The 10 Most Critical IT Security Protections

Every Business Must Have in Place Now to Protect Themselves from Cybercrime, Data Breaches, and Hacker Attacks

Larry Burbano

Larry Burbano has more than 20 years of experience as an information technology (IT) expert. He is the founder and CEO of GRS Technology Solutions, an IT consulting and cybersecurity firm that has been supporting small and medium-sized businesses in the Washington, DC, area since 2008. GRS provides high-end, enterprise-level managed IT solutions, including cybersecurity and compliance solutions, cloud services, IT management, help desk support services, and technology strategy. The company brings innovative security and compliance capabilities to the market and helps customers achieve business goals through cloud-based technologies aligned to cybersecurity best practices. He has consulted with more than 300 businesses of varying sizes and industries in the Washington, DC, region. For more information, visit or email

November 1, 2022

No industry is safe from cyberattacks, but sectors that are only recently transitioning to digital processes are especially vulnerable. Reports show that construction and contracting businesses were among the top industries to be hit by cybercrime in 2021.[1]

No matter the size of a business, anyone can be a target. To protect your company from cybercrime, it is important to implement strong cybersecurity measures, but they can only be effective if each one of your employees follows them.

Human error or ignorance is one of the top reasons data breaches occur, which is why educating your employees about cybersecurity best practices is crucial.

Here are the most important practices you and your employees need to know now.

1. Use Strong Passwords

Using strong passwords is among the simplest but most effective ways to boost your company’s cybersecurity. Research shows that 68% of Americans use the same password for multiple accounts,[2] making it easier for cybercriminals to access sensitive information.

You should use passwords that are eight characters or longer and contain a mix of letters, numbers, and symbols. It is best to avoid using personal information, such as your date of birth or your mother’s maiden name.

One good tip is that you can create a unique password by replacing some of the letters with symbols or numbers in a phrase or song lyric. For example, the phrase “I want to go to the beach” can become “1W4nt2g0t0th3b34ch!”
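The following Python function, added here as an illustration and not part of the original article, applies the rules from this section as a check that could run when an employee sets a new password. It also undoes the common letter-for-number substitutions before comparing against a list of frequently used passwords, because password-cracking wordlists reverse the same substitutions automatically. The blocklist and the personal-information values are constructed samples, not a real breach list.

```python
"""Password policy check for the rules in this section.

Added example, not the article's own code. COMMON_PASSWORDS is a
constructed stand-in for a real list of leaked passwords.
"""
import string

# Constructed sample; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "football"}

# Letter-for-number/symbol swaps that cracking wordlists undo automatically.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Undo common substitutions and keep only letters, e.g. 'P4ssw0rd!' -> 'password'."""
    swapped = password.translate(LEET_MAP).lower()
    return "".join(ch for ch in swapped if ch.isalpha())


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    personal_info holds values the user should not embed, such as a birth year
    or a family name (supplied by the caller; constructed in the demo below).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(ch.isalpha() for ch in password):
        problems.append("contains no letters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no numbers")
    if not any(ch in string.punctuation for ch in password):
        problems.append("contains no symbols")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("is a common password once substitutions are undone")
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # The article's own example passphrase passes; a disguised dictionary word does not.
    for candidate in ("1W4nt2g0t0th3b34ch!", "P4ssw0rd!", "Smith1985!"):
        result = check_password(candidate, personal_info=("Smith", "1985"))
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

The normalisation step is the part worth noticing: “P4ssw0rd!” satisfies every length and character-class rule yet is rejected, while the article’s full-phrase example passes because the underlying phrase is not a single dictionary word.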

2. Enable Two-Factor Authentication

Two-factor authentication (2FA) is an additional layer of security that requires users to provide two pieces of information before accessing an account. The first factor is typically something the user knows, like a password, and the second factor is something the user has, like a physical token or a code sent to their phone.

With 2FA in place, even if an attacker manages to guess or obtain a password, they will be unable to access the account without using the second factor. This makes it much more difficult for them to infiltrate sensitive data.

Most accounts, software, and applications offer the 2FA option, so make sure to enable it whenever possible.

3. Avoid Opening Questionable Emails and Links

Cybercriminals often gain access to company networks through “phishing” emails (described in more detail later in this article). These are messages that appear to come from a legitimate source, but they contain malicious links or attachments. Once an employee clicks on them, they can introduce malware into your system.

It is important to instruct employees not to open emails from unknown senders or those with suspicious subject lines. Be cautious before clicking on links or downloading any attachments unless you are sure they are safe.

A good habit to practice is to check the sender’s email address. If it is not one you recognize, you should NOT open it. You can also hover your cursor over any links to see where they lead before clicking on them. Additionally, if you found the email in your spam folder, chances are it is not safe.

4. Update Your Software

Another way to keep your company safe is to update your software regularly. Outdated software is one of the main reasons companies get hacked.

When new versions of programs are released, they usually come with security patches that fix any vulnerabilities in the previous version. If you do not update all the software you use, you are essentially leaving your system open for attack.

Take Zoom’s recent update for Mac, for example. The company warned Mac users to immediately update their Zoom software to prevent hackers from exploiting a bug that lets them take control of the whole operating system.[3]

5. Do Not Connect to Public Wi-Fi

Public Wi-Fi is one of the biggest cybersecurity threats out there. When you connect to a public network, you are putting your data at risk of being intercepted by hackers. This is because public Wi-Fi networks are usually unencrypted, meaning anyone can access them.

If you must use public Wi-Fi, avoid doing sensitive activities like online banking or accessing confidential company documents. If it is unavoidable, make sure you have a virtual private network (VPN) installed on your device. A VPN is a security tool that encrypts your data and hides your IP address, protecting your data from hackers.

You can get a VPN for free online, but it is worth investing in a paid one for the extra security features.

6. Back up Your Files

A crucial part of protecting your data is to back it up regularly. Backing up refers to making copies of your data and storing it in a safe place. If your system is ever compromised, you will have a copy of all your important files.

Canadian company Bird Construction fell victim to a ransomware attack in 2020.[4] Hackers locked 60 GB of data and demanded around 9 million in cryptocurrency in exchange. Such a breach could not only cause huge financial damages but also halt operations, as you would not be able to access important files for weeks.

Although backups will not prevent data breaches from happening, they can help you minimize the damage and resume operations as soon as possible.

You can back up your data in various ways, such as using an external hard drive or cloud storage service. Whatever method you choose, ensure that your backup files are stored in a secure location.
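A backup is only useful if the copy can be trusted at the moment you need it. The Python script below is an added illustration, not the article’s own procedure: it copies a folder, records a SHA-256 checksum of every file in a manifest, and later re-checks the copy against that manifest. The verification step is what tells you whether a backup has been silently altered, damaged, or encrypted before you depend on it. The file names and contents in the demo are constructed and written to a temporary folder.

```python
"""Make a file backup with a checksum manifest and verify it later.

Added example, not the article's own code. The demo builds a throwaway
folder with constructed files rather than touching real data.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, destination: Path) -> dict:
    """Copy every file under source into destination and write a checksum manifest.

    Returns {relative path: sha256} so the caller can keep a second copy of the
    manifest somewhere the backup location cannot reach.
    """
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        relative = path.relative_to(source).as_posix()
        target = destination / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps timestamps as well as contents
        manifest[relative] = sha256_file(target)
    lines = "".join(f"{digest}  {name}\n" for name, digest in manifest.items())
    (destination / MANIFEST_NAME).write_text(lines)
    return manifest


def verify_backup(destination: Path) -> list:
    """Re-hash each file named in the manifest; return those missing or altered."""
    failures = []
    for line in (destination / MANIFEST_NAME).read_text().splitlines():
        digest, name = line.split("  ", 1)
        target = destination / name
        if not target.is_file() or sha256_file(target) != digest:
            failures.append(name)
    return failures


def demo() -> tuple:
    """Back up two constructed files, verify, then corrupt one copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        source, destination = Path(tmp, "live"), Path(tmp, "backup")
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "contract.txt").write_text("constructed sample contract\n")
        (source / "ledger.csv").write_text("date,amount\n2022-11-01,100\n")
        manifest = make_backup(source, destination)
        before = verify_backup(destination)
        # Overwrite one backup file the way an encrypting process would.
        (destination / "ledger.csv").write_bytes(b"\x00\x00not the original\x00")
        after = verify_backup(destination)
        return len(manifest), before, after


if __name__ == "__main__":
    copied, before, after = demo()
    print(f"{copied} files backed up; problems before tampering: {before}; after: {after}")
```

Keeping the manifest in a second location matters: if an attacker can rewrite the backup, they can rewrite a manifest stored next to it as well, so the copy you compare against should be one the backup location cannot modify.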

7. Enable Firewall Protection at Work and at Home

A firewall is a critical first line of defense against cyberattacks. It is a system that helps control incoming and outgoing traffic, based on a set of rules. This means users who are not authorized cannot access your network, and malware or other malicious traffic is blocked from entering.

If you do not already have a firewall, now is the time to get one—both for your company and at home. There are many types of firewalls available, so it is important to do your research, consult with your IT department, and choose the one that best suits your needs.

Hardware vs. Software vs. Cloud Firewalls

There are three main methods of firewall delivery: hardware, software, and cloud.

  • Hardware firewalls are physical devices installed between your network and the Internet. They are typically more expensive than software firewalls, but they offer better protection because they can inspect traffic at a lower level.
  • Software firewalls, on the other hand, are programs that run on computers or servers and act as a barrier between your network and outside traffic. While not as effective as hardware firewalls, they are a good option for small businesses or companies that cannot afford a hardware firewall.
  • Cloud firewalls are delivered via the cloud and can be used to protect entire networks. The “cloud” refers to servers that are accessed over the Internet. Cloud firewalls can offer greater flexibility and scalability than other kinds of firewalls.

8. Embrace Education and Training

Even with technical safeguards in place, it is employees who ultimately risk exposing a business to ransomware. User error, such as clicking on an infected online advertisement, pop-up window, or attachment in a spam email, is often to blame for inviting ransomware into a computer. So, users are the most important line of defense.

Talk with your employees about ransomware, and educate them on what it is and how they can help defend the business.

As a best practice, you should require all new employees to complete such training and offer it on an ongoing basis to avoid information being missed. If you do not have the resources to put this type of training together, talk to your IT service provider. They should be able to run a program like this for you or provide other educational materials.

9. Create and Enforce Policies

Many successful small and medium-sized businesses have developed formal, documented IT security policies to govern operations both in their offices and in the field. These policies educate employees and guide behavior, in addition to protecting the business and ensuring compliance with regulations.

10. Invest in Cybersecurity Services

Cybersecurity should be one of your top priorities; hence, a portion of the company budget should be dedicated to cybersecurity services. These services help keep your systems and data safe from attacks.

The Most Common Types of Cyberattacks

Part of educating your employees about cybersecurity is teaching them about the different types of cybercrime so they will be able to identify red flags and know what to do if they encounter something suspicious.

Below is a list of some of the most common forms of cyberattacks.

Phishing

Phishing is a social engineering attack in which criminals pose as a legitimate entity to try and steal sensitive information. A sender of a malicious email intends to deceive a victim by making the email seem important and from a reputable source. These phishing emails may include harmful attachments, like PDFs or Word documents, which, once opened, can cause harm to the user’s computer by installing forms of malware, ransomware, or other unsavory software.

Phishing emails also can contain malicious links in the body of the message that can lead a user to a fraudulent site. These sites are used to collect confidential information such as usernames and passwords, or to install malware onto a device. Once the victim’s information has been obtained, scammers will monetize the data by selling it to the highest bidder on Dark Web sites.

Malware

Malware is software that is designed to damage or disable computers. Many types of malware exist, including viruses, worms, Trojan horses, and ransomware.

Malware is commonly spread through email attachments, infected websites, removable media, and more. Once malware finds its way into a system, it can do anything from stealing data to deleting files. In some cases, it can even take over the entire system.

Password Attacks

There are many types of password attacks, but the most common ones are brute force and dictionary attacks.

A brute force attack happens when a criminal tries to guess the password by trying every possible combination of characters.

A dictionary attack is similar, but instead of trying every possible combination, the attacker uses a list of words that are likely to be used as passwords.

Spyware

Spyware is another kind of malicious software, designed to collect information about a user without their knowledge. It can be used to track a person’s web browsing habits, steal sensitive information like passwords and credit card numbers, and even record conversations.


With cybercrime becoming an increasingly serious threat, it is not a question of if businesses need security but a question of what level of security they need. Keeping this in mind, you should reach out to your IT service provider about data security to make sure your business is properly protected.

It is also important to start educating your employees as soon as possible, because new cyber threats emerge every day. Be proactive and start talking about cybersecurity now instead of waiting until after your company experiences a data breach or malware infection. Don’t wait until it is too late!

