Best Practices for Cyber Security (Deep-Dive Guide)


Cybersecurity isn’t “install an antivirus and forget it.” It’s people + process + technology, repeated consistently. This guide covers what to do, why it matters, and exactly how to implement it.

1) Identity Security: Protect Logins First (highest ROI)

Why: Stolen, phished or reused credentials are the most common way attackers get in; a strong, MFA-protected login blocks most of that before any other control matters.

Do this:

  • MFA everywhere (email, VPN/ZTNA, admin portals, finance tools, Git, HR/payroll). Prefer authenticator apps or hardware keys over SMS.
  • Password manager for all staff (shared vaults for teams; disable browser-saved passwords).
  • Single Sign-On (SSO) so users have one strong login; turn off direct passwords where possible.
  • Least privilege: no standing admin; use just-in-time (JIT) elevation for IT.
  • Fast offboarding: disable accounts and tokens within 1 hour of leaver notification.

Implementation tips (Microsoft 365):

  • Entra ID: Security Defaults (free) or, with Entra ID P1 (included in Business Premium), Conditional Access → Require MFA for all users. Block legacy authentication (IMAP/POP/SMTP AUTH and other basic-auth protocols): it cannot prompt for MFA, so it is the path password-spraying tools use.
  • Set sign-in risk policies (Entra ID P2); enable self-service password reset.
  • Use Privileged Identity Management (PIM, Entra ID P2) so admin roles are eligible rather than permanently assigned; require MFA + approval to activate.

Measure monthly: MFA coverage (% users/apps), number of standing admins (aim for 0), time to offboard.

2) Endpoint Security: Make Devices Hard to Break

Why: Laptops/phones are where attackers land after phishing.

Do this:

  • Auto-patching OS & apps; enforce reboots within 7–14 days for critical updates.
  • EDR (endpoint detection & response) on every device (Windows/macOS/Linux).
  • Disk encryption: BitLocker / FileVault. Screen lock ≤ 5 minutes.
  • Device management: Intune/Jamf. No local admin by default; standard builds (golden images).
  • App control: allow-list business apps; block unknown drivers and unsigned apps.
  • Mobile (BYOD): use Mobile App Management (MAM) with app-level protections if you can’t fully manage the device.

Measure monthly: Patch compliance, EDR coverage, % encrypted devices, % non-admin endpoints.

3) Email & Collaboration Security: Stop Phishing, Spoofing, and Malware

Why: Email is the #1 attack path for SMEs.

Do this:

  • Enable anti-phishing, Safe Links/Attachments, and malware scanning in your email suite.
  • Publish SPF, DKIM and DMARC for every domain you send from. Start DMARC at p=none with a rua= address so you receive aggregate reports, fix any legitimate senders that fail alignment, then move to p=quarantine and finally p=reject.
  • Add an External sender tag/banner to reduce “look-alike” attacks.
  • Security awareness: 10-minute micro-training monthly + phishing simulations.
  • Shared mailbox hygiene: block direct sign-in to shared mailbox accounts (reach them by delegation from MFA-protected user accounts only); turn off basic auth.

Measure: Phish click-rate trending down; domain authentication status; number of spoof attempts blocked.
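The decision to tighten DMARC should be driven by the aggregate (RUA) reports that p=none brings in, not by the calendar. The script below is an added example for this guide, not code from the original page: it parses one report, works out what share of mail passed DMARC (aligned DKIM or aligned SPF), lists the source IPs behind the failures, and only recommends the next policy step when nearly everything is aligned. The domain example.co.uk, the sample report and the 98% threshold are all assumptions; real reports arrive as zipped XML attachments at your rua= address.

```python
"""Summarise a DMARC aggregate (RUA) report and decide whether p= can be tightened.

Added example for this guide, not code from the original page. The report below is
a constructed sample in the standard RUA XML layout; real reports arrive as
zipped attachments at the rua= address in your DMARC record.
"""
import xml.etree.ElementTree as ET

# Constructed sample report for the (assumed) domain example.co.uk
SAMPLE_RUA_XML = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.co.uk</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>40</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
</feedback>
"""

# Order in which the policy is ratcheted up; never skip a step.
NEXT_POLICY = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}


def summarise(xml_text):
    """Count messages that passed DMARC (aligned DKIM *or* aligned SPF) vs failed,
    and list the source IPs behind the failures."""
    root = ET.fromstring(xml_text)
    passed = failed = 0
    failing_sources = {}
    for record in root.findall("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # policy_evaluated already reflects alignment with the From: domain
        if dkim == "pass" or spf == "pass":
            passed += count
        else:
            failed += count
            ip = row.findtext("source_ip")
            failing_sources[ip] = failing_sources.get(ip, 0) + count
    total = passed + failed
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "pass_rate": passed / total if total else 0.0,
        "failing_sources": failing_sources,
    }


def recommend(summary, threshold=0.98):
    """Only move to the next policy when nearly all volume is aligned. A lower
    rate usually means a legitimate sender (marketing tool, scanner, ticketing
    system) is not yet set up for SPF/DKIM, and tightening would drop its mail."""
    if summary["pass_rate"] >= threshold:
        return {"next_policy": NEXT_POLICY[summary["policy"]],
                "reason": f"{summary['pass_rate']:.1%} of mail aligned"}
    return {"next_policy": summary["policy"],
            "reason": "identify each failing source (spoofer or forgotten legitimate sender) first"}


if __name__ == "__main__":
    s = summarise(SAMPLE_RUA_XML)
    print(s["domain"], s["policy"], f"{s['pass_rate']:.1%} aligned of {s['total']}")
    for ip, n in s["failing_sources"].items():
        print(f"  failing source {ip}: {n} messages")
    print(recommend(s))
```

Run it over each report you receive (or feed a week's worth through summarise and merge the totals). In the sample, 77% of mail is aligned and one IP accounts for every failure, so the right move is to find out whether 192.0.2.200 is a spoofer or a forgotten legitimate sender before touching the policy.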

4) Network & Remote Access: Assume the Internet Is Hostile

Why: Flat networks and old VPNs make lateral movement easy.

Do this:

  • Segment: separate guest, staff, servers, and IoT on VLANs; block east-west by default.
  • Modern remote access: ZTNA or at minimum VPN + MFA; disable split-tunnelling for sensitive roles so their traffic stays inspected and logged.
  • Firewall hygiene: change defaults, remove unused port forwards, back up configs, log to a central store.
  • DNS security: use protective DNS (e.g., Quad9, Cloudflare Gateway, or provider feature).

Measure: Count of open inbound services; quarterly firewall rule review; VLAN coverage (% devices in correct segments).
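The quarterly firewall rule review and the "count of open inbound services" metric are easy to automate once the rule set is exported. The script below is an added example, not code from the original guide: it takes rules in a generic shape (map the fields from whatever your firewall exports, most can dump rules as CSV or JSON with a hit counter) and flags allow-any rules, RDP/SSH/SMB reachable from the whole internet, and port forwards nothing has matched in 90 days. The sample rules, addresses and the 90-day stale threshold are constructed assumptions.

```python
"""Review an exported firewall rule set for the hygiene problems this section
calls out: allow-any rules, RDP/SSH reachable from the internet, and unused
port forwards.

Added example, not from the original guide. Rules are a constructed sample in a
generic shape; map the fields from whatever your firewall exports.
"""
import ipaddress

# Services that should never be reachable from the internet; use VPN/ZTNA instead.
RISKY_PORTS = {22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP", 5900: "VNC"}

# Constructed sample rule set (hypothetical internal addresses).
SAMPLE_RULES = [
    {"name": "allow-https-to-web", "action": "allow", "direction": "inbound",
     "src": "0.0.0.0/0", "dst": "10.0.20.5", "ports": [443], "last_hit_days": 0},
    {"name": "temp-rdp-for-vendor", "action": "allow", "direction": "inbound",
     "src": "any", "dst": "10.0.20.9", "ports": [3389], "last_hit_days": 3},
    {"name": "legacy-ftp-forward", "action": "allow", "direction": "inbound",
     "src": "0.0.0.0/0", "dst": "10.0.20.12", "ports": [21], "last_hit_days": 240},
    {"name": "mgmt-ssh-from-office", "action": "allow", "direction": "inbound",
     "src": "198.51.100.0/24", "dst": "10.0.1.1", "ports": [22], "last_hit_days": 1},
    {"name": "permit-all", "action": "allow", "direction": "inbound",
     "src": "any", "dst": "any", "ports": "any", "last_hit_days": 0},
    {"name": "default-deny", "action": "deny", "direction": "inbound",
     "src": "any", "dst": "any", "ports": "any", "last_hit_days": 0},
]


def is_internet_source(src):
    """True for 'any' or a zero-length prefix (0.0.0.0/0, ::/0)."""
    if src.strip().lower() == "any":
        return True
    try:
        return ipaddress.ip_network(src, strict=False).prefixlen == 0
    except ValueError:
        return False


def inbound_allows(rules):
    return [r for r in rules if r["action"] == "allow" and r["direction"] == "inbound"]


def exposed_services(rules):
    """Names of inbound allow rules reachable from the whole internet: this is
    the 'count of open inbound services' metric."""
    return [r["name"] for r in inbound_allows(rules) if is_internet_source(r["src"])]


def audit(rules, stale_days=90):
    """Return (rule name, severity, finding) tuples for the quarterly review."""
    findings = []
    for r in inbound_allows(rules):
        open_src = is_internet_source(r["src"])
        if open_src and r["ports"] == "any" and r["dst"] == "any":
            findings.append((r["name"], "critical",
                             "allow-any inbound rule; replace with explicit per-service allows"))
            continue
        if open_src and r["ports"] != "any":
            for port in r["ports"]:
                if port in RISKY_PORTS:
                    findings.append((r["name"], "critical",
                                     f"{RISKY_PORTS[port]} ({port}) exposed to the internet; "
                                     "move behind VPN/ZTNA or restrict the source"))
        if r["last_hit_days"] > stale_days:
            findings.append((r["name"], "medium",
                             f"no traffic matched in {r['last_hit_days']} days; remove unused port forward"))
    return findings


if __name__ == "__main__":
    print("internet-exposed services:", exposed_services(SAMPLE_RULES))
    for name, severity, message in audit(SAMPLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

The SSH rule restricted to the office range is deliberately not flagged: the problem is exposure to any source, not the protocol itself. Treat the "medium" stale findings as removals unless someone can name the system that still needs the rule.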

5) Data Protection: Backups, Labels, and Less Data

Why: Ransomware and accidental leaks are business killers.

Do this:

  • Backups: 3-2-1 rule (3 copies, 2 media, 1 off-site), with at least one copy immutable so ransomware that reaches an admin account cannot delete or encrypt it. Give the backup system its own credentials with MFA, not the accounts that run production. Back up endpoints and SaaS (M365/Google).
  • Test restores quarterly, including a full restore of one system rather than a single file; document results (screenshots/logs).
  • Classify & label data (Public / Internal / Confidential); enforce default labels.
  • DLP basics: detect/block obvious leaks (payment card numbers, National Insurance (NI) numbers) in email and cloud drives.
  • Minimise retention: keep data only as long as needed (UK GDPR); auto-expire old shares.

Measure: Backup success %, last test date, DLP events handled, % content labeled.

6) Cloud & SaaS Security: Close the Shadow IT Gaps

Why: Most company data now lives in cloud apps you didn’t build.

Do this:

  • SSO + MFA for all business apps; disable password logins where possible.
  • App inventory: who uses what; remove stale accounts monthly.
  • Sharing controls: default to internal; external links auto-expire; domain allow-lists for sharing.
  • Logs on + retained (≥ 180 days ideal); send critical logs to a central system/SIEM.

Measure: % apps behind SSO; # stale accounts removed; external share expiry coverage.

7) People & Process: Make Security Normal, Not Painful

Why: Culture beats any tool stack.

Do this:

  • Short policies people will actually read: Acceptable Use, Password/MFA, Device, Data Handling, Incident Response (1–2 pages each).
  • Security champions in each team; 15-minute monthly share of incidents and tips.
  • Tabletop exercises twice a year (simulate mailbox takeover and ransomware).
  • Vendor & supply-chain checks: ask for Cyber Essentials (or Plus), SOC 2/ISO 27001 where relevant.

Measure: Training completion, tabletop actions closed, vendor attestations collected.

8) Incident Response: Speed > Perfection

Why: Minutes matter; fumbling costs real money.

One-page IR plan (printable):

  • Declare: Anyone can escalate; Security Lead decides severity (P1–P3).
  • Contain: Reset passwords and revoke sessions/refresh tokens (a reset alone does not end sessions that are already signed in), isolate endpoints, remove malicious inbox/forwarding rules, block indicators.
  • Preserve: Don’t wipe; snapshot VMs; export logs; note timeline.
  • Eradicate: Remove malware, backdoors, malicious OAuth apps; patch holes.
  • Recover: Restore from backups; phased reconnect; monitor closely for 72 hours.
  • Notify: Data subjects, ICO, clients, insurers, legal—based on impact.
  • Review: 14-day post-incident report; fix root causes.

Contacts list: MSP, incident hotline, insurer, legal, PR, key SaaS vendors (with contract/ID numbers).
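During a mailbox takeover the "remove malicious inbox/forwarding rules" step is where attackers hide: they forward mail to an outside address, or delete/file anything mentioning invoices, passwords or security alerts so the owner never sees the replies. The script below is an added example for this guide, not code from the original page. It triages an export of inbox rules for exactly that tradecraft. The rules are a constructed sample in a simplified shape; in Exchange Online the same fields come from Get-InboxRule (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), and the accepted domain example.co.uk and the keyword lists are assumptions to adjust.

```python
"""Triage exported mailbox inbox rules for business-email-compromise tradecraft:
forwarding to outside addresses, and rules that hide invoice/password/security
mail by deleting it or filing it in a folder nobody reads.

Added example, not from the original guide. The rules are a constructed sample in
a simplified shape; in Exchange Online the same fields come from Get-InboxRule.
"""

ORG_DOMAINS = {"example.co.uk"}            # assumed: your accepted domains
SUSPICIOUS_TERMS = {"invoice", "payment", "bank", "wire", "remittance",
                    "password", "mfa", "security", "suspicious"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

# Constructed sample export (hypothetical mailboxes and addresses).
SAMPLE_RULES = [
    {"mailbox": "finance@example.co.uk", "name": "..", "enabled": True,
     "forward_to": ["accounts@mail-example.com"], "redirect_to": [],
     "delete": False, "move_to": None, "subject_contains": []},
    {"mailbox": "finance@example.co.uk", "name": "cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": True, "move_to": None,
     "subject_contains": ["invoice", "payment"]},
    {"mailbox": "jo@example.co.uk", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "Newsletters", "subject_contains": ["digest"]},
    {"mailbox": "jo@example.co.uk", "name": "to-assistant", "enabled": True,
     "forward_to": ["pa@example.co.uk"], "redirect_to": [], "delete": False,
     "move_to": None, "subject_contains": []},
    {"mailbox": "sam@example.co.uk", "name": "hide-security", "enabled": False,
     "forward_to": [], "redirect_to": [], "delete": False,
     "move_to": "RSS Feeds", "subject_contains": ["password", "security alert"]},
]


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def triage(rule):
    """Return the list of reasons a rule is suspicious (empty = looks benign)."""
    reasons = []
    external = [t for t in rule["forward_to"] + rule["redirect_to"] if is_external(t)]
    if external:
        reasons.append("sends mail outside the organisation: " + ", ".join(external))
    sensitive = sorted(k for k in rule["subject_contains"]
                       if any(term in k.lower() for term in SUSPICIOUS_TERMS))
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
    if hides and sensitive:
        where = "deletes" if rule["delete"] else f"files in '{rule['move_to']}'"
        reasons.append(f"{where} messages matching {sensitive}")
    if rule["name"].strip(".-_ ") == "":
        reasons.append("name is blank or punctuation only (common attacker naming)")
    return reasons


def triage_all(rules):
    """Flag every rule with at least one reason. Disabled rules are reported too:
    attackers sometimes leave a rule disabled to re-enable after the password reset."""
    return [{"mailbox": r["mailbox"], "name": r["name"], "enabled": r["enabled"],
             "reasons": triage(r)} for r in rules if triage(r)]


if __name__ == "__main__":
    for flagged in triage_all(SAMPLE_RULES):
        state = "" if flagged["enabled"] else " (disabled)"
        print(f"{flagged['mailbox']} rule '{flagged['name']}'{state}:")
        for reason in flagged["reasons"]:
            print("   -", reason)
```

Run it across every mailbox, not only the one that reported the phish: a compromised finance mailbox is often the second hop from an earlier, quieter takeover. Export the flagged rules before deleting them (the Preserve step) so the timeline records what the attacker was filtering for.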

9) Compliance for UK Orgs: Practical, Not Painful

  • Cyber Essentials: UK baseline across firewalls, config, access control/MFA, patching, malware. Aim for Plus if you handle sensitive data or larger clients.
  • UK GDPR basics: lawful basis, data mapping, retention, subject access processes, breach reporting within 72 hours where required.
  • Sector regs: FCA, NHS DSPT, PCI DSS—map your controls and gaps.

10) Metrics Dashboard (what leadership should see monthly)

  • Identity: MFA coverage, standing admin accounts, account offboarding time.
  • Endpoints: Patch compliance, EDR coverage, encryption status.
  • Email: Phish click-rate, domain auth status (SPF/DKIM/DMARC), blocked spoof attempts.
  • Data: Backup success %, last restore test date, DLP events.
  • Incidents: Mean time to detect/respond, top causes, actions closed.
  • Projects: Roadmap items delivered (e.g., “Intune baseline complete”, “DLP Phase 1 live”).

Keep this to one page with trends (green/up good, red/down bad). Actions for next month at the bottom.
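The identity row of this dashboard (MFA coverage, standing admins, offboarding time) and the stale-account count from the cloud/SaaS section all come out of one user export. The script below is an added example for this guide, not code from the original page: it computes those numbers from a constructed sample export with a fixed report date so the result is reproducible. In Entra ID the equivalent fields come from the users, directory-role and authentication-methods reports (portal export or Microsoft Graph); the role list, the 90-day stale window and the 1-hour offboarding SLA are assumptions taken from the targets in this guide.

```python
"""Compute the identity numbers the monthly dashboard asks for (MFA coverage,
standing admins, offboarding time) plus the stale-account count from the SaaS
section, from a user export.

Added example, not from the original guide. The user list is a constructed
sample; the report date is fixed so the sample output is reproducible.
"""
from datetime import datetime, timedelta

# Roles treated as 'admin' for the standing-admin count (assumed list).
ADMIN_ROLES = {"Global Administrator", "Exchange Administrator",
               "Security Administrator", "User Administrator"}

# Constructed sample export; timestamps are ISO 8601, None = never signed in.
SAMPLE_USERS = [
    {"upn": "alice@example.co.uk", "enabled": True, "mfa": True,
     "roles": ["Global Administrator"], "last_sign_in": "2025-03-10T08:12:00"},
    {"upn": "bob@example.co.uk", "enabled": True, "mfa": True,
     "roles": [], "last_sign_in": "2025-03-11T17:40:00"},
    {"upn": "carol@example.co.uk", "enabled": True, "mfa": False,
     "roles": ["Exchange Administrator"], "last_sign_in": "2025-03-09T09:00:00"},
    {"upn": "svc-backup@example.co.uk", "enabled": True, "mfa": False,
     "roles": [], "last_sign_in": "2024-11-02T02:00:00"},
    {"upn": "dave@example.co.uk", "enabled": True, "mfa": True,
     "roles": [], "last_sign_in": None},
    {"upn": "eve@example.co.uk", "enabled": False, "mfa": True, "roles": [],
     "last_sign_in": "2025-02-01T10:00:00",
     "leaver_notified": "2025-02-28T09:00:00", "disabled_at": "2025-02-28T09:35:00"},
    {"upn": "frank@example.co.uk", "enabled": False, "mfa": False, "roles": [],
     "last_sign_in": "2025-01-15T10:00:00",
     "leaver_notified": "2025-03-03T16:00:00", "disabled_at": "2025-03-05T10:00:00"},
]
AS_OF = datetime(2025, 3, 12, 9, 0)   # report date, fixed for the sample


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def metrics(users, as_of, stale_days=90, offboard_sla_hours=1):
    active = [u for u in users if u["enabled"]]
    cutoff = as_of - timedelta(days=stale_days)
    admins = [u for u in active if ADMIN_ROLES & set(u["roles"])]
    # Never-signed-in accounts count as stale: they are unused but still attackable.
    stale = [u["upn"] for u in active
             if _ts(u["last_sign_in"]) is None or _ts(u["last_sign_in"]) < cutoff]
    # Offboarding: hours between HR notification and the account being disabled.
    offboard_hours = {}
    for u in users:
        if u.get("leaver_notified") and u.get("disabled_at"):
            delta = _ts(u["disabled_at"]) - _ts(u["leaver_notified"])
            offboard_hours[u["upn"]] = delta.total_seconds() / 3600
    return {
        "active_users": len(active),
        "mfa_coverage": sum(u["mfa"] for u in active) / len(active) if active else 0.0,
        "standing_admins": len(admins),
        "admins_without_mfa": [u["upn"] for u in admins if not u["mfa"]],
        "stale_accounts": stale,
        "offboard_sla_breaches": [upn for upn, h in offboard_hours.items()
                                  if h > offboard_sla_hours],
        "worst_offboard_hours": max(offboard_hours.values(), default=0.0),
    }


if __name__ == "__main__":
    for key, value in metrics(SAMPLE_USERS, AS_OF).items():
        print(f"{key:>22}: {value}")
```

The two lists matter more than the percentages: an admin without MFA and a leaver who stayed enabled for 42 hours are the items that go in the "actions for next month" line, while the percentages only tell leadership whether the trend is moving.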

11) 30/60/90-Day Rollout Plan (realistic for SMEs)

Days 0–30: Foundations

  • Enforce MFA for email/SSO; block legacy auth.
  • Deploy password manager; turn off browser-saved passwords.
  • Roll out EDR, disk encryption, auto-updates; set reboot deadline.
  • Configure SPF/DKIM/DMARC (p=none).
  • Enable Safe Links/Attachments; add External mail banner.
  • Set up backups incl. M365/Google; run test restore.
  • Publish 1-page Acceptable Use and Incident Response.

Days 31–60: Hardening

  • Onboard devices to Intune/Jamf; remove local admin; apply baseline policies.
  • Network segmentation (guest/staff/server VLANs); review firewall rules.
  • Turn on basic DLP and external-sharing expiry.
  • First phishing simulation + micro-training; brief results to staff.
  • Start central log collection for email, identity, endpoints.

Days 61–90: Resilience

  • Tabletop exercise (ransomware scenario); close findings.
  • Tighten DMARC to p=quarantine once the aggregate reports show your legitimate senders are aligned.
  • Review vendor risks; collect Cyber Essentials status.
  • Launch monthly security dashboard to leadership.
  • Draft 12-month security roadmap (budget, milestones).

12) Practical SOPs (copy/paste templates)

Report a suspicious email

  1. Don’t click links/attachments.
  2. Use the Report Phish button or forward it to the phishing-report mailbox IT has published.
  3. If you clicked a link or entered a password, call IT immediately, change your password, and note what you did; do not wait to see whether anything happens.

Joiner

  1. Manager raises access request (role-based).
  2. IT issues standard device (encrypted, EDR, no local admin).
  3. MFA enrolment + password manager invite.
  4. New-starter 15-minute security briefing.

Leaver

  1. Disable accounts & tokens within 1 hour.
  2. Transfer mail/drive ownership; wipe device; recover assets.
  3. Revoke external shares; remove from groups; update license count.

13) Red Flags to Fix Immediately

  • No MFA on email/SSO/admin accounts.
  • Unencrypted laptops or local admin rights everywhere.
  • No SaaS backups; “we rely on Microsoft/Google only.”
  • Single shared admin accounts; passwords in spreadsheets.
  • Flat network; RDP/SSH exposed to the internet.
  • Out-of-date firewall/UTM with “allow any” rules.

14) Tools You Can Actually Run (budget tiers)

Essentials (low cost)

  • SSO/MFA: Microsoft Entra ID (included in M365) or Google Workspace.
  • Password Manager: Bitwarden/1Password (team plan).
  • EDR: Microsoft Defender for Business.
  • Device Mgmt: Intune (Business Premium) / Jamf for Mac.
  • Email Security: Built-in + Defender for Office 365 P1/P2 (or equivalent).
  • Backup: Endpoint + M365/Google SaaS backup with immutability.
  • Training/Phish: Built-in or light platform (Hoxhunt/KnowBe4 starter).

Next steps (mid)

  • ZTNA (Cloudflare/Zscaler/Tailscale) for safer remote access.
  • Central logs/SIEM (Defender XDR, Sumo Logic, Splunk Light).
  • CASB/SSPM for SaaS posture if app sprawl grows.

15) FAQs (for staff comms)

“MFA slows me down.”
It adds a few seconds per sign-in, but blocks the most common way accounts get taken over. We'll remember trusted devices to reduce prompts.

“Why no local admin?”
Admin rights let malware turn off protections, install persistence and spread to other machines; as a standard user it can do far less. We'll approve temporary elevation when you need to install something.

“Are my files backed up if they’re in OneDrive/Google Drive?”
Not reliably against deletion/ransomware. That’s why we run separate SaaS backups and test restores quarterly.

“We use Macs; are we safe?”
Phishing and credential stuffing hit every platform. Same protections apply.

16) UK Note: Cyber Essentials (Plus)

  • Cyber Essentials: self-assessment baseline across five areas (firewalls, secure config, access control/MFA, patching, malware protection).
  • Plus adds independent technical verification (external and internal vulnerability scans plus tests on sample devices) rather than self-assessment alone.
  • Benefits: insurer discounts, bid eligibility, better client trust.
  • Map your controls above to the standard; you’ll cover most of it already.

Summary (What “Good” Looks Like)

  • Identities: SSO + MFA, no standing admin, rapid offboarding.
  • Endpoints: Patched, encrypted, EDR-protected, non-admin.
  • Email: Anti-phish on, SPF/DKIM/DMARC aligned, training monthly.
  • Network: Segmented, minimal exposure, logged.
  • Data: Labeled, least shared, backed up with tested restores.
  • Process: Short policies, tabletop twice a year, leadership sees a monthly dashboard.