Article / 27-01-2026
Technology Security Basics: 10 Controls That Prevent Most Incidents

Security often sounds more complicated than it needs to be.
For many growing businesses, the biggest risk does not come from highly sophisticated threats. It comes from weak basics. Accounts are not protected consistently. Access is broader than it should be. Offboarding is patchy. Devices are managed differently depending on the user. Backups are assumed to be fine rather than clearly understood. External sharing is convenient but not well controlled. No one is fully sure who owns the baseline.
That is how common incidents happen.
In practice, that usually shows up in familiar ways:
users do not all have the same level of sign-in protection
former staff or role changes leave access behind
too many people have admin rights or elevated access
devices are patched and managed inconsistently
external sharing is looser than it should be
important data is not backed up in the way people assume
mailbox security varies between key users
security settings exist, but no one is reviewing them regularly
support providers deal with problems as they arise, but the baseline is not improving
the business talks about security after issues happen rather than before
This is why security basics matter so much.
A strong baseline will not eliminate every risk, but it will prevent a large share of the incidents that affect growing businesses most often.
Why the basics are where most risk sits
Security controls usually weaken over time, not all at once.
That happens because:
The environment grows faster than the standards
More users, more devices, more tools, and more vendors increase complexity.
Controls are applied inconsistently
Some teams or users are well protected, while others are not.
Ownership is unclear
Security is seen as important, but not clearly owned end to end.
Access expands over time
Permissions and privileges accumulate unless someone reviews them properly.
The business stays reactive
Fixes happen after incidents, near misses, or audit questions rather than through ongoing discipline.
Support and governance are separated
A provider may keep things running day to day without actively improving the baseline.
That is why good security is usually less about a single product and more about consistent control.
What a good security baseline actually achieves
A practical security baseline should create four outcomes.
Accounts are harder to compromise
Strong sign-in protection makes it more difficult for attackers to get in through common routes.
Access is tighter and easier to review
Users have the access they need, not more than they need.
The business is more resilient
If something goes wrong, backups, logging, and recovery are clearer.
Risk is actively managed
Security stops being something the business hopes is fine and becomes something it can actually govern.
The goal is not to create fear. The goal is to reduce avoidable exposure.
The signs your baseline needs attention
If any of these sound familiar, the basics probably need tightening.
Multi-factor authentication is inconsistent
Some accounts have it, others do not, or it is not enforced properly.
Admin access is broader than it should be
Too many people have elevated privileges or old roles still assigned.
Offboarding is informal
Accounts, shared access, devices, or admin rights are not always removed on time.
Backups are assumed, not understood
People believe data is protected, but cannot clearly explain what is backed up, how often, or how recovery works.
Device standards vary too much
Some devices are managed well, others are largely left to user behaviour.
External sharing is loose
Guest users, links, and shared files are harder to review than they should be.
Mailbox protection is uneven
Key users handling approvals, vendor communication, or finance are not all protected to the same standard.
No one clearly owns the baseline
Settings exist, but no one is driving review, prioritisation, and follow-through.
These are exactly the kinds of issues that make ordinary threats more successful than they should be.
The 10 controls that prevent most incidents
A lot of security improvement comes from locking down the basics properly and keeping them consistent.
1. Multi-factor authentication
This is still one of the most important controls.
Important accounts should be protected with multi-factor authentication, especially:
Microsoft 365
email
finance systems
administrator accounts
remote access tools
key vendor or support portals
If sign-in protection is weak, the rest of the environment becomes easier to compromise.
2. Role-based access
People should have the access they need for their role, not broad access by default.
That means reviewing:
user permissions
group membership
access to sensitive systems
access to shared mailboxes
access to finance or operational platforms
The wider the access, the larger the blast radius when something goes wrong.
3. Fast and complete offboarding
When someone leaves or changes roles, access needs to be removed quickly and properly.
That includes:
account sign-in
email and shared access
business platforms
privileged roles
devices and mobile access
Weak offboarding leaves old access sitting in the environment longer than it should.
4. Backup clarity
Backups are only useful if the business actually understands them.
That means being clear on:
what is backed up
how often it is backed up
where it is stored
what recovery expectations look like
who owns the process
what is not covered
A lot of businesses assume they are more protected than they really are.
5. Strong administrator controls
Administrator access should be limited, visible, and reviewed.
That includes:
reducing the number of admin accounts
reviewing privileged roles regularly
separating normal user and admin activity where sensible
tightening access to core platforms
removing old or unnecessary elevation
Admin access is one of the highest value targets in any environment.
6. Device management standards
Devices should not rely on individual user discipline alone.
A stronger baseline usually means:
consistent patching
device management policies
encryption where appropriate
standard security settings
controlled local admin rights
remote lock or wipe capability where needed
If device standards vary too much, the environment becomes harder to protect and harder to support.
7. Secure file sharing and guest access
External sharing is often necessary, but it needs control.
That means:
approved sharing locations
clear guest access rules
review of who still has access
sensible link settings
ownership of externally shared workspaces
Loose sharing does not just create security risk. It also creates governance problems.
8. Mailbox protection
Email remains one of the most common routes for compromise, fraud, and impersonation.
Key mailboxes and users should have:
strong MFA
tighter access
clear ownership of shared inboxes
review of forwarding or delegated access where relevant
stronger protection for finance, approvals, and executive communications
Mailbox security is not optional. It is part of the baseline.
9. Logging and visibility
The business should be able to review important activity when something looks wrong.
That does not mean building a giant security operations function. It means having enough visibility to answer questions like:
who signed in
what changed
who accessed what
whether admin actions occurred
whether unusual activity can be identified
Without visibility, the business is often reacting in the dark.
10. Clear ownership of the baseline
This is the control that ties the rest together.
Someone needs to be accountable for:
what the baseline is
where the gaps are
what needs attention first
which actions are overdue
how vendors and providers are being held to account
whether the controls are actually staying in place
Without ownership, even good settings drift over time.
What these controls look like in day-to-day operations
Security basics are not abstract. They show up in practical questions like:
does every key account have MFA enabled properly
who still has admin access
what happens when a staff member leaves
which files are being shared externally
what is actually backed up
who reviews guest users
can we see unusual activity if something feels wrong
who owns the next security improvement
If those questions are hard to answer, the baseline is probably weaker than it should be.
If they are clear, risk becomes easier to manage.
Common mistakes businesses make
There are a few patterns that come up repeatedly.
Thinking security means buying more tools
Most businesses benefit more from tightening the basics than adding another product.
Treating the baseline as a one-off setup
Good controls need review and follow-through, not just initial configuration.
Leaving ownership vague
If nobody owns the baseline, weak areas stay weak for too long.
Assuming support equals governance
A provider may handle tickets well without actively improving security posture.
Ignoring everyday operational controls
Offboarding, access review, and shared mailbox discipline are security controls too.
Focusing only on technical settings
Real security also depends on process, accountability, and operating rhythm.
A practical place to start
If the business wants to strengthen security without overcomplicating it, start with a simple review of the 10 controls above.
Ask:
which of these are already in place
which are inconsistent
which are weak or unclear
who owns each one
what should be fixed first
That quickly separates assumed security from actual security.
A simple maturity view is often enough to identify immediate priorities such as:
MFA gaps
excessive admin rights
poor offboarding
weak backup clarity
loose external sharing
unclear mailbox ownership
That is where the biggest gains usually sit.
Quick wins you can implement immediately
If your baseline needs tightening, start here.
1. Review MFA coverage
Check which important accounts still do not have strong sign-in protection.
2. Review privileged access
Identify who has admin rights and remove anything unnecessary.
3. Tighten offboarding
Make sure access, devices, shared workspaces, and admin roles are included in the process.
4. Confirm backup coverage and ownership
Be clear on what is protected, what is not, and who owns review and recovery.
5. Review shared and external access
Look at guest users, shared mailboxes, links, and externally shared workspaces.
These five actions alone can materially improve the baseline.
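As an added illustration (not ProLevel Tech's own tooling), the script below runs quick wins 1, 2, 3 and 5 as checks over an account inventory and ranks the gaps, which is one way to keep the review from staying informal. The CSV columns, sample rows, role names and the 90-day guest threshold are all assumptions made for this example; backup coverage is not something an account list can show, so it is left out.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are assumptions, not a real export format.
SAMPLE_INVENTORY = """\
user,role,mfa_enforced,is_admin,is_guest,enabled,left_on,last_sign_in
a.finance,finance,no,no,no,yes,,2026-01-20
b.admin,it,yes,yes,no,yes,,2026-01-25
c.leaver,sales,yes,no,no,yes,2025-12-01,2025-11-28
d.oldadmin,sales,yes,yes,no,yes,,2026-01-10
e.guest,external,no,no,yes,yes,,2025-06-02
f.staff,ops,yes,no,no,yes,,2026-01-26
"""

# Assumed policy values for this example; set them to match your own baseline.
HIGH_RISK_ROLES = {"finance", "executive", "it"}  # roles to fix first
ADMIN_ROLES = {"it"}                              # roles expected to hold admin rights
STALE_GUEST_DAYS = 90                             # guest inactivity that triggers review


def review_baseline(inventory_csv, today):
    """Return (priority, user, finding) tuples, most urgent first (1 = fix first)."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["enabled"] != "yes":
            continue  # disabled accounts cannot sign in
        user, is_admin = row["user"], row["is_admin"] == "yes"
        # Offboarding: a leave date has passed but the account is still enabled.
        if row["left_on"] and date.fromisoformat(row["left_on"]) <= today:
            findings.append((1, user, "offboarding: still enabled after leave date"))
        # MFA coverage: gaps on admin or high-risk accounts rank highest.
        if row["mfa_enforced"] != "yes":
            urgent = is_admin or row["role"] in HIGH_RISK_ROLES
            findings.append((1 if urgent else 2, user, "mfa: not enforced"))
        # Privileged access: admin rights held outside an expected admin role.
        if is_admin and row["role"] not in ADMIN_ROLES:
            findings.append((2, user, "admin: elevated rights outside an admin role"))
        # External access: guest accounts that have gone quiet need a review.
        if row["is_guest"] == "yes":
            idle = (today - date.fromisoformat(row["last_sign_in"])).days
            if idle > STALE_GUEST_DAYS:
                findings.append((3, user, f"guest: no sign-in for {idle} days"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, user, finding in review_baseline(SAMPLE_INVENTORY, date(2026, 1, 27)):
        print(f"P{priority}  {user:<10} {finding}")
```

Run against a real export, the same checks give each gap an owner-ready line item, and rerunning it on a schedule shows whether the baseline is drifting.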
Common mistakes to avoid
Trying to fix everything at once
Prioritisation matters. Start with the controls that reduce the most risk.
Leaving the review informal
If the business cannot track gaps clearly, they stay open longer.
Treating key users the same as low-risk users
Finance, executive, and admin accounts usually need tighter protection first.
Separating security from wider governance
Security works better when it is tied to ownership, vendor oversight, access control, and operating rhythm.
Assuming today’s settings will stay right by themselves
Without review, drift always returns.
How ProLevel Tech helps
If you want a practical view of where your security baseline is weak, the Technology Health Check is the best place to start.
It helps identify:
Which of the core controls need attention first
So the business can focus on the highest-value improvements.
Where access and ownership are weaker than they should be
Across users, devices, platforms, and admin roles.
Where governance is missing
Including review rhythm, vendor accountability, and follow-through.
What the practical quick wins are
So you can reduce risk without turning security into a giant program.
How the baseline should work going forward
With clearer ownership, stronger standards, and better control across the environment.
From there, Technology Leadership helps keep that baseline in place through regular review, vendor oversight, prioritisation, and practical follow-through.
Security basics still matter most
Start with:
stronger account protection
tighter access control
disciplined offboarding
reliable backups
better device standards
clear ownership of risk
Start with the Technology Health Check, then use Technology Leadership to keep the baseline strong.

Gareth Llewellyn
Founder, ProLevel Tech


