Cybersecurity is easier to understand when you think about it in terms of your home security.
Cybersecurity – using the foundations of physical security
Most of us take steps to keep our homes safe, like locking doors, shutting windows, setting alarms, and leaving lights on when we’re away. These habits are practical and help lower the risk of burglary.
Yet when it comes to business security, we see many organisations unknowingly leave the digital equivalent of windows open. This is largely because it is not always obvious where the risks are or what “good security” looks like.
However, protecting your business does not require complex, expensive tools and investments. Just putting the basics in place can significantly reduce your business risk.
We have compiled a list of practical, relatable tips to do just this:
Lock the Doors — Strengthen Passwords and Access
Think of your password as your key to the front door of your systems.
When creating a password, we recommend you:
- Use strong, unique passwords for each system, or use single sign-on
- Avoid sharing accounts between staff
- Remove access promptly when someone leaves
- Limit administrative access and follow the principle of least privilege
- Multi-factor authentication (MFA) is a critical minimum. If you can, use a physical hardware security key, which resists the phishing attacks that one-time codes do not
- Use a business-focused password manager
- Make sure all of this is reflected in your IT acceptable use policy
- Review security logs regularly
- Monitor the dark web for breached accounts and passwords
What good enough looks like:
- All staff have MFA switched on for all accounts
- Staff access to systems is reviewed regularly
- Least-privilege principles are followed for all systems
- A 'breach watch' automation is set up, or a password management system that provides this is in use
When to review:
ASAP – this is critical and ‘good enough’ is the absolute minimum of what you need to do.
Put the dangerous things in a locked cupboard – Least Privilege Access
When it comes to things that can harm our children, we are pretty good at making sure they are behind a locked door or in a locked cupboard. But how often do you think of this in business? Giving people the data they need to do their jobs is crucial, but letting them access other people's personal information is a no-no.
Aligning staff’s job role to the data they need is a relatively easy task but often overlooked. We suggest the following simple steps:
- Use a per-department data location, either in the cloud or on a server; organising your data by department is an effective way to minimise access issues
- Create groups: put staff into groups and allocate access to the group, so that new starters get the access they need without any fiddling around or, worse, being given everything
- Don't give users admin rights to their own computers: "I just want to be able to install my own software" is a great way to get hit by ransomware or end up with unlicensed software on a computer
- Audit access to shared data resources
- Create a dedicated 'external sharing' SharePoint site and turn external sharing off on all other sites
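The audit in the last three points can be scripted. The block below is an added example, not the post's own code or any vendor's tool: it runs over a permissions export and reports direct user grants (instead of group grants), broad 'Everyone'-style grants, and external sharing switched on anywhere other than the one designated site. The CSV layout, the site names and the `External-Sharing` site name are constructed assumptions; a real SharePoint or file-server export will need its columns mapped onto them.

```python
"""Audit a shared-data permissions export against the rules above:
access via department groups rather than individual users, no broad
'Everyone'-style grants, and external sharing enabled only on the one
designated site. Added example; not the post's own code or a vendor tool.
The CSV layout and site names are constructed assumptions."""
import csv
import io

# Constructed sample export (not real data). One row per permission grant.
# Columns: site, principal, principal_type (user|group), external_sharing (on|off)
SAMPLE_EXPORT = """site,principal,principal_type,external_sharing
Finance,Finance-Staff,group,off
Finance,jane.doe,user,off
HR,HR-Staff,group,off
HR,Everyone,group,off
Sales,Sales-Staff,group,on
External-Sharing,Sales-Staff,group,on
"""

# Principals that grant access to the whole tenant rather than a department.
BROAD_PRINCIPALS = {"everyone", "everyone except external users", "all users"}

# Assumed name of the single site on which external sharing is permitted.
EXTERNAL_SHARING_SITE = "External-Sharing"


def audit_permissions(csv_text, external_site=EXTERNAL_SHARING_SITE):
    """Return (site, finding) tuples, in the order the rows are read.

    Three checks, one per rule in the post:
      1. a grant made directly to a user instead of a department group;
      2. a grant to a broad, tenant-wide principal;
      3. external sharing switched on for any site other than external_site.
    """
    findings = []
    sites_checked = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        site, principal = row["site"], row["principal"]
        if row["principal_type"] == "user":
            findings.append((site, f"direct grant to user {principal}; use a department group"))
        if principal.lower() in BROAD_PRINCIPALS:
            findings.append((site, f"broad principal '{principal}' has access; scope to a group"))
        # external_sharing is a site-level setting repeated on every row,
        # so report it once per site.
        if site not in sites_checked:
            sites_checked.add(site)
            if row["external_sharing"] == "on" and site != external_site:
                findings.append((site, "external sharing is on; allow it only on the designated site"))
    return findings


if __name__ == "__main__":
    for site, finding in audit_permissions(SAMPLE_EXPORT):
        print(f"{site}: {finding}")
```

Run it against the sample and it reports three findings: the direct grant to `jane.doe` on Finance, the `Everyone` grant on HR, and external sharing on Sales. The `External-Sharing` site is allowed to share externally, so it is not reported. Running this on a schedule, rather than once, is what turns the annual audit in the list below into something that catches drift between audits.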
What “Good Enough” Looks Like
- Departmental data stores and groups set up
- Annual audits for data access
When to Review
- Every three to six months, or when team members change roles
Your staff are a great asset, but not everyone should have access to all the information in your business. Putting protections in place safeguards you, your staff and your customers' data.
Close the Windows — Secure Email and Cloud Access
From a digital perspective, unsecured email and cloud services are the equivalent of open windows to a burglar. They are one of the easiest ways in.
To effectively “close your windows” to hackers, we’d recommend you:
- Limit administrative access and follow the principle of least privilege
- Keep administrative accounts separate from everyday user accounts and mailboxes; admin accounts that can receive email are regularly targeted by phishing
- Review security logs regularly
- Use built-in tools such as Microsoft Secure Score in Microsoft 365 to turn on the recommended configuration
- Work through the recommended configuration in full rather than switching on a few items and leaving the rest
- Ensure firewalls are enabled on both the network perimeter and all your endpoints (computers)
- Run regular vulnerability scans and resolve the issues found as soon as possible
- Make sure network devices like firewalls and switches are kept up-to-date with the latest firmware and security updates
What “Good Enough” Looks Like
- Multi-factor authentication is turned on for all services and all administrator accounts
- The built-in security tools have been run and the full set of steps to secure your configuration followed
- Employees log in securely and do not share passwords
When to Review
- Every three to six months, or when team members change roles, or new tools are introduced
Most cyber incidents start with an email. Closing these “windows” reduces the chance of someone wandering straight into your systems.

Install an Alarm — Monitor Your Systems
A monitored system can detect a potential threat in the digital space, much like your house alarm. It doesn’t stop someone trying to break in — but it ensures you know quickly if they do.
What this means in practice:
- Use antivirus software, or better, Endpoint Detection and Response (EDR) software
- Monitor login activity and detect unusual behaviour early: set up alerts for failed logins, logins from new devices, and access from unfamiliar locations
- Enable email and audit logging, and admin alerts, in your cloud platforms
- Use basic endpoint monitoring tools if your budget allows
- Train employees to recognise and report phishing or suspicious behaviour
- As you grow, consider using a log aggregator or simple security monitoring tool (SIEM)
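The login alerts in the second point are simple enough to show as working code. The block below is an added example, not the post's own code and not any platform's built-in alerting: it runs three rules over sign-in events (a burst of failed logins, a success straight after such a burst, and a successful login from a country or device the user has not used before). The CSV log layout, the five-in-five-minutes threshold and the sample events are constructed assumptions; map your own sign-in export onto the columns.

```python
"""Run the alert rules the post recommends over sign-in logs: a burst of
failed logins, a success immediately after such a burst, and a successful
login from a country or device the user has not used before.
Added example; not the post's own code and not any platform's built-in
alerting. The CSV log layout, the thresholds and the sample events are
constructed assumptions; map your own sign-in export onto the columns."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data), columns:
# timestamp (UTC, ISO 8601), user, result (success|failure), country, device
SAMPLE_LOG = """timestamp,user,result,country,device
2024-03-01T08:00:00,alice,success,GB,laptop-01
2024-03-01T08:05:00,bob,success,GB,laptop-02
2024-03-01T09:00:00,alice,success,GB,laptop-01
2024-03-01T22:10:00,bob,failure,GB,laptop-02
2024-03-01T22:10:20,bob,failure,GB,laptop-02
2024-03-01T22:10:40,bob,failure,GB,laptop-02
2024-03-01T22:11:00,bob,failure,GB,laptop-02
2024-03-01T22:11:20,bob,failure,GB,laptop-02
2024-03-01T22:11:40,bob,success,GB,laptop-02
2024-03-02T03:30:00,alice,success,RU,unknown-77
"""

FAIL_THRESHOLD = 5                  # assumed: this many failures ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window is a burst


def parse_log(text):
    """Parse the CSV into dicts with a real datetime, oldest event first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def detect_anomalies(text, fail_threshold=FAIL_THRESHOLD, fail_window=FAIL_WINDOW):
    """Return (timestamp, user, alert) tuples in time order.

    The 'known' country and device baselines are built from each user's
    own earlier successful logins in the same log, so a user's first
    success never raises a new-location alert by itself; in practice the
    baseline would come from a longer history than one log file.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    known_countries = defaultdict(set)
    known_devices = defaultdict(set)
    minutes = int(fail_window.total_seconds() // 60)

    for ev in parse_log(text):
        user, ts = ev["user"], ev["timestamp"]
        q = recent_failures[user]
        while q and ts - q[0] > fail_window:   # drop failures that fell out of the window
            q.popleft()

        if ev["result"] == "failure":
            q.append(ts)
            if len(q) == fail_threshold:       # fire once, when the count reaches the threshold
                alerts.append((ts, user, f"{fail_threshold} failed logins within {minutes} minutes"))
            continue

        # A successful login right after a burst is the case to look at most closely.
        if len(q) >= fail_threshold:
            alerts.append((ts, user, f"successful login after {len(q)} failed attempts"))
        q.clear()

        if known_countries[user] and ev["country"] not in known_countries[user]:
            alerts.append((ts, user, f"login from new country {ev['country']}"))
        if known_devices[user] and ev["device"] not in known_devices[user]:
            alerts.append((ts, user, f"login from new device {ev['device']}"))
        known_countries[user].add(ev["country"])
        known_devices[user].add(ev["device"])
    return alerts


if __name__ == "__main__":
    for ts, user, alert in detect_anomalies(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {user}: {alert}")
```

On the sample this produces four alerts: bob's five failures within 80 seconds, bob's success immediately afterwards, and alice's 03:30 login from a new country on a device never seen before. The second of those is the one to act on first, because a success after a burst usually means the guessing worked. Raising the threshold to six silences both of bob's alerts but leaves alice's, which is the point of keeping the location and device rules independent of the failure count.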
What “good enough” looks like:
- Alerts are received and reviewed regularly
- Logs are available for investigations
- Employees know how to report threats and do so without hesitation
- Have a clearly defined breach response plan
When to review:
Every quarter, or after any suspicious incident or failed phishing test
This approach ensures that issues do not go unnoticed for weeks. Instead, they are contained early, limiting the operational impact. This is one area where an MSP adds significant value.
Secure Your Personal Belongings— Protect Remote Working
Remote working is now the norm and supporting it is essential, but strong controls need to be in place to protect the business. Cybercrime has evolved significantly in a short space of time, becoming smarter with the rise of AI, and cybercriminals have many advanced ways of trying to get past basic security measures.
Remote access, home working, and mobile devices are essential, but they need controls.
In practice, we recommend that you:
- Use secure remote access methods to reach company data
- Always ensure that staff have a work laptop and do not access company data from their own devices
- Manage laptops and mobile devices with mobile device management (MDM)
- Centrally manage and report on automatic updates and patching
- Keep remote devices encrypted and make sure staff work in the cloud rather than on local copies
- Perform a GDPR data audit to ensure remote staff have access only to the data they need
- Provide security and breach-response training, and refresh it regularly
What “good enough” looks like:
- Remote work policies reflect business need and risk
- Data is locked down so remote staff cannot download it to their own machines
- Updates are checked remotely to confirm they have been applied
- Work laptops, or some form of virtual desktop service, are issued
When to review:
Review this annually and check that staff are compliant.
Make sure that staff onboarding and training tells remote workers what they should do in the event of a breach.
Remote working should enable productivity, not introduce hidden risk.
Maintain the House — Keep Systems Updated
A poorly maintained home is easier to break into. Outdated systems create the same problem.
What this means in practice:
- Keep software and devices up to date
- Apply security patches promptly
- Retire unsupported systems
- Maintain and test a disaster recovery plan and the systems it relies on
What “good enough” looks like:
- You are confident that your disaster recovery plan is fit for purpose
- You know that your last test of your disaster recovery system was successful
- You have clear visibility of all your systems, their health and update status
- Unsupported systems are known about and recorded in a central log
When to review:
Review at least once a year; disaster recovery needs to be checked monthly. Add new systems as they arrive, and audit the data on existing systems to ensure it is recoverable.
Insurance is the Safety Net, Not the Lock
Insurance is your last resort. Having strong security in place just like your home security routines is best. Insurance should not replace locks and alarms.
Just like home insurance, cyber insurance penalises businesses that have poor basic security controls in place. Prevention reduces claims, downtime and reputational damage, as well as lost revenue and the cost of rectifying the damage done.
How An MSP Helps Bring It All Together
Managing all of this is challenging, especially for a small business. An MSP acts as your security partner: a good MSP will carry out a complete assessment of the IT in your business, identify where the gaps are, close them, and monitor your environment continuously. They will work with you to create a Budgeted IT Plan that covers security, so your investments are planned and aligned to your business goals.

Final Thought
Meeting the "good enough" markers will help you start your journey towards reducing risk. Small, sensible steps applied consistently will go a long way in protecting your data and your business.
Next Steps
We are running a live webinar on Wednesday 4th February, 10 am to 11 am, which covers many of the topics this blog discusses, including why MFA alone is not enough as cybercriminals adopt AI. The webinar will cover how you can protect your business from these increasingly sophisticated methods so you stay one step ahead.

