From Automotive Recycling Magazine, July/August 2025 Issue
Get your team on the same secure page, ticking one cybersecurity box at a time.
By Jeremy Heidemann
We love a good “to-do” list. At work, we use to-do lists to break down complex technology projects into manageable tasks that keep us on track – even when unexpected challenges arise. Cybersecurity has become one of those overwhelmingly complex projects for business owners. Many analyze the risks, fear the consequences, and then freeze – leading to “analysis paralysis.”
But cybersecurity is not an all-or-nothing endeavor. Small, steady steps can strengthen your defense against cyber threats. That’s why we created this checklist – to break cybersecurity into actionable decisions that protect your business. The stakes are high: cyber threats can lead to financial loss, reputational damage, and legal consequences. However, rather than another article explaining why cybersecurity is important, this playbook focuses on practical steps you can take today. Let’s dive in!
How to Use This Checklist
Each section outlines key areas of cybersecurity – email security, device protection, employee training, and incident response. Along the way, you’ll find real-world scenarios and a progress tracker so you can assess where you stand and what to prioritize next.
We receive regular updates on how different businesses have suffered cyberattacks and come to Forbin or VGM seeking recommendations on how to secure their businesses after realizing these threats are very real. In most cases, a simple checklist or process could have prevented the breach. Let’s walk through your cybersecurity journey step by step.
Prevention: Locking the Doors Before Hackers Knock
Prevention is just one part of cybersecurity, but it is vital to blocking easy attempts to gain access to your data. Cybercriminals “check the locks” on doors and windows to your data. Those doors and windows are email security, computer/device security, password security on the platforms you use, your website security, and finally, employee education on catching a criminal who tries to access your data through your employees directly.
Email Security
All employees use a secure email platform on company devices and access it using multi-factor authentication (MFA).
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Secure email platform. This isn’t just a free Gmail or Outlook account. Free email services lack advanced protection for your company against phishing, spoofing, and unauthorized access. You need an enterprise-level email platform like Microsoft 365 or Google Workspace, which includes built-in encryption, advanced anti-phishing tools, and security settings. These settings block suspicious senders, but they don’t catch everything. You can add another layer of security with services like Barracuda ESS, Mimecast, or Microsoft Defender, which filter harmful emails, block spoofed domains, and detect malware.
∗ Company devices only. Many employees may be tempted to check personal emails or sign into personal accounts on their work-issued laptops or shared company computers.
Clicking the wrong link in a personal Gmail account can open a window for a cybercriminal to jump through and access your company platforms and secure data. Another common risk is when employees take their work laptops home and log into a company email platform from their personal computers.
This is a major security concern because home networks and personal devices lack enterprise-level security protections, making them easy targets for hackers. Because of this, it’s best to require employees to only access work email on company-issued devices that are secured, monitored, and controlled by IT.
Your IT team can even block access to personal email sites like Gmail on company networks to prevent this activity.
∗ Multi-Factor Authentication (MFA). This is the latest must-have in cybersecurity for email. Your employees should have a second layer of authentication besides their password to access company email – especially for first-time logins, password resets, or when accessing email from a new company device. Typically, this second authentication step happens through a mobile app like Microsoft Authenticator or Duo.
Why is this important? Phishing emails are getting very convincing. A common scenario is when an employee receives an email that looks like it’s from you, prompting them to click a link and sign in to what they believe is their Microsoft or Google Workspace account – but they’ve just handed their login credentials to a hacker.
If MFA is enabled, even if a cybercriminal has your employee’s password, they still can’t access the email account because they would need the second authentication factor. Since the hacker is attempting to log in from an unrecognized device, the authentication request would fail. Without MFA, the hacker could successfully log in and send malicious emails from your company account, targeting your clients, vendors, and employees.
Microsoft 365 now requires MFA by default, and it’s included in its enterprise platform. If you or one of your leaders disabled this setting for convenience, turn it back on ASAP to prevent security breaches.
Computer & Device Security
All company computers and devices have updated operating systems and secure logins, use only secure, updated browsers, and are locked when not in use.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Updated operating systems. Windows and macOS updates patch security vulnerabilities that hackers can exploit. If you don’t keep your systems updated, these vulnerabilities remain open, making them easy targets. Forbin’s team is making rounds this year to update all customer computers from Windows 10, as Microsoft has announced it will stop providing security updates to Windows 10 starting in October 2025.
This means any device still running on Windows 10 will become a security risk. Cybercriminals will be looking for these open windows.
