How to Create a Personal Cyber Safety Action Plan

Written by: Remaleh Cyber Safety Team
Reviewed by: Remaleh Cyber Safety Team (Practical Cyber Safety guidance and response)

A personal cyber safety action plan is a simple record of the accounts, devices, and choices that matter most when something goes wrong.

Most people only hunt for their recovery details after an account is locked, a phone is lost, or a strange payment request appears. A short plan gives you a calmer starting point before things get harder.

Start with the accounts that unlock everything else

Your email, phone number, banking app, cloud storage, and password manager are usually the top priority. Each one needs a strong password or passkey, two-step verification, and recovery details that still belong to you. Current NIST guidance emphasises long passwords and changing them when there is evidence of compromise, rather than forcing constant password changes.

Source: NIST

"The best plan is one you can actually find and follow when you are under pressure."
- Remaleh Cyber Safety guidance

  • List your key accounts and where recovery codes are stored.
  • Write down who to contact if a payment, account, or device problem comes up.
  • Check which devices are signed in to your most important accounts.
  • Review old apps, browser extensions, and unused accounts every three months.
  • Keep device updates on, and know where your backup is stored.

The plan does not need to include passwords. In fact, it should not. It should tell you what to check, who to contact, and what to stop doing if an account alert, suspicious link, or scam pressure shows up.

Review the plan after major changes: a new phone, new home internet, a new bank card, family separation, travel, or any change in who helps manage your accounts.

Turn the plan into a simple checklist

  • Priority accounts: email, phone provider, banking, cloud, social media, app stores, and password manager.
  • Priority devices: phone, laptop, tablet, router, backup drive, and any device used for payments.
  • Recovery details: current phone numbers, email addresses, recovery codes, backup contacts, and signed-in devices.
  • Payment response: bank contact path, card controls, payment provider, and what evidence to keep.
  • Review rhythm: after a new phone, house move, travel, family change, account alert, or scam attempt.

Source: NIST, Australian Cyber Security Centre

Keep the plan somewhere you can reach without logging into the account that might be affected. A printed note in a safe place can be more useful during account lockout than a file stored only in the cloud.

Review the plan after any major change: a new phone, new bank card, new housemate, new school app, travel, a breakup, a bereavement, or a scam attempt. Those moments often change who has access and which account matters most.