The organizing principle: defense in depth
No single control is perfect. That's why serious security doesn't bet everything on one control; it stacks layers, each covering different attack vectors. If the attacker bypasses one, the next stops them. That's why this article isn't about "the best antivirus": it's about building the right layers.
1. Multi-factor authentication (MFA) everywhere possible
The single highest protection-to-cost ratio of any control. Even if a password gets phished, without the second factor the attacker doesn't get in. Apply MFA to:
- Email (Microsoft 365, Google Workspace, own server).
- Critical systems (ERP, accounting, bank, payment gateways).
- Business VPN and remote access (RDP, SSH).
- Password manager and hosting/domain services.
- Admin accounts on servers and cloud platforms.
Use TOTP apps (Microsoft Authenticator, Google Authenticator, Authy, Aegis) or FIDO2 hardware keys (YubiKey, Titan). Avoid SMS — it's vulnerable to SIM swapping.
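To make concrete what a TOTP app and the server actually agree on, here is an added example (not code from the original article or from any of the products named above) that implements RFC 4226/6238 with the standard library: the shared secret is exchanged in base32 (the reference seed from RFC 6238 is used as a constructed value), the server derives the 6-digit code from the current 30-second counter, tolerates one step of clock drift, and refuses to accept the same counter twice so that a phished live code cannot be replayed inside the window. The function names and the replay-state handling are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import struct

# Constructed base32 secret: the RFC 6238 reference seed "12345678901234567890",
# i.e. what an authenticator app would receive in the enrollment QR code.
ENROLLED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps exchange secrets as base32; restore any stripped padding."""
    cleaned = secret_b32.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30):
    """Return the counter the code matched, or None.

    window=1 tolerates one step of clock drift on either side. The comparison
    is constant-time so a wrong guess costs the same as a right one.
    """
    base = at // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def accept_code(secret: bytes, code: str, at: int, last_counter: int):
    """Server-side check with replay protection (assumed design, not a library API).

    Returns (accepted, new_last_counter). A code whose counter is at or below
    the last accepted one is rejected even though it is cryptographically valid;
    otherwise a code captured by a phishing page could be reused within the window.
    """
    matched = verify_totp(secret, code, at)
    if matched is None or matched <= last_counter:
        return False, last_counter
    return True, matched


if __name__ == "__main__":
    secret = decode_secret(ENROLLED_SECRET_B32)
    print(totp(secret, 59))                        # 287082 (RFC 6238 test vector)
    print(accept_code(secret, "287082", 59, -1))   # (True, 1)
    print(accept_code(secret, "287082", 70, 1))    # (False, 1): replay rejected
```

The drift window is the reason a code still works for a few seconds after the app rolls over; the replay check is what stops that tolerance from becoming a reuse window for an attacker.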
2. Mandatory password manager
Reused passwords are the #1 compromise vector. A single breach of any service (Adobe, LinkedIn, Dropbox, Canva) exposes that same password across dozens of others where the person reused it.
Implement Bitwarden (free or business plan US$ 3/user/month), 1Password Business or Keeper Business. Each user has their vault; admin manages shared team credentials (shared folders with per-person permissions). New passwords minimum 16 random characters — the manager generates and remembers them.
Goodbye passwords in spreadsheets, post-its under keyboards, or "we all use the wifi one".
3. Patches up to date — no excuses
80% of mass automated attacks exploit vulnerabilities for which patches have been available for months. Monthly patching closes 80% of the problem:
- Windows Update scheduled on workstations and servers.
- Critical applications (Adobe, Chrome, Office, browsers) auto-updated.
- Router, firewall, AP and NAS firmware reviewed quarterly.
- Out-of-support OS (Windows 7, Server 2012, etc.) — migrate urgently or isolate in separate VLAN without internet.
4. Network segmentation with VLANs
Apply segmentation with separate VLANs:
- Server VLAN: where data and critical apps live. Access only from authorized networks.
- Employee VLAN: workstations and laptops. Controlled access to server VLAN.
- Guest / public WiFi VLAN: isolated, no access to internal resources. Internet only.
- IoT / camera VLAN: smart devices, frequently vulnerable. Isolated.
- Admin / management VLAN: access to network gear, only from IT team workstations.
An infection in one VLAN doesn't automatically propagate to others. Costs the same to configure right as wrong, but the difference shows when someone clicks where they shouldn't.
5. Principle of Least Privilege (PoLP)
Nobody should have more permissions than strictly needed for their job. In practice:
- Standard users, not admins: the day-to-day user account is never an admin. Elevate via UAC only for admin tasks.
- Specific NTFS permissions: every shared folder has explicit per-group access, not "everyone / full control".
- Dedicated service accounts: don't use Windows Administrator or root for services. Create specific accounts with only what they need.
- Cleanup on employee departure: revoke access same day. Have documented checklist of what to disable.
- Periodic review: quarterly review of who has access to what — people change roles and permissions accumulate.
6. Backups 3-2-1 with immutable copy
Covered in detail in Backups, ransomware and business continuity. Summary: 3 copies of data, on 2 different media, 1 offsite, with at least one immutable copy ransomware can't encrypt.
And test restore quarterly — a backup you never restored isn't a backup.
7. Modern endpoint protection (EDR), not '90s antivirus
Signature-based traditional antivirus is no longer enough. What's used today is EDR (Endpoint Detection and Response) — software analyzing behavior, not just files, alerting on suspicious activity.
Reasonable options for SMBs:
- Microsoft Defender for Business — included in Microsoft 365 Business Premium, solid for Windows + 365 environments.
- Bitdefender GravityZone — excellent detection, centralized cloud management, ~US$ 3-5/endpoint/month.
- ESET Protect — popular in Latin America, good and affordable.
- SentinelOne / CrowdStrike — enterprise tier, pricier but more capable.
Avoid free antivirus in business environments — their business model is upselling, not protecting you.
8. User training — the human link
90% of successful attacks involve a human who clicked where they shouldn't have. Three basics every employee must know:
- Recognize phishing: check the real sender address, suspect urgency ("act now!"), never give passwords over email or WhatsApp, verify links before clicking.
- Don't reuse passwords and use the manager.
- Report suspicions without fear of being scolded. Better 10 false reports than one real incident hidden in shame.
Run controlled phishing simulations (with services like KnowBe4 or Microsoft Defender Attack Simulator) — educates more than any theoretical course.
9. Centralized logging and monitoring
If an incident happens and you have no logs, you can't investigate, contain or report. Minimum:
- Server and firewall logs sent to a central destination (NAS, syslog server, or a SIEM if budget allows).
- Retention of at least 90 days; for compliance, up to 1 year.
- Automatic alerts on critical events: multiple failed logins, admin account creation, antivirus disabling, login from unusual country.
For SMBs, useful solutions: Graylog (open source), Wazuh (free SIEM), Splunk Free up to 500 MB/day, or the firewall's own logging module (FortiGate, pfSense, Mikrotik).
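What the "automatic alerts on critical events" bullet means in practice is a handful of rules run over the centralized log stream. The following is an added example, not code from the article or from Graylog, Wazuh or Splunk: it reads a constructed sample of Linux auth.log lines (sshd, useradd and usermod messages in their normal syslog format) and raises the alerts named above, namely repeated failed logins from one source within a time window, creation of a new account, an account being added to an admin group, and a successful login from outside the networks the company expects. The last rule stands in for the "login from unusual country" check, which in a real deployment needs a GeoIP lookup; the thresholds, network list, admin group names and sample lines are all assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: auth.log lines as a syslog server would receive them.
SAMPLE_LOG = """\
Mar  3 10:00:01 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 srv01 sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 srv01 sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:08 srv01 sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:11 srv01 sshd[1205]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:02:30 srv01 sshd[1230]: Failed password for jdoe from 192.168.10.25 port 40001 ssh2
Mar  3 10:02:45 srv01 sshd[1231]: Accepted password for jdoe from 192.168.10.25 port 40002 ssh2
Mar  3 10:04:10 srv01 useradd[1300]: new user: name=svc-backup2, UID=1007, GID=1007, home=/home/svc-backup2, shell=/bin/bash
Mar  3 10:04:12 srv01 usermod[1301]: add 'svc-backup2' to group 'sudo'
Mar  3 10:05:00 srv01 sshd[1340]: Accepted publickey for svc-backup2 from 198.51.100.44 port 60000 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
FAILED_RE = re.compile(r"^sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"^sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
NEW_USER_RE = re.compile(r"^useradd\[\d+\]: new user: name=([^,]+)")
GROUP_RE = re.compile(r"^usermod\[\d+\]: add '([^']+)' to group '([^']+)'")

# Assumed tuning for a small company: 5 failures per source within 10 minutes.
FAIL_THRESHOLD = 5
FAIL_WINDOW_SECONDS = 600
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
# Assumed office and VPN ranges; a successful login from anywhere else is notable.
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]


def from_known_network(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def detect(log_text: str):
    """Return a list of (alert_kind, detail) tuples in the order they fire."""
    alerts = []
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    already_flagged = set()        # one brute-force alert per source, not per line
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog has no year
        host, msg = m.group(2), m.group(3)
        if (f := FAILED_RE.match(msg)):
            user, ip = f.groups()
            recent = failures[ip]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > FAIL_WINDOW_SECONDS:
                recent.popleft()  # slide the window forward
            if len(recent) >= FAIL_THRESHOLD and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(("brute_force",
                               f"{host}: {len(recent)} failed logins from {ip} within "
                               f"{FAIL_WINDOW_SECONDS}s (last user tried: {user})"))
        elif (a := ACCEPTED_RE.match(msg)):
            user, ip = a.groups()
            if not from_known_network(ip):
                alerts.append(("external_login", f"{host}: {user} logged in from {ip}, outside known networks"))
        elif (n := NEW_USER_RE.match(msg)):
            alerts.append(("account_created", f"{host}: new account {n.group(1)}"))
        elif (g := GROUP_RE.match(msg)) and g.group(2) in ADMIN_GROUPS:
            alerts.append(("admin_group_add", f"{host}: {g.group(1)} added to admin group {g.group(2)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Note what the sample shows: jdoe's single typo from an office address never reaches the threshold, while the sequence "new account, added to sudo, first login from an unknown address" produces three separate alerts within a minute. Any of the tools listed above can express these rules natively; the value is in deciding what must page someone before the incident, not in the tool.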
10. Documented incident response plan
When something serious happens, you don't improvise. Have written:
- Who decides what (manager, tech, lawyer, comms).
- Immediate containment steps (disconnect from network, DO NOT power off — preserve evidence).
- Who to notify (internal + external: regulators if personal data, police cybercrime unit, vendors, clients).
- Clean-backup restoration procedure.
- Post-incident lessons learned.
The plan gets tested annually with a drill. Without practice, in the real moment nobody remembers where anything is.
Summary: 10 controls ordered by impact
| # | Control | Cost | Risk impact |
|---|---|---|---|
| 1 | MFA everywhere | Near zero | Very high |
| 2 | Password manager | Low | Very high |
| 3 | Patches up to date | Zero (time) | Very high |
| 4 | VLAN segmentation | Low (hardware) | High |
| 5 | Least-privilege | Zero (config) | High |
| 6 | 3-2-1 immutable backups | Medium | Very high |
| 7 | EDR / modern antivirus | Medium | High |
| 8 | User training | Low | Very high |
| 9 | Logging and monitoring | Medium | Medium (high for forensics) |
| 10 | Documented response plan | Low (consulting) | High (when needed) |
What WON'T save you
- The most expensive antivirus, alone. Without MFA, patches and backup, you'll get compromised anyway.
- The "next-gen" firewall from the quote. If misconfigured and never updated, it's decoration.
- "We're in [small country], nobody wants to attack us". Attacks are automated; they don't pick countries, they pick exposed IPs.
- The "ISO 27001 certified" badge without real operation behind it. The certificate is paper; what protects you is the practice behind it.
IT security isn't a product, it's a process. Implementing these 10 controls well for a typical 20-50 person SMB costs between US$ 500-2,000 upfront and US$ 75-200/month. Much less than the cost of ONE serious incident.
Where to start at your company?
If you want a no-commitment security assessment — what you have right, what's missing, what to prioritize — reach out and we'll schedule the review. I write a report with priority-ranked recommendations and realistic cost for your size.