Skip to Content

Your Complete IT Security Action Plan

Your Complete IT Security Action Plan

checklist action plan business

Photo by Jakub Zerdzicki on Pexels

You have learned the five pillars of IT security: phishing recognition, MFA, backups, network security, and security policies. Now it is time to put it all together into a concrete action plan for your business.

This Week (Days 1-7)

These are the highest-impact actions you can take immediately, most of them free:

  1. Enable MFA on your email accounts — Microsoft 365 or Google Workspace. This single action blocks 99.9% of automated attacks. Time: 10 minutes per user
  2. Change default router passwords — If your router still has the default password, change it now. Time: 5 minutes
  3. Check if RDP is exposed to the internet — Visit https://www.shodan.io and search for your public IP. If port 3389 is open, close it immediately and set up VPN access. Time: 15 minutes
  4. Send a phishing awareness email to your team — Forward this course link or send a short reminder about phishing red flags. Time: 10 minutes
  5. Update all operating systems — Run Windows Update on every computer and server. Install all critical and security updates. Time: 30 minutes

This Month (Days 8-30)

These actions require more planning but are still achievable in a month:

  1. Implement a password manager — Set up Bitwarden (free) or 1Password ($7.99/user/month). Add all employees. Import existing passwords. Time: 2-3 hours
  2. Set up VPN for remote access — Install WireGuard or Tailscale (free). Remove any direct RDP exposure. Time: 2-4 hours
  3. Configure DNS filtering — Switch your router DNS to Cloudflare Gateway or Quad9 (free). Time: 15 minutes
  4. Test your backups — Restore 5 random files from your most recent backup. Verify they open correctly. Document the results. Time: 30 minutes
  5. Write your Acceptable Use Policy — Use the template from this course. Have all employees sign it. Time: 1 hour
  6. Review employee access — List who has access to what. Remove access for former employees or contractors who still have accounts. Time: 1-2 hours
  7. Run a phishing simulation — Send a fake phishing email to your team using GoPhish (free). See who clicks. Provide immediate, non-punitive training. Time: 2 hours

This Quarter (Days 31-90)

These are the larger projects that secure your business for the long term:

  1. Upgrade to a hardware firewall — If you are using a consumer router, upgrade to a pfSense box ($200-400) or a business-grade firewall. Configure IDS/IPS and DNS filtering. Time: 1-2 days
  2. Implement network segmentation — Set up VLANs for business, guest, and management networks. Time: 1 day
  3. Perform a full backup restore test — Restore your entire server or critical data set to a test environment. Verify everything works. Document the recovery time. Time: 4-8 hours
  4. Write your Incident Response Plan — One page. Who to call, what to do first, how to contain. Keep a printed copy offsite. Time: 2 hours
  5. Conduct monthly security training — 10-minute monthly sessions with your team. Cover one topic per month. Track attendance. Time: 10 minutes/month
  6. Audit software subscriptions — List every software subscription. Cancel unused ones. Typical savings: $2,000-$10,000/year. Time: 2 hours
  7. Assess cyber insurance needs — If you do not have cyber insurance, get quotes. If you do, verify your coverage matches the 7 requirements covered in this course. Time: 2 hours

Security Is a Process, Not a Project

Security is not something you do once and forget. Threats evolve, new vulnerabilities are discovered, and businesses change. Schedule quarterly reviews of your security posture:

  • Review access permissions — who has access, is it still needed?
  • Check for new devices on the network — are they authorized?
  • Review backup test results — any failures or gaps?
  • Check for expired certificates and passwords
  • Review phishing simulation results — is click rate trending down?
  • Update your incident response plan with lessons learned

When to Get Professional Help

Some security tasks require expertise that most small businesses do not have in-house. Consider professional help for:

  • Network setup and firewall configuration — If you are not comfortable configuring VLANs, firewall rules, and VPNs
  • Backup implementation — If you need help designing a 3-2-1 backup strategy that works for your specific environment
  • Security assessment — A professional audit identifies gaps you may not see
  • Incident response — If you experience a breach, professional help can minimize damage and speed recovery
  • Compliance requirements — If you need to meet HIPAA, CMMC, or PCI requirements

Need Help Implementing This?

Beawit Consulting specializes in helping small businesses implement practical IT security. We do not sell expensive software — we help you use the right tools effectively. From MFA setup to full network security assessments, we can help.

Visit beawit.net or call 360-399-6834 for a free consultation.

Thank you for completing this course. Take the final quiz to test your knowledge and earn your certificate.

