1. Identity and access
- Enable multi-factor authentication on every account, starting with email, admin, and financial systems.
- Deploy a team password manager and retire shared credentials and password spreadsheets.
- Review access quarterly: remove leavers, reduce admin privileges, and check third-party app permissions.
2. Devices and data
- Enable full-disk encryption and automatic OS updates on all company devices.
- Use centrally managed endpoint protection so you can see device health across the organisation.
- Test backup restores quarterly: a backup you have never restored is a backup you cannot trust.
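One way to turn the quarterly restore test into a repeatable check, as an added example that is not part of the checklist: restore the backup into an empty scratch directory and compare SHA-256 checksums of every file against the live source, so the test fails if the archive is corrupt, partial or stale. It assumes POSIX sh with tar, sha256sum and mktemp (a GNU/Linux box); the sample files and paths are constructed here.

```shell
#!/bin/sh
# Added example (not from the checklist): prove a backup restores correctly by
# restoring it into an empty scratch directory and comparing SHA-256 checksums
# of every file with the live source. Assumes POSIX sh plus tar, sha256sum and
# mktemp (GNU/Linux); all paths and sample files below are constructed.
set -eu

# Print "hash  ./path" for every regular file under $1, sorted so two
# listings of the same tree compare line for line.
tree_checksums() {
    (cd "$1" && find . -type f | sort | while read -r f; do sha256sum "$f"; done)
}

# make_backup SOURCE_DIR ARCHIVE: take a tar backup of SOURCE_DIR.
make_backup() {
    tar -C "$1" -cf "$2" .
}

# verify_restore SOURCE_DIR ARCHIVE: restore ARCHIVE into a fresh temp dir and
# return 0 only if every file comes back with the same checksum as SOURCE_DIR.
# A non-zero exit means the backup cannot be trusted (corrupt, stale or partial).
verify_restore() {
    src="$1"; archive="$2"
    restore_dir=$(mktemp -d)
    tar -C "$restore_dir" -xf "$archive"
    expected=$(tree_checksums "$src")
    actual=$(tree_checksums "$restore_dir")
    rm -rf "$restore_dir"
    if [ "$expected" = "$actual" ]; then
        echo "restore OK: $(printf '%s\n' "$expected" | wc -l) files verified"
        return 0
    fi
    echo "restore FAILED: restored files differ from source" >&2
    return 1
}

# Self-contained demo on constructed data: a good restore, then a stale backup
# (source changed after the backup was taken) that the check must reject.
demo() {
    src=$(mktemp -d); archive=$(mktemp)
    printf 'ledger 2024\n' > "$src/accounts.csv"
    mkdir "$src/contracts"; printf 'signed\n' > "$src/contracts/lease.txt"
    make_backup "$src" "$archive"
    verify_restore "$src" "$archive"                 # expected: restore OK
    printf 'new row\n' >> "$src/accounts.csv"        # source drifts after backup
    if verify_restore "$src" "$archive" 2>/dev/null; then
        echo "BUG: stale backup passed" >&2; return 1
    fi
    echo "stale backup correctly rejected"
    rm -rf "$src" "$archive"
}
demo
```

Run it from cron or a quarterly calendar reminder against a real archive and a known-good copy of the data; the point of the second case is that the check compares content, not just whether the archive extracts, so a backup that silently stopped capturing new data is caught too.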
3. Incident readiness
- Write a one-page incident response checklist with contacts, isolation steps, and communication templates.
- Run a tabletop exercise annually: walk through a realistic scenario and identify gaps.
- Know your legal obligations: data breaches have notification timelines under UK GDPR.