, device, backup, and governance controls that automated tools cannot assess.
These are the controls that automated tools like the Digital Trust Mark assess. They are configuration tasks — most can be completed without specialist expertise and have an immediate impact on your security posture.
Prevent attackers from sending emails that appear to come from your domain
Tells receiving mail servers which servers are authorised to send email on your behalf. Use -all (hard fail) for maximum protection.
Digitally signs every outgoing email so recipients can verify it genuinely came from your domain and has not been tampered with.
Tells receiving servers what to do with emails that fail SPF or DKIM checks. Start with p=quarantine, then move to p=reject after monitoring.
DMARC aggregate (rua) reports show you who is sending email using your domain — including attackers. Review monthly to catch spoofing attempts.
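As an added self-check (example code, not part of the original page), the two functions below apply the SPF and DMARC rules above to record strings: a hard-fail `-all`, the 10-lookup limit, the `p=` policy stage and the presence of an `rua=` address. The sample records are constructed and example.ie is a placeholder domain; a real assessment would fetch the TXT records for the domain and `_dmarc.<domain>` and pass them in.

```python
"""Evaluate SPF and DMARC TXT records against the checklist above (added example)."""
import re

# Constructed sample records; example.ie is a placeholder, not a real assessment target.
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.ie"

# SPF permits at most 10 DNS-querying mechanisms; more yields a permerror.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.I)


def check_spf(record: str) -> list[str]:
    """Return findings; an empty list means the record meets the checklist."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    terms = record.split()
    # The 'all' mechanism decides the fate of unlisted senders: -all is a hard fail.
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif not all_terms[-1].startswith("-"):
        findings.append(f"'{all_terms[-1]}' is a soft fail or neutral; use -all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return findings; an empty list means p=reject with aggregate reporting enabled."""
    tags = {}
    for kv in record.split(";"):
        name, _, value = kv.strip().partition("=")
        if value:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("p=quarantine is a good start; move to p=reject after monitoring")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    return findings
```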
Protect your domain from hijacking, spoofing, and fraudulent certificates
Restricts which Certificate Authorities can issue SSL certificates for your domain. Prevents unauthorised certificate issuance.
Adds cryptographic authentication to DNS responses, preventing DNS cache poisoning attacks that redirect your domain to malicious sites.
Your domain registrar account is a high-value target. A compromised registrar account can redirect your entire domain. Enable MFA immediately.
An expired domain can be registered by an attacker within minutes of expiry. Enable auto-renewal and ensure payment details are current.
Ensure all data between your website and visitors is encrypted
Every page on your site must be served over HTTPS. HTTP pages are marked 'Not Secure' by browsers and transmit data in plaintext.
Any visitor who types http:// should be automatically redirected to https://. This should return a 301 permanent redirect.
TLS 1.0 and 1.1 are deprecated and vulnerable. Your server should only accept TLS 1.2 and 1.3 connections.
Your SSL certificate must be issued by a trusted Certificate Authority and must not be expired. Let's Encrypt certificates are valid for 90 days, so renewal must be automated.
Instruct browsers to apply additional protections when loading your site
Strict-Transport-Security: max-age=31536000; includeSubDomains — instructs browsers to always use HTTPS, preventing SSL stripping attacks.
Prevents browsers from MIME-sniffing a response away from the declared content type, blocking a class of content injection attacks.
Prevents your site from being embedded in an iframe on another domain, blocking clickjacking attacks.
Controls how much referrer information is included with requests. strict-origin-when-cross-origin is the recommended setting.
Specifies which sources of scripts, styles, and other resources are permitted to load on your pages. The primary defence against XSS attacks.
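An added example (not code from the original page) that scores a response's headers against the five controls above: HSTS with a one-year max-age and includeSubDomains, nosniff, anti-framing, Referrer-Policy and a CSP. The header set is a constructed sample; a real check would pass the headers returned by a request to your own site.

```python
"""Check an HTTPS response's security headers against the checklist above (added example)."""

# Constructed sample response headers from a site that has everything except a CSP.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

ONE_YEAR = 31536000  # the max-age the checklist recommends for HSTS


def hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            return int(arg.strip())
    return 0


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means all five checklist headers are in place."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        if hsts_max_age(hsts) < ONE_YEAR:
            findings.append("HSTS max-age below one year (31536000)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff")
    csp = h.get("content-security-policy", "")
    # Framing is blocked by X-Frame-Options or by the CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors: clickjacking possible")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy should be strict-origin-when-cross-origin")
    if not csp:
        findings.append("Content-Security-Policy missing")
    return findings
```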
Not sure where to start?
Download The Irish SME Cyber Survival Guide — 10 controls based on NCSC Ireland & ENISA guidance. Plain English, no jargon.
These controls address the risks that technical configuration cannot prevent — phishing, ransomware, insider threats, and regulatory non-compliance. According to Amárach research for .IE, phishing accounts for 60% of Irish cyber incidents. None of these risks appear in an automated website scan.
The controls that protect against phishing — the cause of 60% of Irish cyber incidents
Multi-factor authentication on email is the single most impactful security control for Irish SMEs. A stolen password alone is not enough to access the account.
Microsoft 365, Google Workspace, accounting software, CRM — every business application with sensitive data should require MFA.
Phishing accounts for 60% of Irish cyber incidents. Staff who can recognise suspicious emails and know the reporting process are your most effective defence.
Simulated phishing exercises measure your team's real-world resilience and identify who needs additional training before an attacker does.
Former employees with active accounts are a significant insider threat risk. Establish a process to disable accounts immediately on departure.
Staff should have access only to the systems and data they need for their role. Admin rights should be granted sparingly and reviewed regularly.
Patching and endpoint protection — the controls that stop ransomware
Exploitation of system weaknesses accounts for 21.3% of Irish cyber incidents. Unpatched systems are the most common entry point for ransomware.
This includes your CMS (WordPress, etc.), plugins, accounting software, and any other business applications. Outdated plugins are a primary attack vector.
All company-owned devices should have up-to-date endpoint protection. Modern EDR solutions detect behavioural threats that traditional antivirus misses.
If staff access business data on mobile devices, an MDM policy ensures those devices can be wiped remotely if lost or stolen.
The controls that determine whether you survive a ransomware attack
Backups should run at least daily for critical data. The 3-2-1 rule: 3 copies, on 2 different media types, with 1 offsite or in the cloud.
An untested backup is not a backup. Restore a sample of data from backup at least quarterly to verify the process works before you need it.
Ransomware will encrypt any backup it can reach. Backups must be stored offline or in a separate cloud account that is not connected to your main environment.
How long can your business operate without its systems? Knowing your RTO determines how much backup infrastructure you need and informs your incident response plan.
The organisational controls that NIS2 and regulators will look for
What do you do in the first hour of a ransomware attack? Who do you call? A tested incident response plan reduces response time and limits damage.
If your business operates in a regulated sector or the supply chain of a regulated organisation, NIS2 may apply. Penalties reach €10m or 2% of global turnover.
Cyber insurance covers incident response costs, ransomware payments, legal fees, and business interruption. Review annually to ensure coverage matches your risk profile.
Your suppliers with access to your systems or data are an extension of your attack surface. Review their security posture before granting access.
| Control Area | Digital Trust Mark | This Checklist | vCISO Engagement |
|---|---|---|---|
| HTTPS & TLS configuration | | | |
| Email authentication (SPF, DKIM, DMARC) | | | |
| HTTP security headers | | | |
| DNS & domain security | | | |
| Multi-factor authentication | | | |
| Staff phishing awareness | | | |
| Patch management | | | |
| Backup & recovery testing | | | |
| Incident response planning | | | |
| NIS2 compliance assessment | | | |
| Supply chain risk management | | | |
| Security roadmap & governance | | | |
Working through a checklist is a good start. A structured security review gives you a clear picture of where you stand across all these areas — and a prioritised, practical plan for what to fix first, based on your specific business context and risk profile.