Your Complete IT Security Action Plan
Your Complete IT Security Action Plan

Photo by Jakub Zerdzicki on Pexels
You have learned the five pillars of IT security: phishing recognition, MFA, backups, network security, and security policies. Now it is time to put it all together into a concrete action plan for your business.
This Week (Days 1-7)
These are the highest-impact actions you can take immediately, most of them free:
- Enable MFA on your email accounts — Microsoft 365 or Google Workspace. This single action blocks 99.9% of automated attacks. Time: 10 minutes per user
- Change default router passwords — If your router still has the default password, change it now. Time: 5 minutes
- Check if RDP is exposed to the internet — Visit https://www.shodan.io and search for your public IP. If port 3389 is open, close it immediately and set up VPN access. Time: 15 minutes
- Send a phishing awareness email to your team — Forward this course link or send a short reminder about phishing red flags. Time: 10 minutes
- Update all operating systems — Run Windows Update on every computer and server. Install all critical and security updates. Time: 30 minutes
This Month (Days 8-30)
These actions require more planning but are still achievable in a month:
- Implement a password manager — Set up Bitwarden (free) or 1Password ($7.99/user/month). Add all employees. Import existing passwords. Time: 2-3 hours
- Set up VPN for remote access — Install WireGuard or Tailscale (free). Remove any direct RDP exposure. Time: 2-4 hours
- Configure DNS filtering — Switch your router DNS to Cloudflare Gateway or Quad9 (free). Time: 15 minutes
- Test your backups — Restore 5 random files from your most recent backup. Verify they open correctly. Document the results. Time: 30 minutes
- Write your Acceptable Use Policy — Use the template from this course. Have all employees sign it. Time: 1 hour
- Review employee access — List who has access to what. Remove access for former employees or contractors who still have accounts. Time: 1-2 hours
- Run a phishing simulation — Send a fake phishing email to your team using GoPhish (free). See who clicks. Provide immediate, non-punitive training. Time: 2 hours
This Quarter (Days 31-90)
These are the larger projects that secure your business for the long term:
- Upgrade to a hardware firewall — If you are using a consumer router, upgrade to a pfSense box ($200-400) or a business-grade firewall. Configure IDS/IPS and DNS filtering. Time: 1-2 days
- Implement network segmentation — Set up VLANs for business, guest, and management networks. Time: 1 day
- Perform a full backup restore test — Restore your entire server or critical data set to a test environment. Verify everything works. Document the recovery time. Time: 4-8 hours
- Write your Incident Response Plan — One page. Who to call, what to do first, how to contain. Keep a printed copy offsite. Time: 2 hours
- Conduct monthly security training — 10-minute monthly sessions with your team. Cover one topic per month. Track attendance. Time: 10 minutes/month
- Audit software subscriptions — List every software subscription. Cancel unused ones. Typical savings: $2,000-$10,000/year. Time: 2 hours
- Assess cyber insurance needs — If you do not have cyber insurance, get quotes. If you do, verify your coverage matches the 7 requirements covered in this course. Time: 2 hours
Security Is a Process, Not a Project
Security is not something you do once and forget. Threats evolve, new vulnerabilities are discovered, and businesses change. Schedule quarterly reviews of your security posture:
- Review access permissions — who has access, is it still needed?
- Check for new devices on the network — are they authorized?
- Review backup test results — any failures or gaps?
- Check for expired certificates and passwords
- Review phishing simulation results — is click rate trending down?
- Update your incident response plan with lessons learned
When to Get Professional Help
Some security tasks require expertise that most small businesses do not have in-house. Consider professional help for:
- Network setup and firewall configuration — If you are not comfortable configuring VLANs, firewall rules, and VPNs
- Backup implementation — If you need help designing a 3-2-1 backup strategy that works for your specific environment
- Security assessment — A professional audit identifies gaps you may not see
- Incident response — If you experience a breach, professional help can minimize damage and speed recovery
- Compliance requirements — If you need to meet HIPAA, CMMC, or PCI requirements
Need Help Implementing This?
Beawit Consulting specializes in helping small businesses implement practical IT security. We do not sell expensive software — we help you use the right tools effectively. From MFA setup to full network security assessments, we can help.
Visit beawit.net or call 360-399-6834 for a free consultation.
Thank you for completing this course. Take the final quiz to test your knowledge and earn your certificate.
