According to a 2024 Sophos report, hackers continue to evolve their tactics in scary ways. For example:
- Cybercriminals are taking more advantage of unpatched vulnerabilities as an entry point for attack.
- Cybercriminals are spending less time inside a network and conducting their attacks more quickly, decreasing their “dwell time”—along with the likelihood you will detect them before they attack.
- Hackers are getting better at subverting legitimate IT tools (such as Remote Desktop Protocol and PowerShell) to conduct attacks.
As a result of these evolving tactics, the foundational security protections that businesses need to defend against cybercriminals have shifted.
To have a fighting chance, you need a layered cybersecurity strategy—one that proactively protects you from cyberattacks, detects cyberattackers if they breach your systems, and allows you to respond and recover effectively from a cyberattack or breach.
If you’re not a technology specialist, understanding if you’ve got the right layers might be hard. You might even have a gut feeling that what you’re doing right now isn’t enough. So, we’re here to help.
Here are 18 foundational cybersecurity measures that small and midsize businesses need in 2025 to protect against today’s (and future) threats.
Cybersecurity Basics For a Strong Foundation
- Password Policies and Multi-Factor Authentication
- Security Awareness Training
- Antispam
- Patch Management
- Change Control
- Web Filtering
- Firewall Management
- Encryption
- Data Loss Prevention (DLP)
- Annual Internal and External Vulnerability Scans
- Endpoint Detection and Response (EDR)
- Dark Web Monitoring
- Managed Detection and Response (MDR)
- Security Information and Event Management (SIEM)
- Data Backup and Disaster Recovery
- Incident Response
- Offsite Log Retention
- Cyber Liability Insurance
LAYER 1: PROTECT
1. Password Policies and Multi-Factor Authentication
According to Verizon’s 2024 Data Breach Investigations Report, about 80 percent of breaches due to hacking involve stolen, lost, or weak passwords. This is mainly because most businesses do not enforce password policies.
A password policy is a specific set of rules that enforces the use of strong passwords. For instance, a password should not be obvious or based on easily found personal information such as birthdays or anniversaries. In addition, strong passwords should consist of a combination of upper- and lower-case letters, symbols, and numbers.
Multi-factor authentication (MFA) has become the standard way of securing the login process. MFA requires an individual to take an additional step to verify their identity when logging into an account. It works because it is highly unlikely that a hacker would have both the correct password and the means to complete the next step, such as entering an MFA code received on the employee’s mobile device.
MFA is so important that Microsoft now enforces conditional access policies that set the criteria for how employees are allowed to log into your network. Their MFA policies are applied to administrative portals, individual users, and high-risk sign-ins (such as an employee logging in from a new device for the first time).
2. Security Awareness Training
Any IT security professional will tell you that the weakest link in a company’s security is its employees. Hackers use social engineering techniques and phishing to exploit unsuspecting employees, extract sensitive information, and access computers and networks.
To counter such tactics, ongoing employee security awareness training programs formally educate employees who have access to your network about cybersecurity best practices, common security threats, methods cyberattackers use to coax them into allowing a security breach, and ways to actively spot clues that indicate threats.
For best results, security awareness training needs to be a continuous process, included when onboarding new employees and repeated periodically to keep all employees up to date on the latest cybersecurity trends. As a manager, you can use the program’s reporting tools to get high-level and granular views of employee risk points, giving you the information you need to provide additional training for specific employees.
3. Antispam
Antispam tools prevent fraudulent email messages from entering your inbox. Spam emails can appear to come from reputable people or organizations, such as an executive at your company or a well-known business like UPS or Amazon. Through social engineering, these messages entice people to click on a link or open an attachment that can download a malware payload or steal user credentials.
With modern antispam software, you can customize settings according to your needs—allowing you to approve any emails erroneously flagged as spam. You also have the option of creating a personal whitelist, allowing specific senders to send you emails and bypass spam filters.
4. Patch Management
Patch management refers to routine software maintenance that closes security vulnerabilities and fixes bugs. Software and application vendors regularly release patches and updates as bugs and vulnerabilities are discovered. Updates can also include software performance improvements, enhancements, and new features.
Cybercriminals actively look for devices and applications running unpatched or out-of-support software so that they can exploit known vulnerabilities. This includes your operating systems and any software that you’re using on your servers, workstations, laptops, and connected devices.
Your IT team should be reviewing, testing, and deploying patches on an ongoing basis.
5. Change Control
Change control policies and procedures are used to manage and regulate changes within your organization’s IT environment. These policies ensure that any alterations to your IT infrastructure, software, hardware, or processes are introduced in a controlled and systematic manner, minimizing risks and ensuring stability and continuity.
These policies require that you understand the repercussions of all changes made to your security equipment and applications. Ask yourself:
- Who has access to your equipment and applications?
- What changes can they make?
- Are there processes in place to ensure that only authorized personnel can make critical changes?
You should only give access necessary for each job function. Many times, a breach could have been prevented simply by limiting access to important equipment and applications. This applies to internal financial controls as well.
6. Web Filtering
When employees browse the internet, it’s easy to make a mistake and access a malicious website. With so many dangers on the internet, employees can inadvertently download harmful software or fall victim to phishing scams, which can compromise sensitive data and disrupt business operations.
Examples include:
- Typing in the wrong URL to a well-known website.
- Clicking on a malicious search engine result that looks correct.
- Accessing websites that employees really shouldn’t access during work hours.
Web filtering tools block access to malicious or inappropriate websites, preventing users from accessing harmful content and helping to enforce acceptable use policies. These tools can also increase overall productivity by minimizing distractions and time spent on social media, streaming services, and other non-essential websites.
7. Firewall Management
Firewalls are the primary barrier between your sensitive data and cybercriminals. A firewall examines all incoming and outgoing traffic on your network. It controls this traffic by following sets of rules that determine what is allowed and not allowed—or trusted and not trusted.
Firewalls need active management to ensure that there aren’t any vulnerabilities that cyberattackers can exploit. This includes proper configuration, testing, and regular updates. Employees working from home should also have firewalls on their home network.
8. Encryption
Encryption ensures that sensitive data such as financial records and proprietary information remains confidential. Only authorized parties with the decryption key can access the data, protecting it from unauthorized access.
In the event of a data breach, encrypted data becomes less valuable to cybercriminals because it cannot be easily read or used without the decryption key. This reduces your potential damage from breaches. Encrypting communications, such as emails and instant messages, also ensures that sensitive information remains private and secure, even if intercepted during transmission.
For example, Microsoft 365 is one of the most convenient productivity suites that businesses use. However, because it is hosted online it is an attractive target for attackers, and this is where Microsoft 365 email encryption helps. The tool offers various encryption options you can use to protect emails sent in Microsoft 365. You can also encrypt any sensitive information you need to send so that only the intended recipient can decrypt it.
9. Data Loss Prevention
Unauthorized people can steal, delete, and corrupt sensitive data. Think about all the different ways data can leave your organization. How would you know if someone accessed critical data they shouldn’t have? And would you know what they did with it?
DLP helps protect sensitive information from unauthorized access, ensuring that confidential data such as customer records, financial details, and intellectual property are not exposed or stolen. DLP tools monitor for unauthorized or suspicious access to data, identifying and preventing unauthorized or accidental data leaks. This proactive approach significantly reduces your risk of data breaches. You may need this tool for compliance.
LAYER 2: DETECT
10. Annual Internal and External Vulnerability Scans
Vulnerability scanning is the process of actively searching for network security issues. Unlike a full penetration test where an ethical hacker manually tries to exploit your vulnerabilities, a vulnerability scan is a tool that scans the surface of your network to uncover weaknesses—resulting in a risk score based on the types of vulnerabilities it finds.
This scan should be conducted annually, at a minimum. While more frequent scanning is preferable, annual scanning for internal and external vulnerabilities will help you set a baseline for your security posture and show progress on your risk profile over time.
A not-so-fun fact about vulnerability scanning: attackers can use these same tools to find external weaknesses on their victims’ networks. That’s why running these scans regularly and remediating any issues they discover is critical.
11. Endpoint Detection and Response (EDR)
EDR has replaced antivirus software as a baseline standard. Cyberattackers often bypass traditional security measures by using stolen credentials, hijacking legitimate IT programs, and remaining undetected for long periods of time within an organization’s network. Antivirus doesn’t have the ability to effectively detect threats from cyberattackers that use such methods. Without EDR, threats such as zero-day exploits, ransomware, fileless malware, and anomalous behavior can go undetected.
Think of EDR as the new antivirus—essential and usually required if you want cyber insurance. It’s powered by Artificial Intelligence (AI) that studies your network, detects and stops activity based on anomalous behavior, and sends you an alert when something looks suspicious. If you’re only defending against known threats, you’ll always be behind.
For example, if a threat is found on your computer, an EDR tool can cut your computer off from your organization’s network—preventing further spread of a dangerous virus. The tool focuses on “endpoint devices”—a fancy name for a specific server or computer. It can be deployed, run in an automated fashion, and enhance the level of security protection for an organization at a low cost—ensuring that even the most elusive and sophisticated threats are identified before they can cause significant damage.
EDR should be deployed on all devices connected to your network, from workstations and laptops to tablets and Internet of Things (IoT) devices.
12. Dark Web Monitoring
Dark web monitoring is often used to help businesses detect if their sensitive data, such as customer information, employee details, financial records, or intellectual property, has been compromised and is being sold or shared on the dark web. As a cybersecurity best practice, it’s important that IT professionals monitor the dark web in case account credentials (such as administrative passwords) appear on the black market.
Awareness that compromised data exists on the dark web allows you to proactively change compromised passwords, disable unused accounts, and implement proactive measures. Early detection allows for a quicker response to mitigate damage.
13. Managed Detection and Response (MDR)
When you hear about MDR, it’s usually describing the 24/7 work of a security team actively monitoring IT systems for threats. It’s a strategy where a security team proactively looks for cyberthreats across your servers, computers, and entire IT network—specifically looking for threats that may have already gotten inside your systems by watching for behavior and activity that looks suspicious. Once you identify a possible threat, you can take action.
14. Security Information and Event Management (SIEM)
SIEM identifies the most important and critical security alerts received from different systems, collects log files from different sources (servers, firewalls, VPN, email, cloud services, EDR, etc.), and identifies anomalies such as a user logging in from another country. By collecting and analyzing security data from various sources to detect and respond to threats, SIEM provides real-time analysis of security alerts and incidents.
As security logs are created, the SIEM can send out automated alerts when something looks suspicious. For example, a login attempt from an unexpected geographical location could mean a hacker is trying to brute-force a password. Another example is excessive use of computing power, signaling that the computer may have been commandeered into a botnet.
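To make the SIEM idea concrete, here is an added example (not the article's or VC3's code, and not a real SIEM product) that runs two of the detections described above over constructed sample log lines: a user successfully signing in from a country never seen before for that account, and a burst of failed logins from one source address within a short window. The log format, field names, the five-failure threshold and the ten-minute window are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, not from any real system).
SAMPLE_LOGS = """\
2025-03-04T09:00:01Z user=alice src=203.0.113.7 country=US result=success
2025-03-04T09:05:10Z user=bob src=198.51.100.4 country=US result=success
2025-03-04T10:00:00Z user=alice src=192.0.2.9 country=RO result=success
2025-03-04T10:01:00Z user=bob src=192.0.2.50 country=BR result=failure
2025-03-04T10:01:20Z user=bob src=192.0.2.50 country=BR result=failure
2025-03-04T10:01:40Z user=bob src=192.0.2.50 country=BR result=failure
2025-03-04T10:02:00Z user=bob src=192.0.2.50 country=BR result=failure
2025-03-04T10:02:20Z user=bob src=192.0.2.50 country=BR result=failure
2025-03-04T10:02:40Z user=bob src=192.0.2.50 country=BR result=failure
"""

# Assumed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse(line):
    """Turn one log line into a dict, or None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def analyze(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts produced while streaming through the log lines in order."""
    known_countries = defaultdict(set)   # user -> countries seen on successful logins
    failures = defaultdict(deque)        # source address -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue
        if event["result"] == "success":
            seen = known_countries[event["user"]]
            # First success builds the baseline; a later success elsewhere is the anomaly.
            if seen and event["country"] not in seen:
                alerts.append({
                    "type": "new_country", "user": event["user"],
                    "country": event["country"], "src": event["src"],
                    "at": event["ts"].isoformat(),
                })
            seen.add(event["country"])
        else:
            recent = failures[event["src"]]
            recent.append(event["ts"])
            # Slide the window: forget failures older than `window` before this one.
            while recent and event["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) == fail_threshold:   # fire once when the threshold is crossed
                alerts.append({
                    "type": "brute_force", "src": event["src"],
                    "user": event["user"], "count": len(recent),
                    "at": event["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

A real SIEM adds a learning period before the "new country" rule fires and enriches the alert with geolocation and asset data, but the structure is the same: keep a small amount of state per user or per source, and raise an alert when a new event breaks the baseline.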
LAYER 3: RESPOND (AND RECOVER)
15. Data Backup and Disaster Recovery
If hackers manage to penetrate your security perimeter and processes, you need to have a contingency plan. Data backup and disaster recovery is an essential component of your response that affects your ability to recover after a cyberattack. It’s now also a basic requirement for cyber insurance.
A data backup and disaster recovery plan requires:
- Onsite and offsite backups
- Backups located separate from places where employees typically access data and files for day-to-day work
- Immutable backups that remain unchanged and cannot be tampered with, either accidentally or maliciously
- Periodic testing to ensure your backups work
- Monitoring for issues
Base your backup plan on what data you need to resume operations and how long you can afford to be down. These are known as your recovery point and recovery time objectives.
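Two items on the list above, immutable backups and periodic testing, can be checked with a small integrity manifest. The block below is an added example, not code from the article or from VC3: it records a SHA-256 digest for every file in a backup copy, then later compares the copy against that manifest to report files that went missing, were altered, or were added. The directory layout and file contents are constructed for the demo, and the manifest is meant to be stored separately from the backup itself (an assumption of the design, not something the article specifies).

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, forward slashes) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the backup copy at root against the manifest taken when it was written."""
    current = build_manifest(root)
    return {
        "missing": sorted(p for p in manifest if p not in current),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: a clean check, then the same backup after tampering."""
    with tempfile.TemporaryDirectory() as backup:
        os.makedirs(os.path.join(backup, "data"))
        with open(os.path.join(backup, "data", "accounts.csv"), "w") as f:
            f.write("id,name\n1,alice\n")
        with open(os.path.join(backup, "notes.txt"), "w") as f:
            f.write("quarterly notes\n")

        # The manifest would be written to a separate, write-once location;
        # here it just round-trips through JSON to show it is plain data.
        stored = json.dumps(build_manifest(backup))
        manifest = json.loads(stored)
        clean = verify_backup(backup, manifest)

        # Simulate what ransomware or an accident does to a mutable backup.
        with open(os.path.join(backup, "data", "accounts.csv"), "a") as f:
            f.write("2,mallory\n")
        os.remove(os.path.join(backup, "notes.txt"))
        tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean check:", before)
    print("after tampering:", after)
```

Run this kind of check on a schedule against each backup copy; a manifest that never changes while the "modified" list stays empty is the evidence that the copy really is immutable, and a scheduled restore of a sample of files completes the test.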
16. Incident Response
An absence of a well-defined incident response plan can result in chaotic and inefficient responses to cyber threats, prolonging downtime and increasing the impact of attacks. Create a detailed incident response plan (or refine your current plan) by outlining the steps you must take in the event of a security breach.
An incident response plan covers:
- How you will respond to a cyber incident
- Who will respond
- Planning and testing your plan long before an incident happens
Conduct regular drills to ensure that staff are familiar with the incident response procedures and can act quickly in an emergency. Developing a plan detailing how you will respond to a cyberattack helps you react to an incident with “muscle memory”—like a fire drill.
17. Offsite Log Retention
Your Windows operating system can keep a record of the activity that takes place on your computer (its event logs). Network administrators use some of this information to monitor and tune performance, while other entries are related to security.
Logs are essential evidence in a cyber incident. Without this data, you will be unable to analyze the full nature of a cyberattack, determine its source, and remediate effectively. You need logging to see how your data has been affected and whether critical data has been exfiltrated.
18. Cyber Liability Insurance
You’re probably thinking, “If I’ve implemented all of the appropriate security measures to protect my data, do I need cyber liability insurance?” Fair question. Our advice is: yes.
Cybercrime is on the rise, and we’re fighting an uphill battle. Bad actors are constantly developing new ways to break into your systems. You don’t want one unintentional click to be the reason why you’re out hundreds of thousands of dollars or, worse, out of business.
When you need it, you’ll be thankful to have cyber liability insurance available to cover remediation costs, reputation management costs, potential ransom payments, legal fees, and the many other costs you may encounter in the wake of a cyberattack.
Strategically Combine Layers for Best Cybersecurity
While this article describes many cybersecurity tactics, the way they’re combined makes a big difference in their effectiveness. You can’t just cobble together a bunch of tools and hope for the best. You get your best protection when experts are at the helm, determining which technology tools will create a strong defense and supporting them with non-technical policies that guide employee behavior.
--
It can be challenging for a small IT support team to manage cybersecurity for businesses. Cybersecurity is a specialized expertise that’s different from traditional IT management.
VC3 is an MSSP and managed IT service provider. We partner with companies to create a security strategy that meets evolving cyber risks. Contact us and we’ll get you the information you need to evaluate your current security measures properly.