Reference
Resources
Printables for day-to-day habits, then official public sources by region—so you can go deeper without hunting across the page.
Quick print
One-tap print targets for each item. Use your browser’s print dialog or "Save as PDF".
- Small Business Cyber Basics Checklist
- Payment Change Verification Script
- First 15 Minutes After a Cyber Incident Card
- Quarterly Access Review Checklist
- New Employee / Contractor / Volunteer Access Checklist
- Critical Account Inventory
- Role-specific Action Plan
Learning materials by region
Starting points from public agencies—not endorsements, just common references used in the kit’s scenarios.
United States
Australia / general reference
Full in-page previews
Scroll through the same checklists and scripts in full before you print. Long content is easiest to read here in sections.
Small Business Cyber Basics Checklist
Accounts
- Use named accounts for each person where possible.
- Turn on MFA for important accounts.
- Review admin accounts monthly.
Payments
- Verify payment changes through a trusted contact method.
- Use a second approval step for unusual payment requests.
- Document payment-change verification details.
Devices
- Require lock screen on phones, tablets, and laptops used for work.
- Keep operating systems and apps updated.
- Report lost or stolen devices the same day.
Backups
- Back up estimates, invoices, contracts, and job photos.
- Store backups in a separate location from daily work systems.
- Test at least one restore each month.
Access
- Assign minimum access needed for each role.
- Set temporary access end dates for contractors/volunteers.
- Remove access when work ends.
Data
- Keep customer and project details in designated business tools.
- Avoid sharing sensitive data through personal chat apps.
- Review where key data lives each quarter.
Incident Response
- Keep a one-page incident contact list.
- Use LOCK steps in the first 15 minutes.
- Record timeline, actions, and who was contacted.
Website, Domain & Admin Accounts
- Use MFA and named admins for domain registrar, hosting, and website CMS.
- Review Google Business Profile and social/page admins quarterly.
- Verify recovery email/phone contacts for domain and core admin accounts.
- Document who owns domain registrar and website admin access.
- Remove former agency and contractor admin access promptly.
- Keep website plugins and platform software updated where applicable.
- Review business email admin/security settings on a quarterly schedule.
- For SPF/DKIM/DMARC configuration, ask your email or IT provider.
Regional Reporting & Resources
- Keep your region’s public cyber reporting links in your incident card.
- Assign who submits incident reports and who keeps records.
- Review trusted regional resource links quarterly.
Professional Help & Insurance Awareness (Educational)
- Document when to contact legal counsel or a qualified security professional.
- Keep insurer contact details and incident-notification steps accessible if you have coverage.
- Use this as educational preparedness only, not legal or insurance advice.
Educational training only—field guides for cyber basics. Not legal advice, a security audit, regulatory attestation, insurance qualification, or a guarantee of security.
Independent Human Actually project—not endorsed by any employer.
Payment Change Verification Script
We received a request to update payment information. Before we make any change, we verify through an existing trusted contact method. Can you confirm whether this request is legitimate?
- Never rely only on the contact details inside the suspicious message.
- Document who verified, when, and what was confirmed.
First 15 Minutes After a Cyber Incident Card
- L - Lock the account or device
- O - Observe what happened
- C - Contact the right help
- K - Keep records
Quarterly Access Review Checklist
- banking
- payroll
- accounting
- website
- social media
- cloud storage
- booking/POS/payment systems
- customer/client/donor/patient records
New Employee / Contractor / Volunteer Access Checklist
- create named account where possible
- assign minimum needed access
- enable MFA
- avoid shared passwords
- document access granted
- set access end date if temporary
- remove access when work ends
Critical Account Inventory
Use this worksheet to track high-impact admin and operational accounts.
| Account/tool name | Category | Business owner | Admin users | MFA enabled? | Recovery email/phone checked? | Backup admin? | What happens if access is lost? | Former users removed? | Notes |
|---|---|---|---|---|---|---|---|---|---|
| business email, banking/payment, payroll/accounting, website/domain, social media, Google Business Profile, cloud storage, booking/POS/e-commerce, customer/client system, other | | | | | | | | | |
Role-specific Action Plan
- set rules
- assign responsibility
- review access
- verify payments
- protect critical accounts
- maintain backups
- create incident contact list
Recommended output pack
- Critical Account Inventory
- Payment Change Rule
- Quarterly Access Review
- Incident Contact Sheet
- Backup Restore Reminder
Business-specific checklist items
- Verify supplier banking changes through known callback numbers.
- Protect jobsite phones/tablets with lock, update, and rapid report rules.
- Review subcontractor access and remove stale file links weekly.