Meet baseline cyber security


Who this is for

Founder-led lower-middle-market companies with 5 to 50 million in annual revenue that need sensible protection without heavy tools.

The quick answer

Use multi-factor authentication everywhere. Keep devices encrypted and patched. Control access with least privilege and remove stale accounts monthly. Back up critical data and test restores. Train staff on phishing with short refreshers. Keep a simple incident plan with names, steps, and vendor contacts.

The method in seven steps

  1. Secure identities
    Turn on multi-factor authentication for email, VPN, finance tools, and the ERP. Use single sign-on where possible.

  2. Harden devices
    Encrypt laptops and phones. Patch operating systems and browsers. Use endpoint protection that the team can manage.

  3. Control access
    Follow least privilege. Review access monthly. Remove stale accounts the same week people leave.

  4. Back up and test
    Back up critical systems and shared drives. Store one copy off-site. Test restores each quarter.

  5. Train on phishing
    Run short refreshers and light tests. Teach people to report suspicious emails quickly.

  6. Protect vendors and data flows
    Track which vendors hold your data. Use a simple checklist before you add a new vendor.

  7. Prepare a simple incident plan
    Write names and steps for first response. Add phone numbers for your IT partner, legal counsel, and insurance.

Example

A company turned on multi-factor authentication, cleaned stale accounts, and tested restores. A later phishing attempt failed and normal work resumed the same day.

Pitfalls and fixes

  • Half the team on multi-factor authentication and half not. Enforce coverage.

  • Backups that never get tested. Schedule a restore drill.

  • No list of vendors with access. Keep a simple register.

Checklist

  • Multi-factor authentication on key systems

  • Device encryption and patching

  • Access review and offboarding steps

  • Backups with quarterly restore tests

  • Phishing refreshers and reporting path

  • Incident plan with contacts

Want a one-page cyber plan you can run this quarter? Contact Founded Partners and we will set the controls and the drills with you.