∗ Unique logins for employees. Most businesses are moving to a unique, secure login for employees by using directory services such as Active Directory (AD) or Entra ID (formerly Azure Active Directory). Active Directory acts like a digital organizer for your company’s network, managing all employees, computers, and resources in a single location. With AD, each employee gets a unique login, ensuring that only authorized people can access sensitive information. It keeps your data secure and makes it easy to update or remove access if someone changes roles or leaves the company. AD also simplifies IT tasks like software updates and password resets, saving time and reducing errors. Entra ID offers similar benefits but is cloud-based, providing additional flexibility and scalability. It also allows secure logins from anywhere, making it ideal for remote or hybrid work environments.
It’s still vital to require your employees to lock their computers when not in use and to require each employee to log in to any shared computers using their unique login credentials.
∗ Updated browsers. Browsers like Internet Explorer, Microsoft Edge, Google Chrome, and Mozilla Firefox can become outdated and a security liability. For example, the latest version of Microsoft Edge has enhanced privacy features, including tracking prevention and Microsoft Defender SmartScreen, which detects and blocks malicious websites and downloads.
These are just some of the benefits of keeping your computers locked to one browser, and keeping that browser updated on all of your devices.
Password Security
All employees keep their unique passwords to work-related platforms/websites stored in a secure password vault, not saved in or automatically filled in by any browser.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Unique passwords. Employees should never reuse the same password across multiple accounts or share login credentials with others. For example, if a cybercriminal figures out a user’s password for one login, they will attempt to use it across thousands of other sites to see if they can gain access with those credentials – a tactic known as credential stuffing.
Once they gain access, they’ll sell those credentials on the dark web, where other cybercriminals can exploit them to gain access to your data. Instead, use a password generator to keep the passwords extremely complex and different for each website or platform. We’ve seen this scenario play out in real life when a company called us for help after their employee logged into their personal Gmail account on a company computer, clicked on a bad link, and unknowingly gave a hacker remote access to their device.
Hours later, the employee noticed their mouse moving on its own as the attacker navigated their browser, opened up PayPal’s website, and used stored password credentials to access their data. These are very real occurrences that some employees don’t even notice are happening until it’s too late.
∗ Password vaults. The next step to ensuring your employees generate unique passwords each time and keep those credentials secure is to provide them with a password vault like MyGlue, LastPass or Bitwarden. Requiring the use of a password vault will keep your employees’ credentials secure while allowing you to oversee password usage, such as shared passwords. You can also control access so terminated or former employees can’t continue to access your company’s websites AND you don’t have to change all passwords when an employee is terminated. Password vaults are beautifully automated to generate strong passwords, save updated passwords, and provide your credentials when you need them, so you only have to remember one password, with MFA as a second layer of security.
∗ Avoiding saving passwords to browsers. The final step in securing your employees’ passwords is to remove saved passwords from web browsers, such as Google Chrome, Internet Explorer, Mozilla Firefox, Microsoft Edge, or Apple Safari. Browsers like these are often targets of malware and hackers. In a common scenario, someone who should not have access gets onto your employee’s computer, opens a browser, and starts automatically logging into your frequently visited websites and software to access your data.
Employee Education on Cybersecurity
All employees are required to receive regular training on cybersecurity threats and understand the importance of fast self-reporting.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
An uninformed employee is often the weakest link in your company’s cybersecurity defense. Employees are also the first line of defense against cyberattacks, which means cybersecurity must be a priority for everyone – yet many employees have little education on how to protect company data.
Why This Matters
∗ Regular training. Cybersecurity education should not be optional for ANY employee. We have seen employees at every level of leadership fall for phishing emails or engage in unsafe password practices. Setting up a training program – such as the Cyber Security Training add-on from VGM Education – keeps employees’ cybersecurity training evolving as cyber threats evolve. VGM Forbin also offers a cybersecurity training platform for those that aren’t subscribers of VGM Education.
∗ Required training. We can’t tell you how many times a business owner has said that their staff has completed cybersecurity training, but it is not required or managed. These employees are your first line of defense. If they can’t pass their cybersecurity training or fail your regular phishing tests, you may need to initiate a coaching and counseling process to ensure this issue is taken seriously.
∗ Self-reporting. Transitioning from coaching to self-reporting might seem counterintuitive, but it’s essential. No matter how well-trained your employees are, mistakes happen – and one wrong click on a phishing email can put your company at risk. The speed at which an employee recognizes and reports a security mistake can make a huge difference in containing the damage. You need to create a security culture that leads with trust, not fear, where employees understand the importance of cybersecurity and feel safe reporting an issue as soon as it is detected. This is also part of the training VGM can support your business with, because our entire company receives these same trainings and works hard to foster that positive cybersecurity culture.
