The 8 Things Security Experts Say You Should Do This Week

ENISA just published a 73-page playbook on SME cybersecurity (still a draft; see the ENISA playbook). It's thorough… but let's be real: who actually reads the whole thing? And I always fall for that kind of literature.

The Security Brutalist (of whom I'm a huge fan; check him out at securitybrutalist.com) boiled it all down to 8 things. These aren't complicated. They're just not fun. That's why people skip them.

The 8 Things

1. Patch like a maniac. Critical vulns within days, not months. If it’s internet-facing and unpatched, treat it like it’s already compromised.

2. MFA everywhere. No exceptions: email, VPN, admin portals… If it can support MFA, it must have it. If it can’t, isolate it.

3. Kill local admin rights. Your executives don't need admin rights to open PowerPoint, but malware loves that kind of privilege.

4. Log like you mean it. If it’s not logged, it didn’t happen. Build your detections like you’re under attack right now.

5. Backup like a paranoid historian. Regular, encrypted, tested backups. Test restores quarterly. If it hasn't been tested, it's not a backup; it's a liability.

6. Least privilege everywhere. Design access like you distrust everyone. Because you should.

7. Training that doesn’t suck. Ditch the click-through eLearning. Do live demos. Show real consequences.

8. Inventory or die. You can’t secure what you don’t know exists. Surprises are where breaches begin.

The Catch

Doing these 8 things won’t prevent a crisis. They’ll just give you (much) better tools when it hits.

What they won’t give you is the ability to make decisions under pressure. That’s a different muscle.

You can have perfect patching and still face a crisis where your team freezes. You can have flawless MFA and still need to decide: do we pay the ransom? Who makes that call? What do we tell the board?

These are human decisions. No tool can practice them for you.

Where to Start

Pick one. Just one.

If you’re not sure which, start with number 7. The humans are always the variable. Train them right, and they’ll handle the rest.

Or, if you want to find out how your team actually makes decisions under pressure, that’s what we do. We run crisis simulation games that test the human part that tools can’t touch.

Which one are you working on this week?

CrisisGames. Kaos approved.