"Unhackable" is not a realistic state. The practical goal is resilience: reduce the number of easy entry points, limit what an attacker can reach if they get in, and make recovery predictable when something breaks.
For most small and mid-size organizations, the biggest wins come from a short list of controls applied consistently: identity hardening, device hygiene, email security, backups, and a rehearsed response plan.
Baseline actions to start this week
- Make identity the center. Enforce MFA for email and admin accounts and remove unused accounts.
- Inventory what you actually run. You cannot patch what you do not know you have.
- Patch and update on a schedule. OS and browser updates, endpoint agents, and business-critical apps.
- Back up and test restores. A backup you cannot restore is not a backup.
- Write down an incident plan. Who disables accounts, who talks to vendors, who talks to customers, who contacts legal.
Rule of thumb: if email and admin accounts are not strongly protected, every other control is easier to bypass, because an attacker who holds them can reset passwords, approve requests, and change settings from the inside.
A practical control map
NIST's Cybersecurity Framework is a good organizing model for making security repeatable across teams. For a smaller, more tactical list, the CIS Critical Security Controls are widely used as a baseline.
| Control | Owner | Minimum standard | Evidence to keep |
|---|---|---|---|
| MFA for email and admins | IT / Security | Phishing-resistant MFA (security key or passkey) for admins, authenticator app at minimum for everyone else; no shared admin accounts | MFA enforcement policy + list of admin accounts |
| Asset inventory | IT | List endpoints, servers, cloud tenants, SaaS apps, and who owns each | Inventory export updated monthly |
| Patching cadence | IT | Critical updates within days, routine updates on a fixed weekly schedule | Patch reports and exceptions |
| Backups and restore tests | IT / Ops | Multiple copies, at least one offline or immutable copy, quarterly restore tests | Restore test notes and timestamps |
| Least privilege | IT + Team leads | Users do not have admin rights by default; access reviewed quarterly | Access review records |
| Logging and alerting | IT / Security | Centralize auth logs and admin actions; alert on new admin creation | Log retention policy and alert list |
Identity and email: your control plane
Account takeovers are common because a single email login can reset many other passwords and approve sensitive actions. Make email and identity hard to steal and hard to persist in.
- Enforce MFA and keep recovery options clean. Remove old phone numbers and unknown recovery emails; whoever controls a recovery channel can reset the password and re-enroll MFA.
- Stop password reuse. Password managers reduce the need for memorization and reduce the blast radius of breaches. Review common password mistakes.
- Train for realistic phishing patterns. Pair controls with behavior: phishing training and how to identify scam emails.
- Review third-party access. Restrict OAuth app consent and review connected apps regularly.
Email and domain controls that prevent impersonation
Many attacks are not trying to "hack" your systems. They are trying to get paid by pretending to be you. Basic domain controls reduce successful impersonation.
- SPF, DKIM, and DMARC. Publish SPF and DKIM for every legitimate sending service, then add a DMARC record. Start with p=none to collect reports, fix the senders that fail, and move to quarantine or reject; until then, spoofed mail that fails checks is still delivered.
- Lookalike domains. Consider registering the most likely lookalikes and monitoring for new registrations.
- Inbound protections. Tag external email, warn on first-time senders, and block or alert on auto-forwarding to external addresses; forwarding rules are a common way attackers keep reading a mailbox after the password is changed.
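The SPF and DMARC points above are easy to check once you have the TXT records in hand. The linter below is an added example, not part of the original article; it parses the record strings and flags the weak settings most often seen in small tenants (`+all`, a missing `all`, `p=none`, no `rua=` report address). The sample records are constructed and the domains are not real. It counts DNS-lookup terms only at the top level, since following `include:` chains needs live DNS; fetch real records with `dig TXT example.com` and `dig TXT _dmarc.example.com` and pass the strings in.

```python
"""Lint SPF and DMARC TXT records for common weaknesses (added example)."""

# Constructed sample records, not real DNS data.
SAMPLE_SPF_WEAK = "v=spf1 include:_spf.example-mail.test ip4:203.0.113.0/24 +all"
SAMPLE_SPF_OK = "v=spf1 include:_spf.example-mail.test ip4:203.0.113.0/24 -all"
SAMPLE_DMARC_WEAK = "v=DMARC1; p=none; pct=100"
SAMPLE_DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"

# Mechanisms/modifiers that each consume one of the 10 DNS lookups RFC 7208 allows.
DNS_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(record):
    """Return a list of findings for an SPF record string; empty means no issue found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        # Strip the qualifier (+ - ~ ?) and any argument to get the mechanism name.
        name = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0]
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and slow to evaluate")
        if name == "all":
            all_qualifier = t[0] if t[0] in "+-~?" else "+"
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' lets any host send as the domain")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; prefer ~all while testing, -all when done")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms at top level; RFC 7208 limit is 10")
    return findings


def lint_dmarc(record):
    """Return a list of findings for a DMARC record string; empty means no issue found."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing required 'p' tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports show legitimate senders pass")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for label, rec, fn in [("SPF weak", SAMPLE_SPF_WEAK, lint_spf),
                           ("SPF ok", SAMPLE_SPF_OK, lint_spf),
                           ("DMARC weak", SAMPLE_DMARC_WEAK, lint_dmarc),
                           ("DMARC ok", SAMPLE_DMARC_OK, lint_dmarc)]:
        print(label, "->", fn(rec) or ["no findings"])
```

Run it against your own records after each change to a sending service; a record that passes this lint still needs the DMARC aggregate reports checked before tightening the policy.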
Endpoints: reduce silent theft
Many compromises start with a laptop that is unpatched, unmanaged, or running unapproved software. Minimum endpoint hygiene usually beats expensive tooling that no one maintains.
- Standardize devices. Fewer models and OS versions means fewer surprises and faster patching.
- Auto-update OS and browsers. Treat browser updates as a security control.
- Encrypt and lock. Full-disk encryption and screen locks reduce loss when devices walk away.
- Separate admin actions. Do not browse the web from admin accounts. Use least privilege by default.
- Control software installs. If anyone can install anything, attackers can usually install something too.
Networks: reduce accidental exposure
Basic network hygiene prevents "it was on the internet" incidents and reduces lateral movement.
- Close unnecessary inbound ports. Remote desktop and admin panels should not be exposed to the open internet.
- Use VPN or managed access for admin workflows. If remote access is required, control who can reach it and log it.
- Separate guest and employee networks. Do not put visitors on the same network as critical devices.
External exposure and vulnerability management
Most organizations discover external exposure only after an attacker does. You do not need a full vulnerability management program to improve outcomes, but you do need a repeatable way to notice when something becomes reachable from the internet.
- Know what is internet-facing. Your website, email, VPN, remote access, and any admin consoles should be on a short list with owners.
- Remove old services. Retired servers, forgotten DNS records, and old VPN accounts are common entry points.
- Patch what is exposed first. If you are behind on patching, prioritize systems reachable from outside.
- Test from the outside. Periodic external scans or an independent review can catch exposures your internal view misses.
Resilience improves when you can answer a basic question quickly: if an alert says "remote access is exposed", who owns it and how do you shut it down?
Configuration and change control
Many incidents are not caused by missing tools. They are caused by configuration drift: a security setting was changed for convenience and never changed back, or a new system was deployed with defaults.
Minimum change control does not need bureaucracy. It needs a few habits:
- Baseline templates. Standard device builds, standard identity settings, standard email settings.
- Approval for high-risk changes. MFA policy changes, new admins, new payment integrations, and new remote access paths.
- Document exceptions. If something cannot meet the baseline, write down why and set a review date.
- Audit your own changes. Review admin actions regularly, not only after an incident.
Cloud and SaaS: reduce permission sprawl
Many organizations have more SaaS than they think. The most common failure is permission sprawl: old contractors keep access, new apps get granted broad scopes, and no one can answer what data is exposed.
- Quarterly access reviews. Start with admin roles and finance integrations.
- Disable unused accounts. Dormant accounts are attacker magnets.
- Restrict third-party apps. Prefer allow-lists and require review for high-scope permissions.
- Keep an ownership map. Each SaaS app has an internal owner responsible for configuration and offboarding.
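The quarterly review above is mostly a filter over a user export. The script below is an added example, not part of the original article; it reads a constructed CSV export (the column names are assumptions, adapt them to your identity provider) and flags the four things a first pass should catch: accounts that never signed in, dormant accounts, admins without MFA, and contractors whose access outlived its end date.

```python
"""Quarterly access review checks over a constructed user export (added example)."""
import csv
import io
from datetime import date, timedelta

# Constructed export; columns are assumptions, not a specific vendor's schema.
SAMPLE_EXPORT = """\
user,type,roles,mfa_enrolled,last_signin,access_expires
ana,employee,Global Administrator,true,2024-05-03,
bob,employee,,true,2024-01-10,
carol,contractor,Billing Admin,false,2024-05-01,2024-03-31
dave,contractor,,true,,2024-12-31
erin,employee,User Administrator,false,2024-04-30,
"""

REVIEW_DATE = date(2024, 5, 6)          # day the review runs (assumed for the sample)
DORMANT_AFTER = timedelta(days=90)      # policy threshold; tune to your environment


def parse_date(text):
    """ISO date or None for an empty cell."""
    return date.fromisoformat(text) if text.strip() else None


def review(export_text, today=REVIEW_DATE):
    """Return (user, finding_kind, detail) tuples for accounts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["user"]
        roles = [r.strip() for r in row["roles"].split(";") if r.strip()]
        is_admin = any("admin" in r.lower() for r in roles)
        has_mfa = row["mfa_enrolled"].strip().lower() == "true"
        last = parse_date(row["last_signin"])
        expires = parse_date(row["access_expires"])

        if last is None:
            findings.append((user, "never_signed_in", "never used; disable or confirm need"))
        elif today - last > DORMANT_AFTER:
            findings.append((user, "dormant", f"no sign-in since {last}"))

        if is_admin and not has_mfa:
            findings.append((user, "admin_without_mfa", ";".join(roles)))

        if row["type"] == "contractor" and expires is not None and expires < today:
            # Still signing in after the end date is the sprawl the section describes.
            findings.append((user, "access_expired", f"access expired {expires}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review(SAMPLE_EXPORT):
        print(f"{user:6} {kind:18} {detail}")
```

Keep the output with the access review records listed in the control map; the finding list plus the decision taken for each line is the evidence an auditor or insurer will ask for.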
Data: keep less, protect what you keep
Many businesses treat all data the same until an incident forces a hard conversation. Resilience improves when you decide what is sensitive, where it lives, and who can access it.
- Reduce copies. If the same customer export exists in five places, you have five breach surfaces.
- Limit who can export. Data exports and bulk downloads should not be available to every user by default.
- Separate public from private. Do not store sensitive data in the same collaboration spaces used for daily work.
- Define retention. If you do not need it, do not keep it forever.
Privileged access: treat admin like a separate job
Admin accounts are high leverage. If an attacker takes one, they often do not need to "hack" anything else. A small set of habits reduces the impact.
- Fewer admins. Keep the admin list short, reviewed, and justified.
- Separate daily work from admin work. Use a dedicated admin account or role for privileged actions.
- Protect admins more. Strong MFA, stricter session controls, and better alerts for privileged users.
- Log and review. If you cannot review admin actions, you will discover them only after damage.
Backups and ransomware reality
Ransomware is not only encryption. It is often data theft plus extortion. Backups matter because they shorten downtime, but you still need containment and legal review when data leaves your environment. A practical starting point is CISA's StopRansomware resources.
Minimum backup standard:
- Multiple copies. Keep more than one copy in different places, with at least one offline or immutable copy if possible.
- Restore tests. Run restore tests on a schedule and record results.
- Protect backup credentials. Backup admin accounts need strong MFA and should not be used for daily work.
For a deeper internal guide, see how to protect your business from ransomware and the general recovery sequence in what to do if your business or employees are hacked.
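"A backup you cannot restore is not a backup" turns into a repeatable test once you record a hash manifest at backup time and compare the restored tree against it. The script below is an added example, not part of the original article or of any backup product; it builds a small constructed data set in a temporary directory so it runs offline, then shows a clean restore passing and a damaged restore (one file altered, one missing) failing. In practice, point `build_manifest` at the source at backup time and `verify_restore` at the restore target, and store the manifest somewhere the backup repository's credentials cannot modify.

```python
"""Restore test: verify a restored copy against a SHA-256 manifest (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest; three empty lists mean a faithful restore."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in manifest if p not in restored),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "extra": sorted(p for p in restored if p not in manifest),
    }


def run_demo():
    """Constructed scenario: back up, restore cleanly, then damage a second restore."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        src = os.path.join(work, "source")
        os.makedirs(os.path.join(src, "invoices"))
        with open(os.path.join(src, "customers.csv"), "w") as fh:
            fh.write("id,name\n1,Example Co\n")
        with open(os.path.join(src, "invoices", "2024-05.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed sample\n")
        manifest = build_manifest(src)  # taken at backup time, kept apart from the backup

        good = os.path.join(work, "restore-good")
        shutil.copytree(src, good)
        clean = verify_restore(manifest, good)

        bad = os.path.join(work, "restore-bad")
        shutil.copytree(src, bad)
        with open(os.path.join(bad, "customers.csv"), "a") as fh:
            fh.write("2,Tampered\n")  # silent corruption or a partial restore
        os.remove(os.path.join(bad, "invoices", "2024-05.pdf"))
        damaged = verify_restore(manifest, bad)
        return clean, damaged
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    clean, damaged = run_demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Record the manifest digest count, the restore duration, and the verify output in the restore test notes each quarter; the timestamps are the evidence the control map asks for.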
Logging and detection: you cannot respond to what you cannot see
Small organizations often skip logging because it feels like a "big company" capability. In practice, a small set of logs is enough to answer the first questions during an incident: who logged in, from where, and what changed.
| Minimum log source | Why it matters | Alert examples |
|---|---|---|
| Email and SSO sign-ins | Most recovery paths and lateral movement start here | New geo, new device, impossible travel, repeated MFA failures |
| Admin actions | Attackers change settings to persist | New admin, MFA policy change, forwarding rules created |
| Endpoint detections | Infostealers and remote tools show up on devices first | Suspicious binaries, credential dumping tools, new persistence |
| Backups and restore actions | Attackers target backups to block recovery | Backup deletion, retention changes, new backup admin accounts |
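The alert examples in the table are small enough to run as code over an exported log. The script below is an added example, not part of the original article; it runs four of them over constructed sign-in and admin-audit events (one JSON object per line, with field and action names that are assumptions to be mapped onto your SSO and mailbox audit exports): a successful sign-in from a country never seen before for that user, five MFA failures for one user inside ten minutes, a forwarding rule created, an admin role assigned, and an MFA policy change.

```python
"""First-hour detections over sign-in and admin-audit events (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not from a real tenant. Field names are assumptions.
SAMPLE_EVENTS = """\
{"ts": "2024-05-01T08:00:00Z", "type": "signin", "user": "ana", "country": "DE", "result": "success"}
{"ts": "2024-05-02T09:00:00Z", "type": "signin", "user": "ana", "country": "DE", "result": "success"}
{"ts": "2024-05-03T03:10:00Z", "type": "signin", "user": "ana", "country": "BR", "result": "success"}
{"ts": "2024-05-03T03:11:00Z", "type": "admin", "actor": "ana", "action": "forwarding_rule_created", "target": "ana", "detail": "forward to external mailbox"}
{"ts": "2024-05-03T04:00:00Z", "type": "signin", "user": "bob", "country": "DE", "result": "mfa_failed"}
{"ts": "2024-05-03T04:02:00Z", "type": "signin", "user": "bob", "country": "DE", "result": "mfa_failed"}
{"ts": "2024-05-03T04:04:00Z", "type": "signin", "user": "bob", "country": "DE", "result": "mfa_failed"}
{"ts": "2024-05-03T04:06:00Z", "type": "signin", "user": "bob", "country": "DE", "result": "mfa_failed"}
{"ts": "2024-05-03T04:08:00Z", "type": "signin", "user": "bob", "country": "DE", "result": "mfa_failed"}
{"ts": "2024-05-03T04:30:00Z", "type": "admin", "actor": "carol", "action": "role_assigned", "target": "bob", "detail": "Global Administrator"}
{"ts": "2024-05-03T04:31:00Z", "type": "admin", "actor": "carol", "action": "mfa_policy_changed", "target": "tenant", "detail": "MFA disabled for Finance group"}
"""

MFA_FAIL_THRESHOLD = 5                    # failures per user inside the window
MFA_FAIL_WINDOW = timedelta(minutes=10)
# Admin actions from the "Alert examples" column; names are assumed, map to your log.
HIGH_RISK_ADMIN_ACTIONS = {"forwarding_rule_created", "role_assigned", "mfa_policy_changed"}


def parse_events(text):
    """Parse JSON lines, convert timestamps, and sort so the baseline builds in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events):
    """Return alert dicts. The country baseline is built from earlier successes in the same data."""
    alerts = []
    seen_countries = defaultdict(set)       # user -> countries seen on successful sign-ins
    recent_failures = defaultdict(deque)    # user -> timestamps of recent MFA failures

    def alert(ev, kind, user, detail):
        alerts.append({"ts": ev["ts"].isoformat(), "kind": kind, "user": user, "detail": detail})

    for ev in events:
        if ev["type"] == "signin":
            user = ev["user"]
            if ev["result"] == "success":
                # First success for a user sets the baseline and does not alert.
                if seen_countries[user] and ev["country"] not in seen_countries[user]:
                    alert(ev, "new_country", user, f"first success from {ev['country']}")
                seen_countries[user].add(ev["country"])
            elif ev["result"] == "mfa_failed":
                window = recent_failures[user]
                window.append(ev["ts"])
                while window and ev["ts"] - window[0] > MFA_FAIL_WINDOW:
                    window.popleft()
                if len(window) == MFA_FAIL_THRESHOLD:   # fire once when the threshold is crossed
                    alert(ev, "mfa_failures", user, f"{len(window)} MFA failures in {MFA_FAIL_WINDOW}")
        elif ev["type"] == "admin" and ev["action"] in HIGH_RISK_ADMIN_ACTIONS:
            alert(ev, ev["action"], ev["actor"], f"target={ev['target']} {ev['detail']}")
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a["ts"], a["kind"], a["user"], a["detail"])
```

Two caveats a practitioner should keep in mind: the country baseline here comes from the same export, so a user whose first visible sign-in is already the attacker's will not trigger `new_country` (seed the baseline from a longer history), and repeated MFA failures followed by a success is the MFA-fatigue pattern, so the alert should be investigated even when the user eventually approved the prompt.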
Incident response: make it boring
Incidents are less damaging when everyone knows the first hour steps: disable access, preserve evidence, and communicate clearly. NIST's incident response guidance is a common reference point: NIST SP 800-61 Rev. 2 (PDF).
A simple plan should answer:
- Account actions: who can force sign-out, reset MFA, and disable accounts.
- Vendor contacts: who opens support tickets with email, payroll, and banking providers.
- Evidence: where to store screenshots, logs, and timestamps.
- Comms: who talks to employees, customers, and partners, and what is approved to share.
Also decide in advance how you will handle external stakeholders. Many organizations lose time during an incident because no one is sure whether they are allowed to contact a vendor, a bank, outside counsel, or an insurer.
- Keep key contacts accessible. Do not store the only copy in the system that might be down.
- Separate response comms. Have an out-of-band channel available if email is compromised.
- Preserve before you wipe. If you need logs or screenshots for support disputes, capture them early, then proceed with containment.
Do not: Depend on a single person to "remember what to do" during an incident. Write it down, keep it current, and run short drills.
Make the baseline usable
Controls fail when they are too hard to follow. If MFA creates constant lockouts, people will push for exceptions. If patching regularly breaks a critical app, updates will be delayed. If your "approved" sharing tool is slow, people will use personal accounts.
Resilience comes from a baseline that works in real workflows. Keep the baseline small, enforce it consistently, and fix friction that forces people into unsafe workarounds.
Vendors and supply chain: you inherit their mistakes
Small organizations often rely heavily on third parties: IT support, payroll, marketing agencies, and SaaS vendors. That can be a strength, but it also widens the trust boundary.
- Require MFA for vendor access. No exceptions for agencies or contractors.
- Use separate accounts for vendors. Do not share passwords or admin accounts.
- Offboard quickly. Contractor access should expire by default unless renewed.
- Know your dependencies. Keep a list of critical vendors and support escalation paths.
If you want a broader operational guide to business security basics, see how to protect your business from hackers.
Staying "unhackable" is really staying ready.
A security baseline that holds under stress matters more than a long list of tools, policies, and exceptions.
When you focus on identity, patching, backups, and practiced response, you are not betting on perfection. You are building predictable outcomes.