Testing & Security Patching
My company employs a third-party ethical hacker team to complete a penetration test (pen test) on our environment to uncover weaknesses that we then patch with our in-house IT team or contracted IT provider.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Penetration testing. Some business owners believe that if they have an in-house IT team, pen tests aren’t necessary – but that’s like grading your own test. To truly identify weaknesses, you must undergo real-world attack simulations by ethical hackers. Pen tests go beyond standard vulnerability scans. This process uses both automated tools and manual attack strategies to test your system’s ability to withstand real cyber threats. A great starting point for understanding pen tests and their benefits is reaching out to Procircular – a company we’ve regularly worked with on remediation assistance after pen tests run by Procircular reveal vulnerabilities.
∗ Patching and remediation. Patching and remediation close security gaps. Once a pen test is complete, ethical hackers provide a detailed report with prioritized vulnerabilities and step-by-step remediation plans. IT teams must immediately address high-risk vulnerabilities to prevent exploitation. Regular validation and re-testing ensure that all security gaps are fully patched. Even though VGM stays very current with our cybersecurity practices and has pen tests completed regularly, there is always opportunity for strengthening our environment thanks to these pen tests.
Detection: Catching Cyber Threats Early
Prevention is your first line of defense, but the next critical component of cybersecurity is early detection. The ability to identify and respond to threats before they escalate can mean the difference between a minor incident and a full-scale data breach.
Consider this real-world scenario:
Many smaller cyber incidents serve as warning signs of a larger cyber attack brewing. Far too many businesses detect what appears to be an isolated security event, take minimal action, and assume the issue is resolved.
But cybercriminals don’t always attack in one strike – they often test your defenses first. If you don’t fully remove a threat from your network and reset security controls, the attacker can maintain access and strike again when your defenses are down. Don’t fall for this. The second you uncover an incident, even a small one, act as if you expect the cybercriminal to be lurking on your network.
Monitoring
My company monitors for unusual activity and unauthorized access, and takes action to secure any threats.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Continuous monitoring. Cybercriminals don’t wait for business hours to attack – they often strike late at night, over weekends, or during holidays when fewer people are actively monitoring networks.
To counter this, businesses must have 24/7 security monitoring in place through EDR and MDR solutions backed by a Security Operations Center (SOC) team. EDR (Endpoint Detection and Response) monitors every device (laptops, desktops, servers, and mobile devices) for unusual activity and anomalies. MDR (Managed Detection and Response) provides real-time threat detection and response, leveraging a dedicated SOC team that investigates and resolves security threats before they escalate.
Together, EDR and MDR form a proactive defense system that detects, analyzes, and neutralizes cyber threats before they can cause harm. Confirm with your IT provider or in-house team that your company has EDR and MDR solutions in place, and that your MDR service is backed by a 24/7 SOC team.
∗ Secure threats. Like we said, cybercriminals could be lurking at your door, waiting for you to forget to lock it. Even with strong security measures, incidents will happen. What matters most is how quickly you respond to minimize damage. Every security event – big or small – should be treated as a potential gateway for a larger attack. Follow this five-step threat response process:
1. Contain the threat – Immediately disconnect affected systems from the network to prevent further spread.
2. Investigate – Determine how the breach occurred, what data was accessed, and if the attacker still has access.
3. Eliminate the threat – Remove malicious files, apply security patches, and ensure the attacker’s access is fully revoked.
4. Recover securely – Restore affected systems from clean backups and confirm they are fully operational before bringing them back online.
5. Review and improve – Conduct a post-incident review to update security policies, reinforce your training, and improve future threat detection.
Ensure your IT team has a documented incident response plan that follows this structured approach to containment, elimination, and recovery.
Response: Preparing for Cyber Incidents
The final stage of your cybersecurity journey is response. Accepting that a cyber incident isn’t a matter of if, but when, allows your organization to be proactive rather than reactive. While your preventative measures reduce risk, they don’t eliminate it completely. Cyber threats continue to evolve, and even the best security measures can be breached.
The real question is: How well is your team prepared to respond?
Incident Response Planning
My company has an incident response plan that we have tested in a tabletop exercise and review quarterly.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Incident response plan. An incident response plan ensures a fast, coordinated response. Every organization needs a formalized plan that outlines key roles and responsibilities before, during, and after an incident, clear action steps to contain and mitigate cyber threats, and communication protocols for both internal teams and external stakeholders. Lack of an incident response plan will inevitably lead to confusion, delays, and more downtime than needed for your business.
