Top 20 / In priority order

  1. Back up all data, with offsite and redundant backups where possible
  2. Security Updates for known vulnerabilities
  3. Business grade firewall under subscription
  4. Next Gen Advanced Endpoint protection
  5. MFA for email access
  6. Control and Protect Physical access to computers/data
  7. Secure Wi-Fi networks
  8. Advanced email threat and Phishing Protection
  9. Evaluate, audit, monitor and control any employee remote access to data/systems, and require MFA for it
  10. Train employees in security principles - Phishing Simulations
  11. Asset reporting and controls for hardware and software
  12. Implement Role-Based Access Control (RBAC)
  13. Control cloud file sharing
  14. Encrypt sensitive data: communications, email, and devices that leave the office
  15. Written policies and procedures
  16. Some form of logging, monitoring and alerting (SIEM/SOC)
  17. Workstation permissions lock down - no local admin rights for employees
  18. Host-based threat monitoring
  19. Internal and External Vulnerability scanning
  20. Mobile Device Management and Conditional Access to data