The security basics that prevent most incidents
Security spending tends to chase sophistication — the threat-hunting platform, the managed detection service, the latest acronym. Yet most incidents that actually happen to ordinary organisations are not sophisticated. They exploit the absence of basic controls. The unglamorous work is where the protection is.
Multi-factor authentication, everywhere
A stolen password is only useful if it is the only thing standing in the way. MFA on every account that touches company data removes the single most common path in. It is the highest-return security control there is, and it is largely free.
Least privilege by default
Most people have access to far more than their role requires, accumulated over years. Every excess permission is a door that does not need to be open. Access should be granted for a reason and removed when the reason ends — especially when someone leaves.
Patching as a routine
The vulnerabilities used in real attacks are usually known and already fixed by the vendor. The exposure is the gap between the fix existing and it being applied. Keeping systems current is dull, continuous work, and it closes most of the window.
Backups you have actually tested
A backup you have never restored from is a hope, not a control. Test restores on a schedule, keep at least one copy out of reach of an attacker who gets in, and know how long recovery actually takes.
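A restore drill along these lines, as an added example that is not part of the original article: it restores an archive into a scratch directory, checks every file against SHA-256 hashes recorded at backup time, and times the restore. The tar.gz format, function names, file names and sample data are assumptions constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

def sha256_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tar:
        for rel in sha256_manifest(src):
            tar.add(src / rel, arcname=rel)

def restore_drill(archive: Path, expected: dict, scratch: Path) -> dict:
    """Restore into scratch, compare with the backup-time manifest, time it."""
    scratch.mkdir(parents=True, exist_ok=True)
    # Use the safe "data" extraction filter where this Python provides it.
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    start = time.monotonic()
    with tarfile.open(archive) as tar:
        tar.extractall(scratch, **opts)
    seconds = time.monotonic() - start
    restored = sha256_manifest(scratch)
    missing = sorted(set(expected) - set(restored))
    corrupt = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"ok": not missing and not corrupt, "missing": missing,
            "corrupt": corrupt, "seconds": seconds}

def demo() -> tuple:
    """Constructed sample data: a good backup and one that silently degraded."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "staff.txt").write_text("alice\nbob\n")
        expected = sha256_manifest(src)  # recorded when the backup is taken
        make_backup(src, tmp / "good.tar.gz")
        # Simulate an archive that no longer matches: lost and truncated files.
        (src / "staff.txt").unlink()
        (src / "finance" / "ledger.csv").write_text("id,amount\n")
        make_backup(src, tmp / "bad.tar.gz")
        return (restore_drill(tmp / "good.tar.gz", expected, tmp / "r1"),
                restore_drill(tmp / "bad.tar.gz", expected, tmp / "r2"))

if __name__ == "__main__":
    print(demo())
```

The second result is the case a never-restored backup hides: the archive exists and extracts cleanly, yet one file is missing and another no longer matches its recorded hash.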
Know what you have
You cannot protect an estate you cannot see. An accurate, current inventory of devices, accounts and data is the foundation every other control sits on.
None of this is exciting. All of it works. Get the basics right, consistently, and you remove the ground beneath the large majority of incidents — before spending a penny on anything advanced.