A practical website security checklist covering HTTPS, DMARC, MFA, backups, and NIS2 compliance. For Irish SME owners and IT managers — plain English, actionable steps.
A dual-audience checklist covering the technical controls that tools like the Digital Trust Mark test — and the business-level controls they do not. Use it to assess where you stand and prioritise what to fix first.
Each check is graded: Quick Win (do this week), This Month (schedule it), or Plan Ahead (requires expertise).
Part 1 — Technical Controls: Website & Email Configuration
These are the controls that automated tools like the Digital Trust Mark assess. They are configuration tasks — most can be completed without specialist expertise and have an immediate impact on your security posture.
Email Authentication
Prevent attackers from sending emails that appear to come from your domain.
- SPF record configured with -all (hard fail)
- DKIM signing enabled on every outgoing email
- DMARC policy published — start with p=quarantine, then move to p=reject
- DMARC aggregate reports reviewed monthly
DNS & Domain Security
Protect your domain from hijacking, spoofing, and fraudulent certificates.
- CAA record published to restrict certificate issuance
- DNSSEC enabled to prevent DNS cache poisoning attacks
- Domain registrar account secured with MFA
- Domain auto-renewal enabled with current payment details
HTTPS & TLS Configuration
Ensure all data between your website and visitors is encrypted.
- HTTPS enabled on all pages
- HTTP redirects to HTTPS with a 301 permanent redirect
- TLS 1.2 and 1.3 only (1.0 and 1.1 disabled)
- Certificate from a trusted CA, not expired
HTTP Security Headers
Instruct browsers to apply additional protections when loading your site.
- HSTS header present to prevent SSL stripping attacks
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN to block clickjacking
- Referrer-Policy configured (strict-origin-when-cross-origin recommended)
- Content Security Policy (CSP) deployed — primary defence against XSS
Part 2 — Business Controls: People, Devices & Governance
These controls address the risks that technical configuration cannot prevent — phishing, ransomware, insider threats, and regulatory non-compliance. According to Amárach research for .IE, phishing accounts for 60% of Irish cyber incidents. None of these risks appear in an automated website scan.
Staff & Access Controls
The controls that protect against phishing — the cause of 60% of Irish cyber incidents.
- MFA enabled on all business email accounts
- MFA enabled on cloud storage and business applications
- Staff trained to recognise phishing emails
- Phishing simulation run in the last 12 months
- Leavers' accounts disabled on the day of departure
- Principle of least privilege applied to access rights
Devices & Software
Patching and endpoint protection — the controls that stop ransomware.
- Operating system updates applied within 14 days
- Business software and applications kept up to date
- Endpoint protection (antivirus/EDR) on all devices
- Mobile Device Management (MDM) policy in place
Backup & Recovery
The controls that determine whether you survive a ransomware attack.
- Regular backups of all critical data — the 3-2-1 rule
- Backups tested by restoring data at least quarterly
- Backups isolated from the main network
- Recovery Time Objective (RTO) defined
Governance & Compliance
The organisational controls that NIS2 and regulators will look for.
- Incident response plan documented and tested
- NIS2 scope assessment completed
- Cyber insurance policy in place and reviewed annually
- Third-party and supply chain risk assessed
Want a Prioritised Action Plan?
Working through a checklist is a good start. A structured security review gives you a clear picture of where you stand across all these areas — and a prioritised, practical plan for what to fix first, based on your specific business context and risk profile.