Most businesses don’t think seriously about cybersecurity until something goes wrong. A ransomware attack locks down files. A phishing email compromises credentials. A laptop with sensitive data gets stolen. Suddenly, security becomes the top priority—but by then, you’re responding to a crisis instead of preventing one.
The best time to prepare for a security incident is before it happens. Here’s what you should have in place now, while things are calm, so you’re ready if they’re not.
1. Know What You’re Protecting
Why This Matters:
You can’t protect what you don’t know you have. Most businesses have a vague sense of their critical systems and data, but haven’t actually documented what matters most.
What to Do:
Create a simple inventory of your critical assets. This doesn’t need to be an exhaustive technical diagram—start with the basics:
- What systems would stop your business if they went down? (Email, accounting software, CRM, manufacturing systems, etc.)
- Where is your sensitive data stored? (Customer information, financial records, intellectual property, employee data)
- Who has access to what? (Which employees, contractors, or vendors can access critical systems and data)
- What’s your tolerance for downtime? (Can you survive a day without email? A week without your ERP system?)
Once you know what you’re protecting and how critical each piece is, you can make better decisions about where to focus your security efforts.
2. Back Up Your Data (and Test Those Backups)
Why This Matters:
Ransomware, hardware failure, human error, and natural disasters can all destroy your data. Backups are your insurance policy. But a backup you’ve never tested is a backup you can’t trust.
What to Do:
Implement the 3-2-1 backup rule:
- 3 copies of your data (the original plus two backups)
- 2 different types of media (e.g., local hard drive and cloud storage)
- 1 copy offsite or in the cloud (so a physical disaster doesn’t take out everything)
Then—and this is critical—test your backups regularly. Can you actually restore files? How long does it take? Do your employees know the process? Schedule quarterly restoration tests so you know your backups work before you desperately need them.
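The restoration test described above can be scripted so it runs on a schedule instead of depending on someone remembering to do it. The following Python script is an added example written for this article, not a tool the author provides: it stands in for a real backup job with a tar archive of a constructed sample directory, restores it to a scratch directory, times the restore, and compares the SHA-256 of every restored file against the live data. The second run simulates a backup that silently fell behind (a file changed and a new file appeared after the backup ran), which the check reports as missing and mismatched files rather than reporting success.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def file_digests(root) -> dict:
    """SHA-256 of every file under root, keyed by its relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source, archive) -> None:
    """Stand-in for the real backup job: a compressed tar of the source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")


def restore_backup(archive, dest) -> None:
    """Restore the archive into dest, refusing unsafe member paths where Python supports it."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' filter (Python 3.12, backported to maintenance releases) rejects
        # absolute paths and '..' entries; older interpreters fall back to a plain extract.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def restore_test(source, archive, restore_dir) -> dict:
    """Restore into a scratch directory, time it, and compare every file with the live source."""
    expected = file_digests(source)
    started = time.monotonic()
    restore_backup(archive, restore_dir)
    elapsed = time.monotonic() - started
    actual = file_digests(restore_dir)
    missing = sorted(set(expected) - set(actual))
    mismatched = sorted(n for n in expected if n in actual and actual[n] != expected[n])
    return {
        "files_expected": len(expected),
        "missing": missing,
        "mismatched": mismatched,
        "restore_seconds": round(elapsed, 3),
        "ok": not missing and not mismatched,
    }


def run_demo() -> tuple:
    """Build constructed sample data, back it up, then run a fresh and a stale restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        source = work / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "notes.txt").write_text("constructed sample data\n")
        archive = work / "nightly.tar.gz"
        create_backup(source, archive)
        fresh = restore_test(source, archive, work / "restore-1")

        # Simulate a backup that fell behind: the source changed after the job ran.
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n2024-02-01,250\n")
        (source / "new-contract.pdf").write_bytes(b"%PDF-constructed")
        stale = restore_test(source, archive, work / "restore-2")
        return fresh, stale


if __name__ == "__main__":
    for label, result in zip(("fresh backup", "stale backup"), run_demo()):
        print(label, result)
```

Pointing the same functions at a real backup archive and the production data directory gives a quarterly report with the two numbers the article asks for: whether the restore is complete and correct, and how long it took.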
3. Require Multi-Factor Authentication (MFA)
Why This Matters:
Passwords alone aren’t enough. Even strong passwords can be stolen through phishing, data breaches, or keyloggers. Multi-factor authentication adds a second layer of protection that dramatically reduces the risk of account compromise.
What to Do:
Enable MFA on every system that supports it, especially:
- Email accounts
- Financial systems
- Cloud storage and file sharing
- Remote access tools (VPN, remote desktop)
- Administrative accounts
MFA doesn’t have to be complicated. Even a simple text message code or authentication app makes it exponentially harder for attackers to access your systems, even if they steal a password.
4. Document an Incident Response Plan
Why This Matters:
When a security incident happens, you don’t have time to figure out what to do. Confusion and panic lead to mistakes that make situations worse. Having a plan means you can respond quickly, methodically, and effectively.
What to Do:
Create a simple incident response plan that covers the basics:
Who to contact:
- Internal team members (IT lead, management, legal)
- External contacts (IT service provider, cyber insurance, legal counsel, law enforcement if needed)
- Communication roles (who talks to customers, partners, regulators)
Initial response steps:
- How to identify and contain the incident
- Which systems to isolate or shut down
- How to preserve evidence
- When to engage external help
Communication protocols:
- Who needs to know what, and when
- How to communicate with employees, customers, and partners
- What your legal notification obligations are
You don’t need a 50-page document. A clear, two-page playbook that people can follow under pressure is far more valuable than a comprehensive manual no one will read during a crisis.
5. Train Your Employees
Why This Matters:
Most security incidents start with human error: a clicked phishing link, a weak password, a lost laptop, or an accidental data exposure. Your employees are your first line of defense—but only if they know what to look for and what to do.
What to Do:
Conduct regular, practical security awareness training:
- Show real examples of phishing emails and explain what makes them suspicious
- Teach employees how to create strong passwords and why they matter
- Explain how to handle sensitive data safely
- Create a clear process for reporting suspicious activity without fear of blame
- Make it easy to ask questions
Training doesn’t need to be formal or expensive. Regular, short sessions focused on real-world scenarios are more effective than annual compliance lectures.
6. Keep Software and Systems Updated
Why This Matters:
Software updates aren’t just about new features—they patch known vulnerabilities. When you delay updates, you’re leaving doors open that attackers already know how to exploit. Many major breaches happen because organizations didn’t apply patches for publicly disclosed vulnerabilities.
What to Do:
- Enable automatic updates wherever possible (operating systems, browsers, security software)
- For business-critical applications, establish a regular patching schedule (monthly at minimum)
- Monitor for critical security updates and apply them promptly
- Maintain an inventory of software so you know what needs updating
Yes, updates can occasionally cause compatibility issues. But running unpatched software is far riskier than dealing with an occasional hiccup.
7. Control Access to Your Systems
Why This Matters:
The more people who have access to sensitive systems and data, the more opportunities for something to go wrong—whether through malicious intent or honest mistakes. If everyone is an administrator, no one is really in control.
What to Do:
Implement the principle of least privilege:
- Give employees access only to the systems and data they need for their jobs
- Use standard user accounts for daily work; reserve admin access for IT tasks
- Remove access promptly when employees change roles or leave the company
- Review access permissions regularly (at least annually)
- Require separate accounts for administrative tasks (don’t use the same account for email and system administration)
This isn’t about distrusting employees—it’s about reducing risk and limiting the damage if an account is compromised.
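The access review in the list above, together with the "who has access to what" question from item 1, is easy to automate once the inventory exists. The following Python script is an added example written for this article, not a tool from the author: it takes a constructed account inventory (the kind of export you would pull from your directory and join to HR status) and a constructed model of what each role needs, and flags the four conditions the article describes: leavers who still hold access, access beyond what the role needs, one account used for both email and administration, and accounts whose last review is older than a year. The role model and account data are assumptions for illustration.

```python
from datetime import date

# Constructed role model (an assumption for this example): the access each role needs.
# The IT role is split into a daily account with a mailbox and a separate admin-only
# account with no mailbox, as the article recommends.
ROLE_NEEDS = {
    "accountant":     {"accounting": "user", "email": "user"},
    "sales":          {"crm": "user", "email": "user"},
    "it_support":     {"email": "user", "helpdesk": "user"},
    "it_support_adm": {"accounting": "admin", "erp": "admin"},
}
LEVEL = {"none": 0, "user": 1, "admin": 2}

# Constructed account inventory joined to HR status (sample data, not real accounts).
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "accountant", "status": "active", "last_review": "2024-11-01",
     "access": {"accounting": "user", "email": "user", "crm": "user"}},
    {"user": "bob", "role": "sales", "status": "terminated", "last_review": "2024-01-10",
     "access": {"crm": "user", "email": "user"}},
    {"user": "carol", "role": "it_support", "status": "active", "last_review": "2024-09-15",
     "access": {"email": "user", "helpdesk": "user"}},
    {"user": "carol-adm", "role": "it_support_adm", "status": "active", "last_review": "2024-09-15",
     "access": {"accounting": "admin", "erp": "admin"}},
    {"user": "dave-adm", "role": "it_support_adm", "status": "active", "last_review": "2024-06-01",
     "access": {"erp": "admin", "email": "user"}},
    {"user": "erin", "role": "sales", "status": "active", "last_review": "2023-02-10",
     "access": {"crm": "user", "email": "user"}},
]


def review_accounts(accounts, today, review_max_days=365):
    """Return (user, finding_code, detail) tuples for every least-privilege violation found."""
    findings = []
    for acct in accounts:
        user, access = acct["user"], acct["access"]
        needs = ROLE_NEEDS.get(acct["role"], {})

        # Leavers and role changers: any remaining access should have been removed.
        if acct["status"] != "active":
            for system in sorted(access):
                findings.append((user, "revoke_leaver",
                                 f"{acct['status']} account still holds {access[system]} on {system}"))
            continue

        # Access above what the role needs (including systems the role needs no access to).
        for system, level in sorted(access.items()):
            needed = needs.get(system, "none")
            if LEVEL[level] > LEVEL[needed]:
                findings.append((user, "excess_privilege", f"{level} on {system}, role needs {needed}"))

        # One account for both email and administration.
        if "admin" in access.values() and "email" in access:
            findings.append((user, "shared_admin_mailbox",
                             "admin rights and a mailbox on one account; use a separate admin account"))

        # Review cadence: at least annually.
        days = (today - date.fromisoformat(acct["last_review"])).days
        if days > review_max_days:
            findings.append((user, "stale_review", f"last reviewed {days} days ago"))
    return findings


def run_sample_review():
    """Run the review over the constructed inventory at a fixed date so results are repeatable."""
    return review_accounts(SAMPLE_ACCOUNTS, date(2025, 1, 15))


if __name__ == "__main__":
    for user, code, detail in run_sample_review():
        print(f"{user:10} {code:22} {detail}")
```

Running this against a real export turns the annual review from a spreadsheet exercise into a short list of accounts to fix, and the same check can run monthly so a leaver's lingering access does not wait a year to be noticed.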
8. Understand Your Compliance Obligations
Why This Matters:
If you handle certain types of data or work in regulated industries, you have legal and contractual obligations for how you protect information. Discovering your compliance requirements after a breach is far more expensive and stressful than understanding them upfront.
What to Do:
Identify which regulations and frameworks apply to your business:
- CMMC or DFARS if you’re in the defense supply chain
- HIPAA if you handle protected health information
- PCI-DSS if you process credit card payments
- GLBA if you’re in financial services
- State data breach laws (all 50 states have them)
- Industry-specific standards like NIST, ISO 27001, or SOC 2
Once you know what applies to you, understand what those requirements actually mean in practice. Compliance isn’t just about checking boxes—it’s about implementing security controls that work.
9. Have Cyber Insurance (and Know What It Covers)
Why This Matters:
Cyber insurance won’t prevent an incident, but it can significantly reduce the financial impact. Coverage typically includes breach response costs, legal fees, regulatory fines, customer notification, and business interruption losses.
What to Do:
- Get quotes from insurers who specialize in cyber coverage
- Understand what’s covered and what’s not (policies vary significantly)
- Know what security controls insurers require (many now mandate MFA, backups, and incident response plans)
- Keep your coverage current as your business grows
- Document your security practices—insurers will ask
Important: cyber insurance isn’t a substitute for security. It’s a backstop for when prevention fails.
10. Establish Relationships Before You Need Them
Why This Matters:
In the middle of a security incident, you don’t want to be Googling for help or trying to find a lawyer who understands data breach law. Having trusted relationships in place means you can respond faster and more effectively.
What to Do:
Identify and vet these contacts before a crisis:
- IT security firm or consultant who can help with incident response and forensics
- Legal counsel experienced in data breach and cybersecurity law
- Public relations or communications firm if you need help managing public response
- Your cyber insurance provider, along with a clear understanding of their incident response requirements
- Law enforcement contacts if you need to report criminal activity
You don’t need to have everyone on retainer, but you should know who you’d call and have their contact information readily available.
The Bottom Line
The time to think about security is when you don’t have an active crisis. Every item on this list is easier, cheaper, and more effective when you implement it proactively rather than reactively.
You don’t need to do everything at once. Start with the fundamentals—backups, MFA, and an incident response plan—and build from there. The goal isn’t perfection; it’s readiness.
When something does go wrong (and statistically, something eventually will), the difference between a manageable incident and a business-ending disaster often comes down to the preparation you did beforehand.
Don’t wait for a crisis to take security seriously. The decisions you make today determine how well you’ll handle whatever happens tomorrow.
Not sure where to start? Brookmore Solutions helps small and mid-sized businesses build practical, business-ready security programs before incidents happen. Contact us to discuss your readiness and next steps.