Security essentials

The Layer-1 Security Checklist

The essential first layer of security every company and business needs, even a mid-size or small one. Drawn from recognized baselines (CIS Controls, Essential Eight) and the latest 2026 threat reports, these are the basics you need to take seriously.

Prefer to skip ahead? Leave your email or WhatsApp number and we'll set up a quick call to go through this with you.

We use your details only to reply, never for marketing. Privacy Policy

Layer 1: the 9 essential checks

  1. 1
    Identities + strong MFA
    Turn on multi-factor authentication everywhere, and prefer passkeys where you can. Identity is the #1 way attackers get in.
  2. 2
    Email protection
    Defend against phishing and AI-generated impersonation. The most common first step of an attack.
  3. 3
    Close internet exposures
    Don't leave servers, admin panels or forgotten services open to the internet. Put public sites and apps behind a CDN/WAF with DDoS protection, such as Cloudflare.
  4. 4
    Secure APIs & remote access
    Check tokens, exposed endpoints, and remote-access services that face outside.
  5. 5
    Patch systems, apps & dependencies
    Keep operating systems, applications and third-party code current. Unpatched software is a top path into a business.
  6. 6
    Endpoint & device protection
    Anti-malware, disk encryption and auto-lock on every laptop and phone. A lost or infected device shouldn't become a breach.
  7. 7
    Backups + tested recovery
    A backup you've never restored isn't a backup. Test that recovery actually works.
  8. 8
    Least-privilege permissions
    Give users and admins only the access they need. Nothing more.
  9. 9
    Team awareness
    One click is all it takes. A short, practical staff briefing pays for itself.

Aligned with recognized baselines (CIS Controls, ASD Essential Eight, UK Cyber Essentials) and 2026 threat reports from Microsoft, IBM, CrowdStrike and Radware.

The basics reduce many common risks. Not all of them.

We help with both: closing these basics properly, and taking it deeper when you need to. Once the fundamentals are covered, there is a layer these checks do not reach: design flaws, business-logic gaps, chained vulnerabilities, or whether a control actually holds under a real attacker. That only surfaces with secure code review, threat modeling and periodic penetration testing, the layer we specialize in.

Want a second opinion on where you stand?

Leave a way to reach you and we'll set up a short call to go through it together.

Leave your details
So we can set up a quick call

We use your details only to reply, never for marketing. Privacy Policy

Connect on LinkedIn
linkedin.com/company/amifirm