Cyber security basics: the must-have foundation of a robust cyber framework

In the rush to adopt cutting-edge measures such as AI-driven threat detection or zero-trust architectures, many organisations overlook the foundational controls that form the backbone of effective cyber security.

In this article, our experts share the must-have cyber basics for any organisation as it grows and scales.


The non-negotiable basics

Patch management

Unpatched software is one of the leading causes of breaches. Regularly updating systems closes the vulnerabilities that attackers exploit. Cloud providers patch their own platforms, but under the shared-responsibility model the organisation remains responsible for the operating systems it runs on infrastructure services, for third-party applications and for legacy systems, and for confirming that its cloud and SaaS providers have patching processes that align with its risk-based cyber strategy. Automate updates where possible, track any exceptions (for example a legacy system that cannot be patched and needs compensating controls), and conduct quarterly audits so that nothing slips through.
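The quarterly audit above is easier to reason about as a concrete check. The script below is an added illustration, not code from the article or from any vendor product: it walks a host-and-package inventory, compares installed versions against the first fixed version in a set of advisories, and reports what still needs patching and who has to act on it. The inventory, the advisories and the package names are all constructed for the example; a real run would take the inventory from the asset register and the advisories from a vulnerability feed. Two details are the point: versions are compared numerically (as strings, "2.10.1" sorts before "2.9.0", which would mark a patched host as vulnerable), and a host that reports no version at all is listed as unknown rather than quietly skipped.

```python
"""Patch-status check over a host/package inventory.

Added illustration for the patch-management basics above; it is not code from
the article or from any vendor product. The inventory and advisory data are
constructed inline so it runs offline. In practice the inventory comes from
the asset register and the advisories from a vulnerability feed.
"""

# Constructed inventory: which host runs what, and who is responsible for
# patching it. "vendor" marks a hosted service where the provider patches the
# platform but we still have to confirm that they did.
INVENTORY = [
    {"host": "web-01", "managed_by": "internal",
     "packages": {"openssl": "3.0.13", "appserver": "2.10.1"}},
    {"host": "legacy-erp", "managed_by": "internal",
     "packages": {"openssl": "3.0.2", "java": "8.0.202"}},
    {"host": "crm-saas", "managed_by": "vendor",
     "packages": {"openssl": "3.0.9"}},
    {"host": "kiosk-07", "managed_by": "internal",
     "packages": {"openssl": "unknown"}},   # agent never reported a version
]

# Constructed advisories: first fixed version per package. Not real CVE data.
ADVISORIES = [
    {"package": "openssl", "fixed_in": "3.0.13", "severity": "high"},
    {"package": "appserver", "fixed_in": "2.9.0", "severity": "medium"},
    {"package": "java", "fixed_in": "8.0.400", "severity": "critical"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text):
    """'2.10.1' -> (2, 10, 1). Numeric comparison matters: as strings,
    '2.10.1' < '2.9.0', which would mark a patched host as vulnerable.
    Letter suffixes (e.g. OpenSSL 1.1.1w) are dropped; extend if you need them."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(installed, fixed):
    """True if installed >= fixed, padding short versions ('3.0' == '3.0.0')."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def find_unpatched(inventory, advisories):
    """Return one finding per (host, package) that is behind the fixed version
    or whose version is unknown. Unknown is reported, not skipped, so that
    nothing slips through the audit."""
    by_package = {a["package"]: a for a in advisories}
    findings = []
    for host in inventory:
        for package, installed in host["packages"].items():
            adv = by_package.get(package)
            if adv is None:
                continue                      # no advisory for this package
            if installed == "unknown":
                status = "unknown"
            elif version_at_least(installed, adv["fixed_in"]):
                continue                      # already at or past the fix
            else:
                status = "unpatched"
            findings.append({
                "host": host["host"],
                "package": package,
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "status": status,
                "action": "patch" if host["managed_by"] == "internal"
                          else "raise with vendor",
            })
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in find_unpatched(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['host']:12} {f['package']:10} "
              f"{f['installed']:>8} -> {f['fixed_in']:8} {f['status']:9} {f['action']}")
```

On the constructed data the report lists the legacy ERP's Java as critical, three hosts behind on OpenSSL (one of them a vendor-managed service, so the action is to chase the provider rather than patch it yourself) and the kiosk whose version is unknown; the web host, already at the fixed versions, does not appear.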

Access control

Limit user access to what is necessary for the role. A marketing intern does not need admin rights to financial databases, for example, and even the CEO does not need access to every system at all times; privileged access should sit on separate accounts from day-to-day work and be granted for the task in hand. Additionally, implement multi-factor authentication (MFA) on all accounts: this simple step can block over 99% of automated account-compromise attacks (the widely cited Microsoft figure). The caveat is that push-notification and SMS MFA can still be defeated by prompt-bombing and adversary-in-the-middle phishing, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for administrators and other high-value accounts.

Risk assessment

Start by identifying critical assets (customer data, intellectual property, etc.) and evaluate the threats to each. For example, a healthcare provider's biggest risk might be ransomware targeting patient records, whilst a retailer may prioritise securing payment systems. Use frameworks such as NIST SP 800-30 or ISO/IEC 27005 to guide the assessment, and revisit it when the business or the threat landscape changes. Our latest cyber report details how to approach risk-based cyber security strategies for your organisation.

Asset inventory

You can’t protect what you don’t know exists. Maintain a current inventory of all technology, physical and digital, including cloud accounts and SaaS subscriptions. Pay extra attention to operational technology and IoT devices; these are often overlooked parts of an organisation’s estate, are frequently left unpatched, and are increasingly used as entry points by attackers.

Basic monitoring

Start with free or low-cost tools such as Microsoft Defender or an open-source SIEM to track unusual and potentially malicious activity. Establish what normal looks like first, then proactively monitor for anomalies such as logins from unexpected locations or at unusual hours, spikes in outbound data transfers, and devices that are not in the asset inventory. Make sure the logs themselves are shipped somewhere an attacker on the endpoint cannot delete them; otherwise the monitoring fails at exactly the moment it is needed.
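The three anomalies named above (unexpected logins, transfer spikes, unrecognised devices) map directly onto detection rules, and the unrecognised-device rule is where the asset inventory from the previous section earns its keep. The script below is an added illustration, not code from the article or from any SIEM product: it reads newline-delimited JSON events, checks each one against a per-user baseline and the list of known devices, and returns alerts. The baselines, the device list and the events are constructed for the example; a real deployment would learn baselines from history and stream events from the identity provider, proxy and endpoint logs. One deliberate edge case is included: a line that cannot be parsed raises its own alert instead of being dropped, because a broken log pipeline looks the same as an attacker tampering with logs.

```python
"""Basic anomaly checks over a few constructed log lines.

Added illustration for the monitoring basics above (and the unrecognised-device
point from the asset-inventory section); it is not code from the article or
from any SIEM product. Baselines, the device list and the events are all
constructed inline so it runs offline. In practice the baselines would be
learned from history and the events streamed from the identity provider,
proxy and endpoint logs.
"""
import json
from datetime import datetime

# Constructed per-user baseline: usual sign-in countries and typical outbound
# volume per transfer event, in bytes.
USER_BASELINE = {
    "alice": {"countries": {"GB"}, "avg_bytes_out": 50_000_000},
    "bob": {"countries": {"GB", "IE"}, "avg_bytes_out": 20_000_000},
}
KNOWN_DEVICES = {"LT-0001", "LT-0002", "SRV-DB-01"}   # from the asset inventory
BUSINESS_HOURS = range(7, 20)                         # 07:00-19:59 local time
SPIKE_FACTOR = 5                                      # flag > 5x the baseline

# Constructed events, one JSON object per line, as a log shipper would deliver
# them. The last line is deliberately malformed.
EVENTS = """
{"ts": "2024-05-13T09:12:00", "type": "login", "user": "alice", "country": "GB", "device": "LT-0001"}
{"ts": "2024-05-13T03:40:00", "type": "login", "user": "alice", "country": "RU", "device": "LT-0001"}
{"ts": "2024-05-13T10:05:00", "type": "login", "user": "bob", "country": "IE", "device": "USB-9999"}
{"ts": "2024-05-13T11:00:00", "type": "transfer", "user": "bob", "bytes_out": 400000000}
{"ts": "2024-05-13T12:00:00", "type": "transfer", "user": "alice", "bytes_out": 60000000}
{"ts": "2024-05-13T13:00:00", "type": "login", "user": "mallory", "country": "GB", "device": "LT-0002"}
ts=2024-05-13T13:05:00 type=login user=bob   <- not JSON; a broken shipper must not go unnoticed
"""


def _alert(ts, user, rule, detail):
    return {"ts": ts.isoformat() if ts else None, "user": user,
            "rule": rule, "detail": detail}


def detect(log_text):
    """Run the checks over newline-delimited JSON events and return alerts."""
    alerts = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
            ts = datetime.fromisoformat(ev["ts"])
        except (ValueError, KeyError, TypeError):
            # A line we cannot read is itself a signal: log pipeline breakage
            # looks exactly like an attacker tampering with logs.
            alerts.append(_alert(None, None, "unparseable_log_line", raw[:60]))
            continue

        user = ev.get("user")
        base = USER_BASELINE.get(user)
        if base is None:
            alerts.append(_alert(ts, user, "unknown_user",
                                 "no baseline for this account; confirm it is legitimate"))

        if ev.get("type") == "login":
            if base and ev.get("country") not in base["countries"]:
                alerts.append(_alert(ts, user, "login_unexpected_country",
                                     f"{ev.get('country')} not in {sorted(base['countries'])}"))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(_alert(ts, user, "login_off_hours",
                                     f"sign-in at {ts.strftime('%H:%M')}"))
            if ev.get("device") not in KNOWN_DEVICES:
                alerts.append(_alert(ts, user, "unknown_device",
                                     f"{ev.get('device')} is not in the asset inventory"))
        elif ev.get("type") == "transfer":
            sent = ev.get("bytes_out", 0)
            if base and sent > SPIKE_FACTOR * base["avg_bytes_out"]:
                alerts.append(_alert(ts, user, "transfer_spike",
                                     f"{sent} bytes vs baseline {base['avg_bytes_out']}"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['ts'] or '-':20} {a['user'] or '-':8} {a['rule']:26} {a['detail']}")
```

On the constructed events this yields six alerts: alice's 03:40 sign-in from an unexpected country (two rules fire), bob's sign-in from a device the inventory has never seen, bob's transfer at twenty times his baseline, an account with no baseline at all, and the unparseable line. Alice's normal morning login and her modest transfer produce nothing, which is the other half of a usable rule: it has to stay quiet on routine activity.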

Roles & responsibilities

Avoid any confusion about who is responsible for what. Clearly define roles and responsibilities, ensuring that all individuals (including non-technical personnel) understand the security tasks assigned to them and are aware of their responsibility for the proper use of the organisation’s information and systems.

Employee training

Humans are both the weakest link and the first line of defence in any organisation. Regular phishing simulations and security workshops can help reduce risk significantly. Reward employees for reporting suspicious activity to foster vigilance, being careful to take a constructive and educational approach rather than a punitive one.

Incident response plans

Define clear steps for containing breaches: who to notify (including regulators where notification deadlines apply), how to isolate affected systems, how to preserve evidence, and when to involve legal teams. Test the plan at least quarterly with tabletop exercises, involving other parts of the organisation to bolster resilience and foster a culture of cyber security.


Common cyber missteps: putting the cart before the horse

Over-reliance on outsourcing

Third-party vendors manage patches, backups or monitoring for many SMBs. However, outsourcing doesn’t absolve responsibility. Zellis, a UK-based payroll and HR company, learned this the hard way in 2023 when a zero-day vulnerability in MOVEit Transfer, the managed file transfer tool it used, was exploited at scale by a ransomware group in a data-theft and extortion campaign; it was Zellis’s own customers, not just Zellis, whose employee data was exposed. Regularly audit the partners you rely on for cyber security and retain oversight of their standards and processes. Including a right to audit in contracts will help ensure their standards align with your organisation’s needs and goals.

Compliance ≠ security

Meeting compliance standards checks a box, but it doesn’t guarantee protection. Target Corporation famously suffered a massive data breach in 2013 despite having passed its PCI DSS assessment shortly before; the attackers got in using credentials stolen from an HVAC contractor and moved from there to the point-of-sale network. Use compliance as a starting point, not the finish line.

Skipping basics for “advanced” solutions

Zero-trust frameworks fail without MFA and an accurate asset inventory, and AI-powered threat detection falters if systems aren’t patched or the logs it depends on aren’t being collected. Invest in foundational controls, robust policies and education before layering on complex tools.

Cost-driven decisions

Choosing the cheapest firewall or skipping penetration tests to save money is a false economy. One widely cited industry survey put the average cost of a ransomware incident at $2.73 million in 2024, a figure that has risen sharply in recent years, and the ransom itself is only part of the bill once downtime, recovery and notification are counted. The ROI of cyber security can be hard to measure, but that’s no reason to cut corners in the name of efficiency.


Strength starts at the foundation

Cyber security isn’t about silver bullets; it’s about consistency. Prioritise visibility, accountability, and simplicity before employing overly sophisticated tools or emerging cyber trends. Only then can you build on that foundation and fill in the gaps as the organisation – and its threat landscape – grows.