Cybersecurity 14 January 2026 5 min read

The Cybersecurity Basics Too Many Organisations Still Skip

Runyi Kevin Founder/CEO, NKompass

Advanced threat detection is irrelevant if the fundamentals are not in place. This piece covers the security controls that protect the majority of organisations from the majority of threats.

The cybersecurity conversation in most organisations focuses on sophisticated threats — advanced persistent threats, zero-day exploits, nation-state actors. These are real, but they are not what most organisations need to defend against first. The majority of successful attacks exploit basic, preventable vulnerabilities.

Multi-factor authentication

A significant proportion of successful account compromises could have been prevented by multi-factor authentication. Email accounts, administrative systems, and remote access tools that rely on passwords alone are exposed. MFA implementation is low-cost, operationally straightforward, and eliminates one of the most common attack vectors entirely.

Patching

Unpatched software is responsible for a disproportionate share of successful intrusions. The challenge is not technical — patches exist for most known vulnerabilities within days. The challenge is operational: organisations do not have a structured patching schedule, and updates accumulate until they become a project rather than a routine. A monthly patching cadence applied consistently eliminates most of the exposure that unpatched systems create.

Access control

Many organisations operate with significantly more permissive access controls than their policies require. Employees have administrative rights they do not need. Former staff retain active credentials. Vendors have persistent access to systems they no longer support. A structured access review — conducted annually at minimum — reduces the attack surface without affecting operations.
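The three findings named above (administrative rights that are not needed, former staff with active credentials, vendors with lingering access) can be checked mechanically during an access review. The sketch below is an added example, not part of the original article; the CSV columns, the roster, the role names and the use of a contract end date as the signal that a vendor no longer supports a system are all constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the article): an account export,
# an HR roster of current staff, and vendor contract end dates.
ACCOUNTS_CSV = """username,owner_type,owner_id,is_admin,enabled
a.okafor,employee,E100,true,true
b.eze,employee,E101,true,true
c.bello,employee,E102,false,true
d.musa,employee,E103,false,false
svc-acme,vendor,V01,false,true
svc-zenit,vendor,V02,true,true
"""
ROSTER = {"E100": "IT administrator", "E101": "Accountant"}  # current staff -> role
ADMIN_ROLES = {"IT administrator"}  # assumption: roles that justify admin rights
VENDOR_CONTRACT_END = {"V01": date(2025, 6, 30), "V02": date(2026, 12, 31)}


def review_access(accounts_csv, roster, admin_roles, contract_end, today):
    """Return (username, finding) pairs for every enabled account that fails review."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        if row["enabled"] != "true":
            continue  # disabled accounts grant no access
        user, owner = row["username"], row["owner_id"]
        if row["owner_type"] == "employee":
            if owner not in roster:
                findings.append((user, "former staff, credentials still active"))
            elif row["is_admin"] == "true" and roster[owner] not in admin_roles:
                findings.append((user, "admin rights not required by role"))
        elif row["owner_type"] == "vendor":
            end = contract_end.get(owner)  # None means no contract on record
            if end is None or end < today:
                findings.append((user, "vendor access without a current contract"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS_CSV, ROSTER, ADMIN_ROLES,
                                       VENDOR_CONTRACT_END, date(2026, 1, 14)):
        print(f"{user}: {finding}")
```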

Backup integrity

Ransomware attacks are only effective if the target cannot restore from backup. Most organisations that pay ransom do so because their backup systems were not functioning, were not current, or were encrypted alongside the primary systems. Backups that are isolated from the primary network, tested quarterly, and stored in at least two locations eliminate ransomware as an existential risk.

None of these controls are complex. They are all well-established, cost-effective, and implementable without specialist expertise if the process is disciplined. The organisations that get compromised most frequently are not the ones facing the most sophisticated attackers — they are the ones that have not implemented the basics.
