10 steps to a more secure IT environment on a budget
Small companies are a primary target for ransomware and phishing — not because they're "interesting", but because they're an easier target. They have no IT department, they don't monitor security actively, and when an incident hits, the consequences are catastrophic.
The good news: a large share of incidents can be prevented with simple and, in most cases, free measures. Here are the 10 most important ones.
1. Strong passwords and a password manager
Passwords like "123456", "company2024" or birth dates are cracked in seconds. Enforce a policy of at least 12 characters including letters, numbers and special symbols. Use a password manager (Bitwarden is free and open source).
2. Two-factor authentication (2FA) everywhere
Even with a stolen password, 2FA blocks access. Enable it for email, Microsoft 365, VPN and every important account. It's the single measure that stops almost all automated attacks.
3. Regular updates — no exceptions
WannaCry, NotPetya and dozens of ransomware attacks exploited vulnerabilities that already had patches. Set up automatic updates for Windows, Office and browsers. For servers — schedule them monthly.
4. Backup with the 3-2-1 strategy
Three copies of your data, on two different media, one of them off-site (or in the cloud). A backup without a test isn't a backup. See also our article on the 5 reasons companies lose data.
5. The principle of least privilege
Every employee should have access only to what they need. Active Directory enables precise control.
A real scenario: ransomware that arrived through an email to an employee with full admin rights encrypts the entire network. With least privilege, only that employee's personal files would have been affected.
6. Protection against phishing emails
A large share of attacks start with a phishing email. Train staff to recognise suspicious messages. Configure SPF, DKIM and DMARC records on your domain — they significantly reduce phishing that abuses your company domain.
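As an added example, not part of the original article, the Python script below audits the three records for the weak settings that still let someone spoof your domain: an SPF record that ends in `~all`, `?all` or `+all` (or exceeds the 10-lookup limit), a DKIM key with an empty `p=` tag (revoked), and a DMARC policy of `p=none` or with no reporting address. The records are passed in as strings so the check runs offline; the sample records, the `example-mail.test` domain and the function names are constructed for this example. In practice you would fetch the TXT records with a DNS resolver first.

```python
"""Audit SPF, DKIM and DMARC TXT records for settings that weaken spoofing protection.
All records and domain names below are constructed samples, not real ones."""
from __future__ import annotations


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' style record (DKIM, DMARC) into a lower-cased tag dict."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(terms: list[str]) -> int:
    """Count mechanisms that cost a DNS query; RFC 7208 allows at most 10."""
    costly = {"include", "a", "mx", "exists", "redirect", "ptr"}
    count = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        name = name.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in costly:
            count += 1
    return count


def audit_spf(record: str | None) -> list[str]:
    """Findings for the SPF record; an empty list means nothing weak was found."""
    if record is None:
        return ["SPF: no record, any host may send mail as this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings: list[str] = []
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, unlisted senders are treated as neutral")
    elif all_term.lower() in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' is neutral and provides no protection")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' is a softfail, move to '-all' once DMARC is enforced")
    lookups = spf_lookup_count(terms)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


def audit_dkim(record: str | None) -> list[str]:
    """Findings for the DKIM key record published under the selector."""
    if record is None:
        return ["DKIM: no key record for the selector, receivers cannot verify signatures"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # 'v' is optional but must be DKIM1
        return ["DKIM: invalid version tag"]
    if not tags.get("p"):
        return ["DKIM: empty 'p' tag, the key is revoked and signatures will fail"]
    return []


def audit_dmarc(record: str | None) -> list[str]:
    """Findings for the DMARC policy record at _dmarc.<domain>."""
    if record is None:
        return ["DMARC: no record, receivers neither enforce nor report spoofing"]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address, you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def audit_domain(spf: str | None, dkim: str | None, dmarc: str | None) -> dict[str, list[str]]:
    """Run all three audits and return the findings keyed by record type."""
    return {"spf": audit_spf(spf), "dkim": audit_dkim(dkim), "dmarc": audit_dmarc(dmarc)}


# Constructed sample records: a typical weak setup next to the hardened version.
WEAK = {
    "spf": "v=spf1 include:_spf.example-mail.test ~all",
    "dkim": "v=DKIM1; k=rsa; p=",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example-mail.test -all",
    "dkim": "v=DKIM1; k=rsa; p=BASE64PUBLICKEYPLACEHOLDER",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-mail.test; pct=100",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_domain(**records))
```

A softfail SPF with `p=none` is the state most small companies sit in after "setting up" the records: it produces reports but blocks nothing. The audit is meant to be rerun after each change until all three lists come back empty.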
7. A segmented network
Split the network — guest WiFi separate from the work network, IoT devices (printers, cameras) isolated. If a virus hits the guest network, it shouldn't reach the servers.
8. Monitor who logs in to your systems
Logs from Active Directory, VPN and critical systems reveal suspicious activity — failed logins, logins at unusual hours, access to atypical resources.
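As an added example, not taken from the article, here is a small Python detector that runs the three checks listed above over login events: a burst of failed logins from one source, a successful login right after repeated failures from the same user and source, and a successful login outside working hours. The log format (`timestamp user=... src=... result=OK|FAIL`) and the sample lines are constructed for this example; real Active Directory or VPN logs would need their own parser, but the detection rules carry over unchanged.

```python
"""Flag suspicious logins in a constructed login log (not a real log format)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "ok": m["result"] == "OK",
    }


def detect(lines, fail_threshold=5, window=timedelta(minutes=10),
           work_hours=(7, 19), success_after_fails=3):
    """Return alert strings for brute-force bursts, success-after-failure and off-hours logins."""
    alerts = []
    recent_fails = defaultdict(deque)   # src -> timestamps of failures inside the window
    flagged_sources = set()             # alert once per source, not once per extra failure
    fails_since_ok = defaultdict(int)   # (user, src) -> failures since the last success
    start_hour, end_hour = work_hours

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, src = ev["ts"], ev["user"], ev["src"]

        if not ev["ok"]:
            q = recent_fails[src]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            fails_since_ok[(user, src)] += 1
            if len(q) >= fail_threshold and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(f"{ts.isoformat()} brute-force: {len(q)} failed logins "
                              f"from {src} within {window}")
            continue

        # Successful login: was it preceded by a run of failures?
        n = fails_since_ok[(user, src)]
        if n >= success_after_fails:
            alerts.append(f"{ts.isoformat()} success-after-failures: {user} from {src} "
                          f"logged in after {n} failed attempts")
        fails_since_ok[(user, src)] = 0

        # Weekend (weekday() 5/6) or outside the working-hours range.
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            alerts.append(f"{ts.isoformat()} off-hours login: {user} from {src}")
    return alerts


# Constructed sample log: 2024-03-04 is a Monday; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """
2024-03-04T02:13:07 user=j.smith src=203.0.113.7 result=FAIL
2024-03-04T02:13:09 user=j.smith src=203.0.113.7 result=FAIL
2024-03-04T02:13:12 user=j.smith src=203.0.113.7 result=FAIL
2024-03-04T02:13:15 user=j.smith src=203.0.113.7 result=FAIL
2024-03-04T02:13:19 user=j.smith src=203.0.113.7 result=FAIL
2024-03-04T02:13:24 user=j.smith src=203.0.113.7 result=OK
2024-03-04T09:02:41 user=a.petrova src=10.0.0.12 result=OK
2024-03-04T18:30:00 user=a.petrova src=10.0.0.12 result=OK
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds (five failures in ten minutes, 07:00 to 19:00 on weekdays) are starting points to tune to your own environment; the important property is that each rule fires once per incident rather than once per log line, so the alerts stay readable for a company with no dedicated analyst.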
9. A laptop and mobile device policy
Laptops live outside the office and are more vulnerable. Set up BitLocker encryption, a screen lock on idle and a ban on storing corporate data in personal cloud accounts.
10. Plan what you do DURING an incident
If you have no plan, the first hours after a breach are spent in panic. Define in advance: who's responsible for the response, who gets notified, how you isolate infected machines.
Conclusion
None of these 10 steps requires a big budget. They require a systematic approach and a little discipline. If you don't know where to start or don't have the resources to do it yourself, we can help. We run an IT security audit and offer concrete recommendations.