Cybersecurity Baseline: The 4 Essentials Every Business Needs

When it comes to cybersecurity measures and spend, business owners, CEOs, and CIOs often ask, “What’s reasonable?” or “What do other businesses our size usually do?”

Honestly, this question always makes me shift in my seat — not because I don’t want to answer, but because it’s a tough one to address on the spot without deep diving into the business, team size, systems, and actual risks in play.

This blog explains what a “reasonable” cybersecurity baseline looks like and provides a checklist for your business. 

Why does comparing your cybersecurity to other businesses not work?

It’s easy to fall into the trap of looking sideways at what similar-sized companies are doing — but that doesn’t work with managed IT services. Every business is different. Different systems. Different cybersecurity risks.

Reasonable cybersecurity means having safeguards proportional to your business size, systems, and risk exposure — not what others are doing. Your infrastructure, software stack, and staff access are all unique. Copying what others do might lead you to overinvest in low-risk areas or completely miss what actually matters in your setup. Cybersecurity baselines, strategy, and spend should always be tailored to your business’s assets, risk appetite, and operational reality.

The Four Minimum, Non‑Negotiable Controls

When someone asks me, “What’s reasonable?” — I usually respond with:
“You should have as much cybersecurity as you can reasonably afford. But at a bare minimum, there are four key areas that I consider non-negotiable.”

Let’s walk through them.

1. Multi-Factor Authentication (MFA)

This is hands down one of the simplest and most effective tools in the kit. Not a silver bullet — but it makes your systems significantly harder for bad actors to access. And when I say turn it on everywhere, I mean everywhere:

  • Accounting packages
  • Email accounts
  • Document storage
  • Device logins (user and administrator)
  • CRM systems

There are plenty of good MFA solutions out there. Personally, I recommend Duo, but there are plenty of solid options depending on your environment.

2. Endpoint Protection

Gone are the days when adding an antivirus on a machine was enough. Today, endpoint protection means more than just scanning for known threats. You need a combination of:

  • Antivirus on all systems, whether you use Mac or Windows
  • EDR (Endpoint Detection and Response) that watches behaviour, flags anomalies, and can lock things down automatically
  • Ransomware protection to protect your data from being encrypted and held hostage
  • A policy that restricts admin access. If users can’t install their own software, they’re much less likely to accidentally open the door to a threat.

Medical IT support and dental IT support should also include an added layer of security for practice management software and imaging software.

3. Email Security / Anti-Spam

Most cyber incidents still start with an email. If you’re not filtering threats before they hit your users, you’re playing with fire. Your email security should:

  • Block spam
  • Detect phishing attempts
  • Quarantine suspicious attachments
  • Filter links
  • Implement email authentication protocols 

There are plenty of options out there, such as Check Point, Proofpoint, and Darktrace. Pick one that fits your business to get ahead of the threats.

4. Backup, Business Continuity & Disaster Recovery

Some people get confused when I talk about backups and disaster recovery as part of cybersecurity. But even Cyber.gov.au’s Essential Eight model lists backups as a key control.

Why? Because if something does go horribly wrong — a ransomware attack, a wipeout, or accidental deletion — your backup is what will get you back up and running.

Two critical questions to ask your IT team or provider:

  • What’s our RPO (Recovery Point Objective)?
    How recent is our last usable backup? How much data would we lose in a worst-case?
  • What’s our RTO (Recovery Time Objective)?
    How long would it take to get the business operational again?

This isn’t hypothetical.
A 20-person business offline for a week? You’re looking at $35,000+ in wages alone, and that’s without factoring in lost revenue or customer churn.
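
The RPO question above can be answered from backup job history rather than from the backup schedule. The following is an added example, not part of the original article; the log format, the field names, and the rule that only restore-tested backups count as "usable" are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup history (not from a real system).
# Assumed format: <finish time> <job status> <restore-test result>
SAMPLE_LOG = """\
2024-03-01T01:00:00 success verified
2024-03-02T01:00:00 success verified
2024-03-03T01:00:00 failed -
2024-03-04T01:00:00 success unverified
2024-03-05T01:00:00 success verified
"""


def parse_log(text):
    """Return sorted (finish_time, usable) tuples from the log text."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, status, check = line.split()
        # Assumption: a backup is usable only if the job succeeded
        # AND a test restore verified it.
        usable = status == "success" and check == "verified"
        entries.append((datetime.fromisoformat(stamp), usable))
    return sorted(entries)


def rpo_report(entries, now, target):
    """Compare the achieved recovery point against a target timedelta."""
    usable = [t for t, ok in entries if ok]
    if not usable:
        return {"last_usable": None, "exposure_now": None,
                "worst_gap": None, "meets_target": False}
    # Data lost if the incident happened right now.
    exposure_now = now - usable[-1]
    # Largest window with no usable backup, including the one still open.
    points = usable + [now]
    worst_gap = max(later - earlier for earlier, later in zip(points, points[1:]))
    return {"last_usable": usable[-1], "exposure_now": exposure_now,
            "worst_gap": worst_gap, "meets_target": worst_gap <= target}


if __name__ == "__main__":
    report = rpo_report(parse_log(SAMPLE_LOG),
                        now=datetime(2024, 3, 5, 13, 0),
                        target=timedelta(hours=24))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data a nightly schedule with a 24-hour target still shows a 72-hour worst-case gap, because one job failed and one was never restore-tested.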

What Business Leaders Should Do (Without Getting Too Technical)

The four items above are the bare minimum. If you work in medicine, finance, law or any field dealing with regulated or sensitive data, your baseline is going to be higher. 

Let’s face it — not every exec wants to get knee-deep in firewalls and MFA policies. But to get started, you can get a cybersecurity audit. If you have a good outsourced IT partner, ask them to audit your systems. If not, or if you want a second opinion, go to a cybersecurity specialist like Teamwork Technology for an IT health check. Whether it’s a second set of eyes or full-time help, it’s better to know your blind spots before an attacker finds them.

To discuss your cybersecurity set-up, contact Teamwork Technology.

Craig Smithers

Craig has an extensive background in cloud and datacenter services in both government and private sectors. Craig is gifted in keeping the complex simple; he is practical yet customer-focused.
