1. Make Multi-Factor Authentication Non-Negotiable
Stolen passwords remain the number-one way attackers breach networks. MFA pairs a password with an additional factor (a mobile push, hardware key, or biometric) so that even a leaked credential cannot be replayed. Microsoft data shows MFA can block more than 99.9% of account compromise attempts.
Start with Microsoft 365 or Google Workspace, remote access (VPN, remote desktop), banking portals, and every administrative account. Enforce phishing-resistant methods such as FIDO hardware keys wherever possible, and use authenticator apps rather than SMS codes where hardware keys are not yet an option.

2. Deploy ArchiveX-Style Backups with Real Restore Drills
A backup is only useful if you can restore it. Follow the 3-2-1 rule: keep at least three copies of your data, on two different media types, with one copy held off-site, air-gapped, or immutable. Ransomware relies on destroying backups first; an isolated, tested copy is your get-out-of-jail card.
Schedule restore drills at least twice per year. Document the recovery time and recovery point you actually achieve (your measured RTO and RPO) so you can compare them with the tolerance the business has stated. Run those drills as table-top exercises involving IT, leadership, and communications.
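The 3-2-1 check and the drill measurements above, as an added Python example (not code from the article or any vendor): it audits a constructed backup inventory against the 3-2-1 rule and computes the RTO and RPO a drill achieved against stated tolerance, counting RPO only from copies that an attacker who wipes reachable backups first could not touch. Every system name, timestamp, and tolerance value is constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class BackupCopy:
    name: str
    media: str              # e.g. "disk", "tape", "object-storage"
    offsite: bool           # held at a different site
    isolated: bool          # air-gapped or immutable (object lock / WORM)
    last_success: datetime  # most recent verified backup completion


def check_321(copies):
    """Report which parts of the 3-2-1 rule this backup set satisfies."""
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite_or_isolated": any(c.offsite or c.isolated for c in copies),
    }


def assess_drill(copies, incident, restore_done, rto_tolerance_h, rpo_tolerance_h):
    """Achieved RTO/RPO for a restore drill, measured against stated tolerance.

    RPO is computed twice: from any copy, and from only the copies that would
    survive ransomware that destroys every reachable backup before encrypting.
    """
    def hours(start, end):
        return (end - start).total_seconds() / 3600

    usable = [c for c in copies if c.last_success <= incident]
    survivors = [c for c in usable if c.offsite or c.isolated]
    rpo_all = hours(max(c.last_success for c in usable), incident)
    rpo_iso = hours(max(c.last_success for c in survivors), incident) if survivors else float("inf")
    rto = hours(incident, restore_done)
    return {"rto_h": rto, "rto_met": rto <= rto_tolerance_h,
            "rpo_all_h": rpo_all, "rpo_isolated_h": rpo_iso,
            "rpo_met": rpo_iso <= rpo_tolerance_h}


# Constructed sample inventory and drill timestamps (not real systems).
COPIES = [
    BackupCopy("primary-disk", "disk", False, False, datetime(2024, 3, 10, 2, 0)),
    BackupCopy("weekly-tape", "tape", True, True, datetime(2024, 3, 4, 22, 0)),
    BackupCopy("cloud-object-lock", "object-storage", True, True, datetime(2024, 3, 9, 1, 0)),
]
INCIDENT = datetime(2024, 3, 10, 9, 0)        # constructed: data loss discovered
RESTORE_DONE = datetime(2024, 3, 10, 17, 30)  # constructed: service restored

if __name__ == "__main__":
    print(check_321(COPIES))
    print(assess_drill(COPIES, INCIDENT, RESTORE_DONE, rto_tolerance_h=8, rpo_tolerance_h=24))
```

Note that the on-site disk copy was only seven hours old, but the surviving copies put the real RPO at 32 hours, which is the number to compare with the business tolerance.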

3. Run Continuous Security Awareness and Phishing Training
Technology catches a lot, but not everything. Staff remain the human firewall and your first line of defence. Quarterly phishing simulations, micro-learnings, and a no-blame reporting culture dramatically reduce risky clicks and increase early reporting.
Keep the programme bilingual when needed, tailor scenarios to job roles, and loop lessons learned into policy refreshes. Reward good reporting behaviour rather than punishing mistakes.

Quick Wins Checklist
- Enable phishing-resistant MFA on email, VPN, finance, and admin accounts.
- Adopt immutable, air-gapped backups (ArchiveX) and rehearse restores twice a year.
- Launch a phishing awareness programme with monthly touch points.
- Document incident contacts, breach thresholds, and insurer expectations.
