Best Practices for IT Security: A Pragmatic Guide

January 13, 2026

1. Basics: What IT security actually is

IT security is not just antivirus and a firewall. In practice it is about three things:

  • Confidentiality: only the right people see data.
  • Integrity: data remains correct and trustworthy.
  • Availability: systems are up when needed.

Every technical and organisational measure should serve at least one of these goals. If it doesn’t, it may be unnecessary complexity.

---

2. Identities & passwords: users first, tech second

2.1 Strong authentication

  • Use multi-factor authentication (MFA) wherever possible (email, VPN, admin accounts, cloud services).
  • Block weak passwords (company name, year, names, birthdays).
  • Prefer long passphrases over extremely complex short passwords.

Example passphrase: `yellow_train_moves_slowly` – easy to remember, hard to crack.
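One way to enforce the "block weak passwords, prefer long passphrases" rules above is a screening function that rejects a candidate for concrete, explainable reasons rather than a single score. The following is an added example, not code from the original article: the company terms, first-name list, common-password excerpt and the 14-character minimum are constructed sample values that a real deployment would load from configuration.

```python
"""Weak-password screening for the rules in section 2.1.

Added example, not code from the original article. The blocklists (company
terms, first names, common passwords) and the minimum length are constructed
sample values; a real deployment would load them from configuration.
"""
from __future__ import annotations

import re

MIN_LENGTH = 14  # assumed policy value; a four-word passphrase clears it easily
COMPANY_TERMS = {"acme", "acmecorp"}                    # constructed: the organisation's own names
COMMON_NAMES = {"thomas", "anna", "michael", "julia"}   # constructed: a short first-name list
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty"}  # constructed: breach-list excerpt

# Undo common character substitutions so "Acm3C0rp" is matched as "acmecorp".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case and de-leet a password for blocklist matching."""
    return pw.lower().translate(LEET)


def contains_year(pw: str) -> bool:
    """True if a stand-alone four-digit number looks like a year (e.g. 'Summer2025')."""
    return any(1950 <= int(m) <= 2099 for m in re.findall(r"(?<!\d)\d{4}(?!\d)", pw))


def contains_date_like(pw: str) -> bool:
    """True if a 6- or 8-digit run looks like a birthday (DDMMYY, DDMMYYYY, ...)."""
    return re.search(r"(?<!\d)(\d{6}|\d{8})(?!\d)", pw) is not None


def check_password(pw: str) -> list[str]:
    """Return the policy violations for pw; an empty list means it is accepted."""
    reasons: list[str] = []
    norm = normalise(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if any(term in norm for term in COMPANY_TERMS):
        reasons.append("company_name")
    if any(name in norm for name in COMMON_NAMES):
        reasons.append("common_name")
    if any(common in norm for common in COMMON_PASSWORDS):
        reasons.append("common_password")
    if contains_year(pw):
        reasons.append("year")
    if contains_date_like(pw):
        reasons.append("birthday_like")
    return reasons


if __name__ == "__main__":
    for candidate in ("yellow_train_moves_slowly", "Acme2025!", "Thomas150390", "P@ssw0rd"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Returning the list of reasons lets the enrolment page tell the user exactly what to change, and the de-leeting step is what stops the usual "P@ssw0rd" workaround from slipping past a plain substring blocklist.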

2.2 Password managers

  • Use a trusted password manager (organisation-wide or personal).
  • Do not store passwords in Excel, on sticky notes or in plain-text browser notes.
  • Train users on how to choose a strong master password and spot phishing.

2.3 Separate admin accounts

  • Use dedicated admin accounts for administration, not everyday accounts.
  • Apply “run as” – elevate only for the time you need it.
  • Where possible: just-in-time admin instead of permanent admin rights.

---

3. Updates & patching: your most important routine

Most successful attacks use known vulnerabilities for which patches exist.

3.1 Operating systems and software

  • Have a clear patch strategy for Windows, Linux, macOS, browsers, Office, Java, PDF readers, etc.
  • Enable automatic updates where it’s sensible.
  • Patch critical systems in waves: test group → pilot group → broad rollout.

3.2 Firmware and network gear

  • Regularly update routers, switches, firewalls and Wi‑Fi access points.
  • Keep BIOS/UEFI and firmware on servers and storage up to date.

3.3 Remove legacy

  • Retire end-of-life systems (e.g. old Windows Server versions, outdated Linux distros).
  • If you truly cannot replace them: segment, isolate, and minimise access.

---

4. Endpoint protection: where users actually work

4.1 Basic protection

  • Use modern endpoint security, not just classic signature-based AV.
  • Enable full disk encryption on laptops and mobile devices (BitLocker, FileVault, LUKS).
  • Set automatic screen lock after short idle times.

4.2 Hardening devices

  • Remove unnecessary software (toolbars, “tuning” tools, old Java).
  • Disable unused services (remote desktop if not needed; legacy protocols).
  • Use standard user accounts for daily work, not local admins.

4.3 Mobile devices

  • Use Mobile Device Management (MDM) for company phones and tablets.
  • Enable device and app encryption, remote wipe for lost devices.

---

5. Network security: reduce attack surface

5.1 Segmentation instead of flat networks

  • Logically separate networks: servers, clients, guests, OT/production, management.
  • Put critical systems in their own VLANs with strict firewall rules.
  • No “everything can talk to everything” design.

5.2 Firewalls & VPN

  • Never expose RDP or SSH directly to the internet.
  • Allow remote access only via VPN with MFA.
  • Review and clean up firewall rules regularly.
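The "never expose RDP or SSH directly to the internet" and "review firewall rules regularly" points can be turned into a repeatable check. Below is an added example, not code from the original article: it audits a rule set in a simple normalised form (the format, the sample rules and the set of internal address ranges are constructed assumptions; a real check would first convert the firewall's own export into this shape) and reports every allow rule that lets a non-internal source reach SSH or RDP.

```python
"""Flag firewall rules that expose RDP or SSH to the internet (section 5.2).

Added example, not code from the original article. The normalised rule format
and the sample rule set are constructed; a real check would first convert the
firewall's own export into this shape.
"""
from __future__ import annotations

import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}  # services the article says must never face the internet

# Address ranges treated as internal; anything else is assumed to be reachable from outside.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10")]

# Constructed sample rules. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for public addresses.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "ports": "443"},
    {"id": 20, "action": "allow", "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "proto": "tcp", "ports": "3389"},
    {"id": 30, "action": "allow", "src": "10.20.0.0/16", "dst": "10.10.0.0/24", "proto": "tcp", "ports": "22"},
    {"id": 40, "action": "allow", "src": "198.51.100.0/24", "dst": "203.0.113.20/32", "proto": "tcp", "ports": "20-25"},
    {"id": 50, "action": "deny", "src": "0.0.0.0/0", "dst": "203.0.113.30/32", "proto": "tcp", "ports": "22"},
    {"id": 60, "action": "allow", "src": "any", "dst": "203.0.113.40/32", "proto": "any", "ports": "any"},
]


def src_exposure(src: str) -> str | None:
    """Classify a source: 'internet' (whole address space), 'external' (public range), None (internal)."""
    if src.lower() == "any":
        return "internet"
    net = ipaddress.ip_network(src, strict=False)
    if net.prefixlen == 0:
        return "internet"
    if any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES):
        return None
    return "external"


def port_matches(spec: str, port: int) -> bool:
    """True if a port spec such as 'any', '22', '20-25' or '22,3389' covers port."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def audit(rules: list[dict]) -> list[tuple]:
    """Return (rule id, service, exposure) for every allow rule that lets a
    non-internal source reach SSH or RDP. Deny rules and UDP-only rules are skipped."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"].lower() not in ("tcp", "any"):
            continue
        exposure = src_exposure(rule["src"])
        if exposure is None:
            continue
        for port, service in MGMT_PORTS.items():
            if port_matches(rule["ports"], port):
                findings.append((rule["id"], service, exposure))
    return findings


if __name__ == "__main__":
    for rule_id, service, exposure in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {service} reachable from {exposure} source")
```

Rule 40 is the case a manual review most often misses: a port range that happens to include 22, allowed from a specific public network rather than from "any". The audit still flags it, at the lower "external" exposure, so it can be reviewed rather than silently accepted.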

5.3 Wi‑Fi security

  • Use WPA2‑Enterprise or WPA3; avoid open Wi‑Fi for internal systems.
  • Strictly separate guest Wi‑Fi from the internal network.
  • Change default passwords on access points.

---

6. Data protection: what really matters

6.1 Classify data

  • Group data into categories: public, internal, confidential, highly confidential.
  • Define clear handling rules for each class (where stored, who may access, how shared).

6.2 Backup & restore

  • Follow the 3‑2‑1 rule: 3 copies, 2 different media, 1 copy offsite/offline.
  • Test backups regularly – not just configure them.
  • Define recovery time (RTO) and acceptable data loss (RPO).
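The three bullets above combine naturally into one periodic check over a backup inventory: does the set of copies satisfy 3-2-1, is the newest successful copy younger than the RPO, did the last restore test of each copy finish within the RTO, and has each copy been restore-tested recently at all. The code below is an added example, not the article's own; the inventory, the fixed reference time and the policy values (24 h RPO, 8 h RTO, quarterly restore tests) are constructed for illustration.

```python
"""3-2-1, RPO, RTO and restore-test checks for a backup inventory (section 6.2).

Added example, not code from the original article. The inventory, the
reference time and the policy values are constructed for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample inventory for one protected system. Include the production
# data set as an entry if your policy counts it as one of the three copies.
COPIES = [
    {"name": "primary-nas", "medium": "disk", "offsite": False, "offline": False,
     "last_success": datetime(2026, 1, 13, 2, 0),
     "last_restore_test": datetime(2025, 12, 20), "restore_duration": timedelta(hours=2)},
    {"name": "offsite-object-store", "medium": "object-storage", "offsite": True, "offline": False,
     "last_success": datetime(2026, 1, 12, 3, 0),
     "last_restore_test": datetime(2025, 7, 1), "restore_duration": timedelta(hours=12)},
    {"name": "tape-vault", "medium": "tape", "offsite": True, "offline": True,
     "last_success": datetime(2026, 1, 5, 23, 0),
     "last_restore_test": None, "restore_duration": None},
]

# Assumed policy: at most 24 h of data loss, restores done within 8 h,
# every copy restore-tested at least quarterly.
POLICY = {"rpo": timedelta(hours=24), "rto": timedelta(hours=8), "restore_test_interval": timedelta(days=90)}

NOW = datetime(2026, 1, 13, 8, 0)  # fixed reference time so the example is reproducible


def evaluate(copies: list[dict], policy: dict, now: datetime) -> dict:
    """Check 3-2-1, RPO, RTO and restore-test cadence; return a findings dict."""
    successes = [c["last_success"] for c in copies if c["last_success"] is not None]
    newest = max(successes, default=None)
    overdue = [c["name"] for c in copies
               if c["last_restore_test"] is None
               or now - c["last_restore_test"] > policy["restore_test_interval"]]
    # Only copies with a measured restore can be judged against the RTO.
    rto_exceeded = [c["name"] for c in copies
                    if c["restore_duration"] is not None and c["restore_duration"] > policy["rto"]]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c["medium"] for c in copies}) >= 2,
        "one_offsite_or_offline": any(c["offsite"] or c["offline"] for c in copies),
        # RPO is met if the most recent successful copy is younger than the allowed data loss.
        "rpo_met": newest is not None and now - newest <= policy["rpo"],
        "newest_copy_age_hours": None if newest is None else (now - newest).total_seconds() / 3600,
        "restore_test_overdue": overdue,
        "rto_exceeded": rto_exceeded,
    }


def compliant(report: dict) -> bool:
    """Overall pass only if every 3-2-1 element, RPO, RTO and all restore tests are in order."""
    return (report["three_copies"] and report["two_media"] and report["one_offsite_or_offline"]
            and report["rpo_met"] and not report["restore_test_overdue"] and not report["rto_exceeded"])


if __name__ == "__main__":
    report = evaluate(COPIES, POLICY, NOW)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("compliant:", compliant(report))
```

In the sample the 3-2-1 structure and the RPO are fine, yet the inventory still fails: the offsite copy was last restore-tested half a year ago and took 12 h to restore, and the tape copy has never been tested. That is exactly the gap "test backups regularly, not just configure them" is warning about.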

6.3 Encryption & transport

  • Store sensitive data encrypted (databases, file shares with proper access control).
  • Use encrypted transport (HTTPS, SFTP, VPN) by default.
  • Don’t send sensitive content in plain text via email.

---

7. Cloud security: same principles, different UI

Most organisations use cloud services (M365, Google Workspace, AWS, Azure, SaaS). Responsibility is shared:

  • Provider: physical security, core platform
  • You: accounts, rights, configuration, data

7.1 Identities & access

  • Use Single Sign-On (SSO) and central identity (e.g. Azure AD / Entra ID).
  • Make MFA mandatory for all cloud apps.
  • Grant access on a need-to-know basis.

7.2 Configuration & logging

  • Use platform security baselines (Secure Score, best-practice templates).
  • Enable logging (audit logs, sign‑in logs, admin activities).
  • Regularly review shared links, public buckets and file shares.

7.3 Minimise shadow IT

  • Define which cloud apps are approved.
  • Communicate allowed tools clearly to staff.
  • Block or monitor risky, unapproved services where possible.

---

8. People & training: users as your strongest defence

Most attacks start with phishing or social engineering.

8.1 Awareness

  • Run short, regular awareness sessions (15–30 minutes, not marathon lectures).
  • Use realistic examples: real phishing emails, fake login pages.
  • Define clear rules: what to do and whom to contact if something looks suspicious.

8.2 Simulated phishing

  • Conduct controlled phishing campaigns to raise awareness.
  • Avoid blame; focus on learning.
  • Analyse patterns and target extra support where needed.

8.3 Reporting culture

  • Encourage staff to over-report rather than stay silent.
  • Avoid punishment if someone falls for a sophisticated phishing attempt.
  • Provide simple reporting channels (e.g. “report phishing” button).

---

9. Monitoring & incident response: detect and react

9.1 Take logs seriously

  • Centralise logs (SIEM or at least a central log server).
  • Key sources: firewalls, VPN, identity/AD, servers, cloud logs.
  • Set alerts for suspicious activity (failed logins, new admins, large exports).
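The three alert examples in the last bullet (failed logins, new admins, large exports) are simple enough to implement as rules over centralised logs. The following is an added example, not code from the original article: it parses constructed log lines in a timestamp-plus-key=value format and raises one alert per rule. The format, the sample lines, the thresholds (5 failures in 10 minutes, 1 GiB) and the admin group names are all assumptions; a real pipeline would map its own sources (VPN, identity/AD, file servers, cloud audit logs) into this shape first.

```python
"""Three of the alerts named in section 9.1, run over sample log lines.

Added example, not code from the original article. The key=value log format,
the log lines, the thresholds and the admin group names are constructed for
illustration; map your own log sources into this shape first.
"""
from __future__ import annotations

import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                   # assumed: 5 failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within 10 minutes for one user
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed group names
LARGE_EXPORT_BYTES = 1024 ** 3               # assumed: anything from 1 GiB upwards

# Constructed sample lines: ISO timestamp followed by key=value pairs (quotes allowed).
SAMPLE_LOGS = """\
2026-01-13T07:58:01Z host=vpn1 event=login_failed user=j.doe src=198.51.100.7
2026-01-13T07:59:30Z host=vpn1 event=login_failed user=j.doe src=198.51.100.7
2026-01-13T08:00:02Z host=vpn1 event=login_failed user=j.doe src=198.51.100.7
2026-01-13T08:01:15Z host=vpn1 event=login_failed user=j.doe src=198.51.100.7
2026-01-13T08:02:40Z host=vpn1 event=login_failed user=j.doe src=198.51.100.7
2026-01-13T08:03:05Z host=vpn1 event=login_failed user=k.roe src=10.0.0.12
2026-01-13T08:04:11Z host=vpn1 event=login_ok user=k.roe src=10.0.0.12
2026-01-13T08:05:10Z host=dc1 event=group_member_added group="Domain Admins" member=svc-backup actor=t.smith
2026-01-13T08:10:00Z host=fileserver event=export user=a.lee bytes=5368709120 dst=203.0.113.9
2026-01-13T08:12:00Z host=vpn1 event=login_ok user=j.doe src=10.0.0.5
"""


def parse_line(line: str) -> dict:
    """Split one line into a dict; the first token is the timestamp, the rest are key=value."""
    ts, *fields = shlex.split(line)
    record = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect(lines) -> list[tuple]:
    """Return (rule, subject, detail) alerts in the order the triggering lines arrive."""
    alerts: list[tuple] = []
    failed: dict[str, deque] = defaultdict(deque)  # per-user timestamps of recent failures
    already_alerted: set[str] = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        event = rec.get("event")
        if event == "login_failed":
            window = failed[rec["user"]]
            window.append(rec["ts"])
            # Drop failures that fell out of the sliding window.
            while window and rec["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD and rec["user"] not in already_alerted:
                already_alerted.add(rec["user"])  # one alert per user, not one per extra failure
                alerts.append(("brute_force", rec["user"],
                               f"{len(window)} failed logins within {FAILED_LOGIN_WINDOW}"))
        elif event == "group_member_added" and rec.get("group") in ADMIN_GROUPS:
            alerts.append(("admin_group_change", rec["member"],
                           f"added to {rec['group']} by {rec.get('actor')}"))
        elif event == "export" and int(rec.get("bytes", 0)) >= LARGE_EXPORT_BYTES:
            alerts.append(("large_export", rec["user"],
                           f"{int(rec['bytes']) // 1024 ** 2} MiB to {rec.get('dst')}"))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_LOGS.splitlines()):
        print(f"[{rule}] {subject}: {detail}")
```

Two details matter in practice: the failed-login rule uses a sliding window and alerts once per user rather than on every further failure, which keeps the alert queue readable during a long attempt, and the admin-group rule keys on the group name, so the same logic covers a domain controller and a cloud directory once both are mapped into the common format.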

9.2 Clear incident plans

  • Create an incident response plan: who does what when something goes wrong?
  • Rehearse different scenarios: ransomware, compromised account, data leak.
  • Maintain an up-to-date contact list (internal, providers, authorities).

9.3 Practice, don’t just document

  • Run at least one incident drill per year (tabletop exercise).
  • Document what worked and what didn’t.
  • Update the plan after each exercise.

---

10. Prioritising: what to do first

If you don’t have a structured security programme yet, start pragmatically. One sensible order:

1. Enable MFA everywhere you can.
2. Separate admin accounts and fix password hygiene.
3. Implement and automate patch management.
4. Verify and test backups.
5. Restrict remote access (no open RDP/SSH; VPN with MFA).
6. Run a short phishing awareness session for everyone.

These steps close most of the common entry points.

---

11. Common anti-patterns: what to avoid

  • Treating security as “just an IT problem” – leadership must be involved.
  • Trying to do everything perfectly at once – iterate instead.
  • Buying tools without clear processes and owners.
  • Writing policies that nobody reads or understands.
  • Skipping training and time budgets for security work.

---

12. Conclusion

Good IT security is less about expensive products and more about sound basics, simple rules and consistent execution.

If you:

  • secure identities properly (MFA, passwords, access rights),
  • keep systems and devices up to date,
  • structure and reliably back up data,
  • invest in people and training,
  • and plan for incidents instead of hoping they won’t happen,

you are already ahead of many organisations. From there, you can add advanced concepts – zero trust, deeper monitoring, automated response – but the foundation is always the same: straightforward best practices, applied every day.