Threat actors are faster, cloud-heavy, and automated. Here is a focused, vendor-neutral checklist we implement for clients in Ghana and the UK.
1) Build on Zero Trust Basics
- Enforce MFA on VPN, email, admin panels, and RDP. SMS is last resort; prefer app-based or hardware keys.
- Segment networks: isolate finance, guest Wi-Fi, and OT/IoT on separate VLANs with ACLs.
- Least-privilege for admins; rotate credentials quarterly and log all privileged actions.
2) Patch with a 15/30 Rhythm
- 15-day SLA for internet-facing systems; 30-day for internal servers and endpoints.
- Automate patch health reports; quarantine machines older than 30 days.
- Watch vendor advisories for Fortinet, Cisco, Microsoft, and Sophos weekly.
3) Backups that Actually Recover
- 3-2-1 rule: 3 copies, 2 media types, 1 offsite/offline (immutable where possible).
- Test restores monthly for critical apps; log RTO/RPO results.
- Encrypt backups in transit and at rest; restrict console access with MFA.
4) Email & Identity Controls
- Enable SPF/DKIM/DMARC for all domains to cut spoofing.
- Condition access: block legacy auth, require compliant devices for admin roles.
- Train staff quarterly with phishing simulations; track click rates.
5) Vendor & Edge Hardening
- Change defaults on routers, firewalls, CCTV, and UPS out of the box.
- Disable unused management services (Telnet, HTTP) and force HTTPS/SSH.
- Export and review firewall change logs weekly; enable geo-blocking where practical.
Quick Wins This Quarter
- Turn on MFA for email, VPN, and admin consoles.
- Segment guest Wi-Fi from production and disable peer-to-peer.
- Run a restore test and document RTO/RPO.
- Patch edge devices and close unused ports exposed to the internet.
Need a fast security posture review?
We benchmark your controls against CIS and vendor best practices, prioritize fixes, and implement them with minimal downtime.
Book a 30-min consult