1. Basics: What IT security actually is

IT security is not just antivirus and a firewall. In practice it is about three things:

Confidentiality: only the right people see data.

Integrity: data remains correct and trustworthy.

Availability: systems are up when needed.

Every technical and organisational measure should serve at least one of these goals. If it doesn’t, it may be unnecessary complexity.

---

2. Identities & passwords: users first, tech second

2.1 Strong authentication

Use multi-factor authentication (MFA) wherever possible (email, VPN, admin accounts, cloud services).

Block weak passwords (company name, year, names, birthdays).

Prefer long passphrases over extremely complex short passwords.

Example passphrase: `yellow_train_moves_slowly` – easy to remember, hard to crack.

2.2 Password managers

Use a trusted password manager (organisation-wide or personal).

Do not store passwords in Excel, on sticky notes or in plain-text browser notes.

Train users on how to choose a strong master password and spot phishing.

2.3 Separate admin accounts

Use dedicated admin accounts for administration, not everyday accounts.

Apply “run as” – elevate only for the time you need it.

Where possible: just-in-time admin instead of permanent admin rights.

---

3. Updates & patching: your most important routine

Most successful attacks use known vulnerabilities for which patches exist.

3.1 Operating systems and software

Have a clear patch strategy for Windows, Linux, macOS, browsers, Office, Java, PDF readers, etc.

Enable automatic updates where it’s sensible.

Patch critical systems in waves: test group → pilot group → broad rollout.

3.2 Firmware and network gear

Regularly update routers, switches, firewalls and Wi‑Fi access points.

Keep BIOS/UEFI and firmware on servers and storage up to date.

3.3 Remove legacy

Retire end-of-life systems (e.g. old Windows Server versions, outdated Linux distros).

If you truly cannot replace them: segment, isolate, and minimise access.

---

4. Endpoint protection: where users actually work

4.1 Basic protection

Use modern endpoint security, not just classic signature-based AV.

Enable full disk encryption on laptops and mobile devices (BitLocker, FileVault, LUKS).

Set automatic screen lock after short idle times.

4.2 Hardening devices

Remove unnecessary software (toolbars, “tuning” tools, old Java).

Disable unused services (remote desktop if not needed; legacy protocols).

Use standard user accounts for daily work, not local admins.

4.3 Mobile devices

Use Mobile Device Management (MDM) for company phones and tablets.

Enable device and app encryption, remote wipe for lost devices.

---

5. Network security: reduce attack surface

5.1 Segmentation instead of flat networks

Logically separate networks: servers, clients, guests, OT/production, management.

Put critical systems in their own VLANs with strict firewall rules.

No “everything can talk to everything” design.

5.2 Firewalls & VPN

Never expose RDP or SSH directly to the internet.

Allow remote access only via VPN with MFA.

Review and clean up firewall rules regularly.

5.3 Wi‑Fi security

Use WPA2‑Enterprise or WPA3; avoid open Wi‑Fi for internal systems.

Strictly separate guest Wi‑Fi from the internal network.

Change default passwords on access points.

---

6. Data protection: what really matters

6.1 Classify data

Group data into categories: public, internal, confidential, highly confidential.

Define clear handling rules for each class (where stored, who may access, how shared).

6.2 Backup & restore

Follow the 3‑2‑1 rule: 3 copies, 2 different media, 1 copy offsite/offline.

Test backups regularly – not just configure them.

Define recovery time (RTO) and acceptable data loss (RPO).

6.3 Encryption & transport

Store sensitive data encrypted (databases, file shares with proper access control).

Use encrypted transport (HTTPS, SFTP, VPN) by default.

Don’t send sensitive content in plain text via email.

---

7. Cloud security: same principles, different UI

Most organisations use cloud services (M365, Google Workspace, AWS, Azure, SaaS). Responsibility is shared:

Provider: physical security, core platform

You: accounts, rights, configuration, data

7.1 Identities & access

Use Single Sign-On (SSO) and central identity (e.g. Azure AD / Entra ID).

Make MFA mandatory for all cloud apps.

Grant access on a need-to-know basis.

7.2 Configuration & logging

Use platform security baselines (Secure Score, best-practice templates).

Enable logging (audit logs, sign‑in logs, admin activities).

Regularly review shared links, public buckets and file shares.

7.3 Minimise shadow IT

Define which cloud apps are approved.

Communicate allowed tools clearly to staff.

Block or monitor risky, unapproved services where possible.

---

8. People & training: users as your strongest defence

Most attacks start with phishing or social engineering.

8.1 Awareness

Run short, regular awareness sessions (15–30 minutes, not marathon lectures).

Use realistic examples: real phishing emails, fake login pages.

Define clear rules: what to do and whom to contact if something looks suspicious.

8.2 Simulated phishing

Conduct controlled phishing campaigns to raise awareness.

Avoid blame; focus on learning.

Analyse patterns and target extra support where needed.

8.3 Reporting culture

Encourage staff to over-report rather than stay silent.

Avoid punishment if someone falls for a sophisticated phishing attempt.

Provide simple reporting channels (e.g. “report phishing” button).

---

9. Monitoring & incident response: detect and react

9.1 Take logs seriously

Centralise logs (SIEM or at least a central log server).

Key sources: firewalls, VPN, identity/AD, servers, cloud logs.

Set alerts for suspicious activity (failed logins, new admins, large exports).

9.2 Clear incident plans

Create an incident response plan: who does what when something goes wrong?

Rehearse different scenarios: ransomware, compromised account, data leak.

Maintain an up-to-date contact list (internal, providers, authorities).

9.3 Practice, don’t just document

Run at least one incident drill per year (tabletop exercise).

Document what worked and what didn’t.

Update the plan after each exercise.

---

10. Prioritising: what to do first

If you don’t have a structured security programme yet, start pragmatically. One sensible order:

1.Enable MFA everywhere you can.

2.Separate admin accounts and fix password hygiene.

3.Implement and automate patch management.

4.Verify and test backups.

5.Restrict remote access (no open RDP/SSH; VPN with MFA).

6.Run a short phishing awareness session for everyone.

These steps close most of the common entry points.

---

11. Common anti-patterns: what to avoid

Treating security as “just an IT problem” – leadership must be involved.

Trying to do everything perfectly at once – iterate instead.

Buying tools without clear processes and owners.

Writing policies that nobody reads or understands.

Skipping training and time budgets for security work.

---

12. Conclusion

Good IT security is less about expensive products and more about sound basics, simple rules and consistent execution.

If you:

secure identities properly (MFA, passwords, access rights),

keep systems and devices up to date,

structure and reliably back up data,

invest in people and training,

and plan for incidents instead of hoping they won’t happen,

you are already ahead of many organisations. From there, you can add advanced concepts – zero trust, deeper monitoring, automated response – but the foundation is always the same: straightforward best practices, applied every day.

Best Practices for IT Security: A Pragmatic Guide