— JC Beasley, Beawit Consulting LLC

Your Complete IT Security Action Plan

You have learned the five pillars of IT security: phishing recognition, MFA, backups, network security, and security policies. Now it is time to put it all together into a concrete action plan for your business.

This Week (Days 1-7)

These are the highest-impact actions you can take immediately, most of them free:

  1. Enable MFA on your email accounts — Microsoft 365 or Google Workspace. This single action blocks 99.9% of automated attacks. Time: 10 minutes per user
  2. Change default router passwords — If your router still has the default password, change it now. Time: 5 minutes
  3. Check if RDP is exposed to the internet — Visit https://www.shodan.io and search for your public IP. If port 3389 is open, close it immediately and set up VPN access. Time: 15 minutes
  4. Send a phishing awareness email to your team — Forward this course link or send a short reminder about phishing red flags. Time: 10 minutes
  5. Update all operating systems — Run Windows Update on every computer and server. Install all critical and security updates. Time: 30 minutes

This Month (Days 8-30)

These actions require more planning but are still achievable in a month:

  1. Implement a password manager — Set up Bitwarden (free) or 1Password ($7.99/user/month). Add all employees. Import existing passwords. Time: 2-3 hours
  2. Set up VPN for remote access — Install WireGuard or Tailscale (free). Remove any direct RDP exposure. Time: 2-4 hours
  3. Configure DNS filtering — Switch your router DNS to Cloudflare Gateway or Quad9 (free). Time: 15 minutes
  4. Test your backups — Restore 5 random files from your most recent backup. Verify they open correctly. Document the results. Time: 30 minutes
  5. Write your Acceptable Use Policy — Use the template from this course. Have all employees sign it. Time: 1 hour
  6. Review employee access — List who has access to what. Remove access for former employees or contractors who still have accounts. Time: 1-2 hours
  7. Run a phishing simulation — Send a fake phishing email to your team using GoPhish (free). See who clicks. Provide immediate, non-punitive training. Time: 2 hours

This Quarter (Days 31-90)

These are the larger projects that secure your business for the long term:

  1. Upgrade to a hardware firewall — If you are using a consumer router, upgrade to a pfSense box ($200-400) or a business-grade firewall. Configure IDS/IPS and DNS filtering. Time: 1-2 days
  2. Implement network segmentation — Set up VLANs for business, guest, and management networks. Time: 1 day
  3. Perform a full backup restore test — Restore your entire server or critical data set to a test environment. Verify everything works. Document the recovery time. Time: 4-8 hours
  4. Write your Incident Response Plan — One page. Who to call, what to do first, how to contain. Keep a printed copy offsite. Time: 2 hours
  5. Conduct monthly security training — 10-minute monthly sessions with your team. Cover one topic per month. Track attendance. Time: 10 minutes/month
  6. Audit software subscriptions — List every software subscription. Cancel unused ones. Typical savings: $2,000-$10,000/year. Time: 2 hours
  7. Assess cyber insurance needs — If you do not have cyber insurance, get quotes. If you do, verify your coverage matches the 7 requirements covered in this course. Time: 2 hours

Security Is a Process, Not a Project

Security is not something you do once and forget. Threats evolve, new vulnerabilities are discovered, and businesses change. Schedule quarterly reviews of your security posture:

  • Review access permissions — who has access, is it still needed?
  • Check for new devices on the network — are they authorized?
  • Review backup test results — any failures or gaps?
  • Check for expired certificates and passwords
  • Review phishing simulation results — is click rate trending down?
  • Update your incident response plan with lessons learned

When to Get Professional Help

Some security tasks require expertise that most small businesses do not have in-house. Consider professional help for:

  • Network setup and firewall configuration — If you are not comfortable configuring VLANs, firewall rules, and VPNs
  • Backup implementation — If you need help designing a 3-2-1 backup strategy that works for your specific environment
  • Security assessment — A professional audit identifies gaps you may not see
  • Incident response — If you experience a breach, professional help can minimize damage and speed recovery
  • Compliance requirements — If you need to meet HIPAA, CMMC, or PCI requirements

Need Help Implementing This?

Beawit Consulting specializes in helping small businesses implement practical IT security. We do not sell expensive software — we help you use the right tools effectively. From MFA setup to full network security assessments, we can help.

Visit beawit.net or call 360-399-6834 for a free consultation.

Thank you for completing this course. Take the final quiz to test your knowledge and earn your certificate.

— JC Beasley, Beawit Consulting LLC

Rating
0 0

There are no comments for now.

to be the first to leave a comment.