1. Identity and access controls
- Enable multi-factor authentication on every account that supports it, starting with email and admin panels.
- Review who has access to what quarterly: remove leavers promptly and reduce admin privileges to the minimum needed.
- Use a password manager across the team so credentials are strong, unique, and recoverable if someone leaves.
2. Devices and backups
- Enable full-disk encryption and automatic OS updates on every company device.
- Test backup restores quarterly: a backup you have never tested is a backup you cannot trust.
- Use endpoint protection that is centrally managed so you can see device status across the team.
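One way to make the quarterly restore test repeatable, as an added example that is not part of this checklist: a small POSIX shell script that archives a directory together with a SHA-256 manifest, restores the archive into a scratch directory and verifies every file against the manifest, so a silently incomplete backup fails the test. The manifest format, the tool names (tar, sha256sum, mktemp) and the sample files are assumptions.

```shell
#!/bin/sh
# Added example, not part of the checklist above. Assumes POSIX sh plus
# tar, sha256sum (GNU coreutils) and mktemp. The backup format is an
# assumption: a tarball carrying a MANIFEST.sha256 written at backup time.

# make_backup SRC_DIR OUT_TAR: record a checksum of every file, then archive.
make_backup() {
  src="$1"; out="$2"
  ( cd "$src" && find . -type f ! -name MANIFEST.sha256 \
      -exec sha256sum {} + > MANIFEST.sha256 )
  tar -C "$src" -cf "$out" .
}

# restore_test BACKUP_TAR: restore into a scratch directory and check every
# file against the manifest. Returns 0 only when the restore is complete
# and every checksum matches; the scratch directory is always removed.
restore_test() {
  tar_file="$1"
  scratch=$(mktemp -d) || return 2
  status=1
  if tar -C "$scratch" -xf "$tar_file" 2>/dev/null &&
     ( cd "$scratch" && sha256sum -c --quiet MANIFEST.sha256 >/dev/null 2>&1 )
  then
    status=0
  fi
  rm -rf "$scratch"
  return "$status"
}

# demo: constructed sample data; a good backup passes, and a backup that
# silently lost a file after the manifest was written is caught.
demo() {
  work=$(mktemp -d) || return 2
  mkdir -p "$work/src/docs"
  printf 'quarterly report\n' > "$work/src/docs/report.txt"
  printf 'customer list\n' > "$work/src/customers.csv"
  make_backup "$work/src" "$work/good.tar"
  rm "$work/src/customers.csv"                  # simulate a dropped file
  tar -C "$work/src" -cf "$work/partial.tar" .  # manifest still lists it
  if restore_test "$work/good.tar"; then good=0; else good=1; fi
  if restore_test "$work/partial.tar"; then bad=0; else bad=1; fi
  rm -rf "$work"
  echo "good=$good partial=$bad"   # prints good=0 partial=1
}

demo
```

Point restore_test at a real backup archive from the last job and run it from cron or CI; a non-zero exit is the signal that the backup cannot be trusted.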
3. Incident readiness
- Write a one-page incident response checklist: who to call, what to isolate, and how to communicate.
- Run a tabletop exercise once a year: walk through a realistic scenario and identify gaps before they matter.
- Know your reporting obligations: data breaches have legal notification timelines you must meet.