∗ Tabletop exercise. A tabletop exercise will test your team’s readiness. Having an incident response plan isn’t enough – you need to ensure employees understand their roles and can execute the plan effectively. Running a simulated cyber attack (a tabletop exercise) allows your team to work through real-world attack scenarios and uncover any weaknesses in your response plan.
∗ Quarterly review. Reviewing the incident response plan quarterly is often overlooked, but very important. Many companies set and forget their response plan, but cyber threats evolve, and so does your workforce! Reviewing the plan quarterly ensures that all roles are assigned to active employees, response protocols align with the latest cyber threats, and any organizational or technology changes are addressed.
∗ Disaster recovery. In the event of a cyber incident, you really need to methodically work through your incident response plan. If you don’t have an incident response plan yet, you must first call your cyber liability insurance provider, your IT provider, and your lawyer. Don’t have cyber liability insurance? You need it – immediately.
∗ Appropriate cyber liability insurance. This brings us to our next need in cybersecurity – appropriate cyber liability insurance. We have noticed some businesses don’t have enough or the right cyber liability coverage unique to their business. You need to dig in to understand if there are gaps in your coverage, exclusions for negligence, and coverage appropriate to the true potential financial impact. Reach out to your insurance provider or VGM Insurance to get a full understanding of your coverage and if you need to make any adjustments.
When a Critical Vendor is Attacked
My company is prepared if a critical vendor experiences a cyber incident and is unavailable to my company.
∗ Complete
∗ Working On It
∗ Not Started, But on My List
∗ I Need More Information
Why This Matters
∗ Vendor incidents. When you think of a vendor experiencing a cyber incident that affected businesses like yours, you might be thinking of Change Healthcare. This is the type of scenario you also must prepare for with these steps:
1. Assess the Impact – Determine how the vendor’s incident affects your operations, what data may have been compromised, and the overall risk to your organization.
2. Communicate Internally – Inform your IT team, leadership, and key staff members so everyone is aware of the potential impact.
3. Activate Your Incident Response Plan – This is where your Incident Response Plan guides your next steps to mitigate risk.
4. Contact the Vendor – Reach out to the affected vendor to understand the nature of the attack and what actions they are taking to mitigate risk.
5. Implement Risk Mitigation Measures – You may need to isolate affected systems, change passwords, and increase security monitoring for unusual activity.
6. Review Your SLA or Contract – Review the contract with this vendor to understand your rights and the vendor’s obligations in a cyber incident.
7. Document Everything – Keep detailed records of all communications and actions taken during the incident.
8. Maintain Business Continuity – If the vendor’s services are unavailable for an extended time, create a plan for alternative solutions to keep operations going.
9. Conduct a Post-Incident Review – As always, debrief your team, identify lessons learned, and adjust policies to strengthen your security moving forward.
In Summary: Cybersecurity is a Continuous Journey
As we’ve navigated through this comprehensive cybersecurity checklist, it’s clear that securing your business is not a one-time task but an ongoing journey. Each step, from email security and device protection to employee education and incident response planning, plays a crucial role in safeguarding your business against cyber threats.
Remember, cybersecurity is a shared responsibility. Encourage your team to:
• Stay vigilant – recognizing and responding to threats before they escalate.
• Continuously educate themselves – because cyber threats evolve every day.
• Report suspicious activities immediately – early detection minimizes damage.
By following this cybersecurity checklist and implementing the recommended measures, you’re taking proactive steps to protect your business, your employees, and your customers.
Take Action Now – Don’t Wait for a Cyber Incident
Cyber threats don’t wait for you to be ready – so start today.
• Assess where your business stands on this checklist.
• Identify any gaps in your security measures.
• Work with your IT team or cybersecurity provider to close those vulnerable windows and lock those doors.
Cybersecurity isn’t just a compliance requirement – it’s an investment in the future of your business. Every small step you take today can prevent costly breaches and downtime tomorrow. Thank you for taking the time to read through this guide.
Together, we can build a more secure, resilient industry. Need assistance? If you have any questions or want expert guidance, reach out to us at VGM Forbin.
Jeremy Heidemann, IT Account Executive at VGM Forbin, brings 14 years of hands-on management experience from the auto salvage industry. He specializes in using technology to streamline operations, reduce costs, and boost efficiency. Jeremy helps auto recyclers modernize their IT infrastructure with solutions like cybersecurity, cloud services, and managed support. Reach him at 877-659-5241, email jeremyh@forbin.com, or visit www.forbin.com.