Why it matters
Breaches drain money, trust, and time. Strong basics turn scary “what ifs” into non-events: a phish gets ignored, a stolen password is useless, a lost laptop holds only encrypted gibberish.
The short, smart checklist
-
MFA everywhere: make stolen passwords worthless with an authenticator app or security key.
-
Strong, unique passwords: use a password manager; no reusing.
-
Patch fast: keep systems, browsers, VPNs, and apps updated—especially internet-facing ones.
-
Encrypt it: turn on disk encryption for laptops/phones; use HTTPS/TLS for data in transit.
-
Least privilege: give people only the access they truly need; review it regularly.
-
Backups that work: keep offline/immutable copies and practice a restore.
-
Phishing awareness: verify money or account changes out of band (call, not email).
-
Watch for leaks: enable sign-in alerts; monitor for unusual logins, forwarding rules, and large data transfers.
-
Vendor hygiene: choose partners with security basics (MFA, encryption, audits); limit what they can access.
If something looks wrong
-
Contain: change passwords, kill suspicious sessions, and isolate affected devices.
-
Preserve evidence: keep logs and emails; don’t wipe before you know what happened.
-
Notify the right people: IT/security, managers, and (if required) customers and regulators.
-
Fix and learn: patch the gap, rotate keys, and update your checklist/runbooks.