The Creator Security Checklist: 10 Things to Check This Weekend

Most creators spend years building their audience, their email list, and their income. Then they spend almost no time protecting it.

That's not laziness. It's just not on the radar until something goes wrong.

This checklist is designed to change that. Work through it this weekend. It takes about an hour. Some items you'll check off immediately. Others will surface problems you didn't know you had.

That's the point.

How to Use This

Go through each item honestly. Mark it as good, needs attention, or haven't done this. At the end, I'll tell you what your results mean.

Don't skip items because they feel obvious. The obvious ones are usually the ones that get people.

The 10 Items

1. Your primary email account uses a strong, unique password.

Your email account is the master key to your entire business. Every platform you use (Stripe, Kit, Kajabi, YouTube) has a "forgot password" button that sends a reset link to your email. If someone gets into your email, they can get into everything else.

A strong password is long (16+ characters), random, and not used anywhere else. If you're reusing your email password on any other site, fix this first.

Tool to use: Apple Passwords or Bitwarden. Pick one and use it.

2. Your email account has two-factor authentication turned on, and it's the right kind.

Two-factor authentication (2FA) means that logging in requires both your password and a second verification step. Even if someone gets your password, they can't get in without that second factor.

But not all 2FA is equal. SMS-based 2FA (a code texted to your phone) is better than nothing, but can be bypassed. An authenticator app like Apple's built-in authenticator, Bitwarden, or another dedicated app is significantly more secure.

Check: Log into your email provider settings and confirm 2FA is on. If it's SMS only, consider upgrading to an authenticator app.

3. Your account recovery options are accurate and still secure.

Most email providers let you set a backup email address and a recovery phone number. These exist so you can get back into your account if you lose access.

The problem: creators set these up years ago and never revisit them. If your recovery email is an old address you no longer have, or your recovery phone number is an old phone, you could be locked out permanently.

Check: Go to your email security settings right now. Confirm both your recovery email and phone number are current and secure.

4. Your domain is on auto-renew and you control the registrar account.

Your domain is your business address. If it expires, your website goes down, your email stops working, and anyone can buy it out from under you.

This happens more than you'd think. Creators buy a domain, set it up, and never think about it again until the renewal notice goes to a dead email address.

Check: Log into your domain registrar (GoDaddy, Namecheap, etc.). Confirm auto-renew is on. Confirm the account email is active. Confirm you know the login credentials. You can pay for multiple years at a time too.

5. Your Stripe account has 2FA enabled and only the right people have access.

Your Stripe account is where your money lives. It deserves at least as much security as your email.

Two things to check: Is 2FA turned on for your Stripe login? And who has access to your Stripe account? If you've ever added a contractor, bookkeeper, or business partner and haven't revisited permissions since, now is the time.

Check: Log into Stripe → Settings → Team. Review who has access and what their permission level is. Remove anyone who shouldn't be there.

6. Your email platform (Kit, Beehiiv, or something else) is secured independently.

Your email list is one of the most valuable assets in your business. Losing access to it, or having someone else gain access to it, is a serious problem.

Creators often secure their primary email but overlook the platforms they use to run their business. These need the same treatment: strong unique password, 2FA enabled.

Check: Log into each platform you use actively. Confirm 2FA is on. Confirm the password is unique (not reused from another account).

7. You're not reusing passwords across business accounts.

This is the most common vulnerability I see. One password used across five platforms means one breach exposes all five.

Data breaches happen constantly. When a site gets breached, attackers take the stolen email/password combinations and try them on every major platform automatically. If you reuse passwords, this works.

Check: Open your password manager. Look for any duplicate passwords across business accounts. Change them to unique ones.

If you don't have a password manager yet, this is the weekend to set one up. Like I mentioned before, Apple Passwords and Bitwarden are both solid options.
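One way to run the duplicate-password check from item 7 (and the 16-character check from item 1) over a password manager's CSV export, as an added example that is not part of the original post. The column names `name` and `login_password` are an assumption modelled on a Bitwarden-style export, and the sample rows are constructed.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 16  # the checklist's "16+ characters" threshold from item 1

# Assumed column names (Bitwarden-style CSV); change these for other tools.
NAME_COL, PASSWORD_COL = "name", "login_password"

# Constructed sample export, not real credentials.
SAMPLE_EXPORT = """name,login_username,login_password
Stripe,me@example.com,Tr0ub4dor&3
Kit,me@example.com,Tr0ub4dor&3
Kajabi,me@example.com,vK9#qLm2!xWz7RtYp4Ds
Registrar,me@example.com,correct-horse-battery-staple-91
YouTube,me@example.com,
"""

def audit(export_file):
    """Return (reused, short): groups of entry names that share a password,
    and entry names whose password is shorter than MIN_LENGTH.
    Only entry names are returned, never the passwords themselves."""
    by_digest = defaultdict(list)
    short = []
    for row in csv.DictReader(export_file):
        name = (row.get(NAME_COL) or "").strip()
        password = row.get(PASSWORD_COL) or ""
        if not password:
            continue  # entry has no stored password (e.g. a social login)
        # Group on a digest so plaintext is not held as a dictionary key
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(name)
        if len(password) < MIN_LENGTH:
            short.append(name)
    reused = [sorted(names) for names in by_digest.values() if len(names) > 1]
    return sorted(reused), sorted(short)

if __name__ == "__main__":
    reused, short = audit(io.StringIO(SAMPLE_EXPORT))
    for group in reused:
        print("Same password on:", ", ".join(group))
    for name in short:
        print(f"Under {MIN_LENGTH} characters:", name)
```

A CSV export holds every password in plaintext, so run this on your own machine and delete the export file as soon as you have the results.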

8. You've reviewed which apps have access to your Google or Apple account.

Over the years, you've probably connected dozens of apps to your Google or Apple account using "Sign in with Google" or "Sign in with Apple." Many of those apps still have access even if you stopped using them.

Each connected app is a potential entry point. If that app gets breached, your account could be at risk.

Check:

  • Google: myaccount.google.com → Security → Third-party apps with account access

  • Apple: appleid.apple.com → Sign in with Apple

Revoke access for any app you no longer use or don't recognize.

9. You have backups of your email list, course content, and key business assets.

Platforms go down. Accounts get suspended. Companies shut down. None of those things have to end your business if you have backups.

Most creators assume the platform is handling this. Sometimes it is. But "the platform has it" is not a backup strategy.

Check:

  • Export your email list from Kit, Kajabi, Substack, or wherever it lives. Save it somewhere you control.

  • Download a copy of your course content, digital products, and any assets that would be painful to recreate.

  • Set a recurring reminder to do this quarterly.

10. You know exactly who has access to your accounts and whether they should.

If you've ever worked with a VA, editor, designer, or contractor, you've probably shared account access at some point. Some of that access may still be active even if the relationship ended.

Shared credentials are a liability. Not because contractors are untrustworthy, but because you lose control the moment someone else has your password.

Check: Make a quick list of every platform that runs your business. For each one, identify who has access besides you. Remove access for anyone who no longer needs it. If you're sharing master passwords with contractors, that needs to change now. Most platforms support team members or collaborators with limited permissions.

What Your Results Mean

8–10 items checked off: Your security posture is solid. Keep it maintained and consider a full audit to surface anything this checklist doesn't cover.

5–7 items checked off: You have real gaps. Prioritize items 1, 2, and 5 first. Those protect your email and your money. Then work through the rest.

Fewer than 5: Your business is more exposed than it should be for what you've built. This is fixable, but it needs attention soon.

What to Do Next

If working through this checklist surfaced problems you're not sure how to fix, that's what I do.

I help creators audit and secure the infrastructure their business runs on. Not a report with recommendations you have to figure out yourself. A done-with-you process where we fix the actual problems together.

tomprotects

© 2026 Tom Protects. All rights reserved.
