Security essentials
The Layer-1 Security Checklist
The essential first layer of security every company and business needs, even a mid-size or small one. Drawn from recognized baselines (CIS Controls, Essential Eight) and the latest 2026 threat reports, these are the basics you need to take seriously.
Prefer to skip ahead? Leave your email or WhatsApp number and we'll set up a quick call to go through this with you.
Layer 1: the 9 essential checks
- 1Identities + strong MFATurn on multi-factor authentication everywhere, and prefer passkeys where you can. Identity is the #1 way attackers get in.
- 2Email protectionDefend against phishing and AI-generated impersonation. The most common first step of an attack.
- 3Close internet exposuresDon't leave servers, admin panels or forgotten services open to the internet. Put public sites and apps behind a CDN/WAF with DDoS protection, such as Cloudflare.
- 4Secure APIs & remote accessCheck tokens, exposed endpoints, and remote-access services that face outside.
- 5Patch systems, apps & dependenciesKeep operating systems, applications and third-party code current. Unpatched software is a top path into a business.
- 6Endpoint & device protectionAnti-malware, disk encryption and auto-lock on every laptop and phone. A lost or infected device shouldn't become a breach.
- 7Backups + tested recoveryA backup you've never restored isn't a backup. Test that recovery actually works.
- 8Least-privilege permissionsGive users and admins only the access they need. Nothing more.
- 9Team awarenessOne click is all it takes. A short, practical staff briefing pays for itself.
Aligned with recognized baselines (CIS Controls, ASD Essential Eight, UK Cyber Essentials) and 2026 threat reports from Microsoft, IBM, CrowdStrike and Radware.
The basics reduce many common risks. Not all of them.
We help with both: closing these basics properly, and taking it deeper when you need to. Once the fundamentals are covered, there is a layer these checks do not reach: design flaws, business-logic gaps, chained vulnerabilities, or whether a control actually holds under a real attacker. That only surfaces with secure code review, threat modeling and periodic penetration testing, the layer we specialize in.
Want a second opinion on where you stand?
Leave a way to reach you and we'll set up a short call to go through it together.