— JC Beasley, Beawit Consulting LLC
Your Complete IT Security Action Plan
You have learned the five pillars of IT security: phishing recognition, MFA, backups, network security, and security policies. Now it is time to put it all together into a concrete action plan for your business.
This Week (Days 1-7)
These are the highest-impact actions you can take immediately, most of them free:
- Enable MFA on your email accounts — Microsoft 365 or Google Workspace. This single action blocks 99.9% of automated attacks. Time: 10 minutes per user
- Change default router passwords — If your router still has the default password, change it now. Time: 5 minutes
- Check if RDP is exposed to the internet — Visit https://www.shodan.io and search for your public IP. If port 3389 is open, close it immediately and set up VPN access. Time: 15 minutes
- Send a phishing awareness email to your team — Forward this course link or send a short reminder about phishing red flags. Time: 10 minutes
- Update all operating systems — Run Windows Update on every computer and server. Install all critical and security updates. Time: 30 minutes
This Month (Days 8-30)
These actions require more planning but are still achievable in a month:
- Implement a password manager — Set up Bitwarden (free) or 1Password ($7.99/user/month). Add all employees. Import existing passwords. Time: 2-3 hours
- Set up VPN for remote access — Install WireGuard or Tailscale (free). Remove any direct RDP exposure. Time: 2-4 hours
- Configure DNS filtering — Switch your router DNS to Cloudflare Gateway or Quad9 (free). Time: 15 minutes
- Test your backups — Restore 5 random files from your most recent backup. Verify they open correctly. Document the results. Time: 30 minutes
- Write your Acceptable Use Policy — Use the template from this course. Have all employees sign it. Time: 1 hour
- Review employee access — List who has access to what. Remove access for former employees or contractors who still have accounts. Time: 1-2 hours
- Run a phishing simulation — Send a fake phishing email to your team using GoPhish (free). See who clicks. Provide immediate, non-punitive training. Time: 2 hours
This Quarter (Days 31-90)
These are the larger projects that secure your business for the long term:
- Upgrade to a hardware firewall — If you are using a consumer router, upgrade to a pfSense box ($200-400) or a business-grade firewall. Configure IDS/IPS and DNS filtering. Time: 1-2 days
- Implement network segmentation — Set up VLANs for business, guest, and management networks. Time: 1 day
- Perform a full backup restore test — Restore your entire server or critical data set to a test environment. Verify everything works. Document the recovery time. Time: 4-8 hours
- Write your Incident Response Plan — One page. Who to call, what to do first, how to contain. Keep a printed copy offsite. Time: 2 hours
- Conduct monthly security training — 10-minute monthly sessions with your team. Cover one topic per month. Track attendance. Time: 10 minutes/month
- Audit software subscriptions — List every software subscription. Cancel unused ones. Typical savings: $2,000-$10,000/year. Time: 2 hours
- Assess cyber insurance needs — If you do not have cyber insurance, get quotes. If you do, verify your coverage matches the 7 requirements covered in this course. Time: 2 hours
Security Is a Process, Not a Project
Security is not something you do once and forget. Threats evolve, new vulnerabilities are discovered, and businesses change. Schedule quarterly reviews of your security posture:
- Review access permissions — who has access, is it still needed?
- Check for new devices on the network — are they authorized?
- Review backup test results — any failures or gaps?
- Check for expired certificates and passwords
- Review phishing simulation results — is click rate trending down?
- Update your incident response plan with lessons learned
When to Get Professional Help
Some security tasks require expertise that most small businesses do not have in-house. Consider professional help for:
- Network setup and firewall configuration — If you are not comfortable configuring VLANs, firewall rules, and VPNs
- Backup implementation — If you need help designing a 3-2-1 backup strategy that works for your specific environment
- Security assessment — A professional audit identifies gaps you may not see
- Incident response — If you experience a breach, professional help can minimize damage and speed recovery
- Compliance requirements — If you need to meet HIPAA, CMMC, or PCI requirements
Need Help Implementing This?
Beawit Consulting specializes in helping small businesses implement practical IT security. We do not sell expensive software — we help you use the right tools effectively. From MFA setup to full network security assessments, we can help.
Visit beawit.net or call 360-399-6834 for a free consultation.
Thank you for completing this course. Take the final quiz to test your knowledge and earn your certificate.
— JC Beasley, Beawit Consulting LLC
There are no comments for now.