Why foundations matter more than tooling
Every growing business we engage with has the same first instinct: buy a product. Buy an EDR. Buy a SIEM. Buy a phishing simulator. The instinct isn't wrong — tools do help — but tools without process produce alerts no-one reads, dashboards no-one checks, and audit findings no-one closes.
The 2024 Verizon Data Breach Investigations Report analysed 30,458 security incidents across 94 countries and found that 68% involved a non-malicious human element — phishing, credential reuse, or misconfiguration — and that 14% involved the abuse of valid credentials as an initial access vector. None of those breaches were stopped by buying more software. They were stopped (or not) by whether basic controls were in place and operating.
This is what we mean by "foundations." A foundation is a control that's configured, monitored, and recoverable. If any of those three pieces are missing, you have a tool, not a control.
The six foundational controls, in order
1. Multi-factor authentication, everywhere
The single highest-leverage control you can implement. Microsoft's analysis of 1.2 billion identity events in 2023 found that MFA blocks 99.2% of credential-based attacks. There is no other security investment with that return.
"Everywhere" means every identity provider (Google Workspace, Microsoft Entra ID, Okta), every administrative console (AWS, GitHub, Stripe), every VPN endpoint, and — increasingly — every developer SSH key. Use phishing-resistant factors where you can: hardware keys (YubiKey), platform authenticators (Touch ID, Windows Hello), or push notifications with number-matching. SMS one-time codes are better than nothing but fail against SIM-swap attacks.
Practical sequence: enforce MFA on your identity provider first, then admin consoles, then everything else. Aim for 100% coverage of administrative accounts within two weeks.
2. Endpoint detection and response (EDR)
Endpoint detection and response replaces traditional signature-based antivirus with continuous behavioural monitoring. CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, and Sophos Intercept X are the mainstream choices for organisations under 500 endpoints.
The value isn't in the marketing — it's in what EDR records. When something goes wrong, your incident responder needs the process tree, the network connections, the file modifications, and the registry changes that led to the alert. EDR gives you that timeline; antivirus does not.
Deploy EDR to every laptop, every server, and every developer workstation. Tune the alert volume aggressively in the first 30 days — a noisy EDR that nobody reads is worse than no EDR at all.
3. Validated, offline backups
Ransomware works because most organisations cannot restore quickly. The 2024 Sophos State of Ransomware report surveyed 5,000 IT leaders and found that only 32% of victims fully recovered within a week; the median total cost of recovery (excluding ransom) was USD 2.73 million.
The control is not "backups." Every organisation has backups. The control is validated, isolated, offline backups. That means:
- Backups are stored in a separate trust boundary — different cloud account, different credentials, ideally immutable (S3 Object Lock, Azure Immutable Blob, GCP Bucket Lock).
- Restore drills happen at least quarterly, with a stopwatch, against representative data sets.
- RPO (recovery point objective) and RTO (recovery time objective) are documented per system class and accepted by the business.
If you have not restored a backup in the last 90 days, you do not have a backup. You have a snapshot.
4. Email authentication and inbound filtering
Email is still the dominant initial-access vector for ransomware, business email compromise (BEC), and credential theft. Three DNS records — SPF, DKIM, and DMARC — make it dramatically harder for attackers to impersonate your domain.
The minimum:
- SPF: declare every IP authorised to send mail from your domain.
- DKIM: cryptographically sign outbound mail at the gateway.
- DMARC: instruct receivers what to do when SPF or DKIM fail. Start at
p=noneto collect reports, then move top=quarantineand ultimatelyp=rejectonce your legitimate senders are aligned.
For inbound, Google Workspace and Microsoft 365 ship with reasonable phishing and malware protection. Layer on a dedicated email security gateway (Abnormal Security, Mimecast, Proofpoint) when your phishing volume justifies the spend — usually around the 200-employee mark, or earlier if you handle invoices or vendor payments.
5. Patch management on a defined cadence
Of the vulnerabilities exploited in 2024 according to the CISA Known Exploited Vulnerabilities (KEV) catalogue, over 60% had patches available for more than six months at the time of exploitation. Attackers don't need novel zero-days when you're running a six-month-old version of Confluence.
The control isn't "patch fast." The control is:
- Inventory — you cannot patch what you cannot see.
- Triage — CVSS severity and exploitability, not just CVSS severity.
- SLA — critical patches deployed within seven days for internet-facing systems, 30 days for internal.
- Reporting — patch compliance is reviewed monthly, exceptions are documented and time-boxed.
6. A written incident response plan
The plan does not need to be elaborate. It needs to answer five questions on paper before the incident happens:
- Who decides this is an incident? (one named individual, with a deputy)
- Who do we call? (incident response retainer, cyber insurer, breach counsel, regulator)
- Who talks to customers? (one named individual, with pre-approved holding statements)
- Where do we communicate when our primary channels are compromised? (out-of-band Signal group, personal email backup)
- What's our 72-hour notification clock? (GDPR Art. 33 if you process EU personal data; NIS2 24-hour early warning if you're an essential or important entity; DORA major-incident reporting if you're a financial entity)
Tabletop the plan twice a year. The first run will be embarrassing. That's the point.
What to skip (for now)
Most organisations under 200 people don't need:
- A SIEM. Your EDR's hunting console and your cloud provider's native logging are enough until your alert volume justifies a security analyst.
- A SOAR. Same reasoning — automation pays off when you have repeatable manual processes to automate.
- A bug bounty programme. You'll be drowning in low-severity reports before your internal triage process is ready.
- A dedicated security team. One senior engineer with a 20% security allocation and a vCISO on retainer is usually more effective than two junior security hires.
Documentation: the unglamorous multiplier
Every control above generates evidence. Every piece of evidence will be asked for — by a customer's procurement questionnaire, an auditor, your cyber insurer, or an incident responder. Document as you go and you cut your future workload by half.
Minimum documentation set:
- Asset inventory (laptops, servers, SaaS apps, domains, IP ranges).
- Access matrix (who has access to what, reviewed quarterly).
- Risk register (top 10 risks, owner, treatment plan, last review date).
- Policy suite (acceptable use, access control, data classification, incident response — six pages each, not sixty).
- Vendor list with risk tier (sub-processors, critical SaaS, payment providers).
A realistic 8–10 week sequence
For a typical 20–100 person organisation starting from scratch:
Weeks 1–2: Risk assessment, asset inventory, gap analysis. Identify crown-jewel data and systems. Pick the EDR and identity-provider configuration.
Weeks 3–4: Enforce MFA across identity providers and admin consoles. Deploy EDR. Configure SPF/DKIM/DMARC.
Weeks 5–6: Backup strategy and first restore drill. Patch management baseline and SLA. Logging and alerting wiring.
Weeks 7–8: Policy suite drafting and approval. Security awareness onboarding. Incident response plan and first tabletop.
Weeks 9–10: Documentation pass, evidence collection scaffolding, executive summary for leadership. Plan the next quarter (compliance pursuit, penetration test, or SDLC investment).
By the end of week 10, the organisation has a defensible baseline, documented controls, and the foundation to pursue SOC 2, ISO 27001, or SMB1001 certification in the following quarter.