<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Security on IT Made Simple</title><link>https://itmadesimple.co.nz/tags/security/</link><description>Recent content in Security on IT Made Simple</description><generator>Hugo -- gohugo.io</generator><language>en</language><managingEditor>Thaddeus</managingEditor><webMaster>Thaddeus</webMaster><lastBuildDate>Thu, 18 Jun 2026 08:00:00 +1200</lastBuildDate><atom:link href="https://itmadesimple.co.nz/tags/security/index.xml" rel="self" type="application/rss+xml"/><item><title>Windows Updates: Why You Can't Just Ignore Them</title><link>https://itmadesimple.co.nz/posts/windows-updates-why-ignore/</link><pubDate>Thu, 18 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/windows-updates-why-ignore/</guid><description>That &amp;#34;Update and restart&amp;#34; prompt is annoying. But ignoring it is how businesses get ransomware. Here&amp;#39;s what updates actually do and how to manage them without losing your mind.</description><content:encoded><![CDATA[<p>You&rsquo;re in the middle of something. A deadline, a customer on the phone, a report that was due yesterday. And there it is:</p>
<p><strong>&ldquo;Update and restart now.&rdquo;</strong></p>
<p>So you click &ldquo;Remind me tonight.&rdquo; Tonight comes. You click &ldquo;Remind me in 4 hours.&rdquo; You keep clicking it until it forces the restart at the worst possible time, and now you&rsquo;re annoyed at Microsoft.</p>
<p>I get it. I really do. But here&rsquo;s the thing — that prompt is trying to save your business.</p>
<h3 id="what-updates-actually-do">What Updates Actually Do</h3>
<p>There&rsquo;s a misconception that Windows Updates are just Microsoft adding features you don&rsquo;t want and changing things that work fine. Sometimes that&rsquo;s true — the occasional feature update does change the look and feel, and it&rsquo;s annoying.</p>
<p>But the critical updates? The ones that interrupt your work? Those are usually security patches (delivered as part of monthly cumulative updates).</p>
<p>Here&rsquo;s what that means in practice:</p>
<p>Microsoft&rsquo;s security team (and independent researchers) find vulnerabilities in Windows. These are flaws that a criminal could use to get into your computer. Some vulnerabilities require no interaction at all — in some cases, just being on the same network with an unpatched machine is enough. Others rely on phishing or user action.</p>
<p>Microsoft releases a patch to fix the vulnerability. That patch gets delivered via Windows Update.</p>
<p>If you install the patch, you&rsquo;re protected. If you don&rsquo;t, the door stays open. And criminals know exactly which doors are still open — the patches are public. When Microsoft releases a fix, attackers can reverse-engineer the patch to figure out exactly what to exploit on machines that haven&rsquo;t updated yet.</p>
<p><strong>Not updating is like locking your front door but leaving the key in it.</strong></p>
<h3 id="the-wannacry-problem">The WannaCry Problem</h3>
<p>In 2017, a vulnerability called EternalBlue was used to spread the WannaCry ransomware. It infected over 230,000 computers across 150 countries in a few days. Hospitals, businesses, government agencies — all hit.</p>
<p>Microsoft had released a patch for the vulnerability <strong>nearly two months before</strong> the attack.</p>
<p>Most of the businesses that got hit weren&rsquo;t running ancient unsupported Windows. They were mostly Windows 7 and Server 2008 R2 systems &mdash; the same versions many businesses were still running. They just hadn&rsquo;t installed the update.</p>
<p>WannaCry didn&rsquo;t care that you were busy. It didn&rsquo;t care that the update prompt was annoying. It just encrypted everything and demanded $300 in Bitcoin.</p>
<p>The majority of successful ransomware attacks exploit known vulnerabilities with available patches. The gangs aren&rsquo;t using fancy zero-days — they&rsquo;re exploiting the updates people didn&rsquo;t install.</p>
<h3 id="but-updates-break-things">&ldquo;But Updates Break Things!&rdquo;</h3>
<p>This is the counter-argument, and it&rsquo;s not wrong. Sometimes updates do break things. A driver stops working. An app compatibility issue pops up. Something that worked yesterday doesn&rsquo;t work today.</p>
<p>This was more of a problem in the Windows 7/8 era. It still happens occasionally, but Microsoft has gotten significantly better at testing updates before broad release. The &ldquo;update broke my computer&rdquo; scenario is far less common than it used to be.</p>
<p>Here&rsquo;s how to manage the risk without leaving yourself exposed:</p>
<p><strong>Don&rsquo;t install updates on day one. But don&rsquo;t wait three months either.</strong></p>
<p>Let the early adopters find the problems. Wait a week or so after &ldquo;Patch Tuesday&rdquo; (the second Tuesday of each month — that&rsquo;s when Microsoft drops their big security updates). Then install.</p>
<p>You can configure this in Windows through <strong>Windows Update for Business</strong> or <strong>Intune</strong> (if you&rsquo;re on M365 Business Premium). Set a deferral period — give feature updates a longer deferral (30-60 days), but keep security updates shorter (7-14 days).</p>
<h3 id="how-to-set-up-a-basic-update-policy">How to Set Up a Basic Update Policy</h3>
<p>If you&rsquo;re running Windows 10/11 Pro (most business machines do), you can configure this without any extra tools:</p>
<ol>
<li>Open <strong>Settings &gt; Windows Update &gt; Advanced options</strong></li>
<li>Enable <strong>Receive updates for other Microsoft products</strong> (keeps Office updated too)</li>
<li>If available on your version of Windows, under <strong>Choose when updates are installed</strong>, set:
<ul>
<li><strong>Feature updates:</strong> defer by 30 days</li>
<li><strong>Quality updates:</strong> defer by 7 days</li>
</ul>
</li>
</ol>
<p>That&rsquo;s the &ldquo;set and forget&rdquo; level. You&rsquo;ll get security updates within a week of release (early adopters have found any problems by then) and feature updates within a month (plenty of time for news about any issues).</p>
<p>If you&rsquo;ve got M365 Business Premium and Intune, you can do this centrally for all machines — more on that below.</p>
<h3 id="if-youve-got-intune-m365-business-premium">If You&rsquo;ve Got Intune (M365 Business Premium)</h3>
<p>This is where it gets easier. When we covered <a href="https://itmadesimple.co.nz/posts/m365-licensing-which-plan/">M365 licensing</a>, I mentioned that Business Premium includes Intune. One of the best things about Intune is centrally managing Windows updates across all your devices.</p>
<p>You create <strong>update rings</strong> — groups of settings that control when and how updates install. You can set up:</p>
<ul>
<li><strong>A pilot ring:</strong> 5-10 machines get updates first. If something breaks, you catch it before it hits everyone.</li>
<li><strong>Everyone else:</strong> Gets updates 7-14 days after the pilot group.</li>
</ul>
<p>The pilot ring should include non-critical machines and tech-comfortable staff who&rsquo;ll actually report problems. Don&rsquo;t put your most important server in the pilot group.</p>
<p>I&rsquo;ve put together a complete walkthrough on Patreon for setting up Intune update rings — including recommended settings for small business, screenshots, and what to do if an update causes problems.</p>
<h3 id="other-things-updates-cover">Other Things Updates Cover</h3>
<p>It&rsquo;s not just security. Updates also include:</p>
<ul>
<li><strong>Bug fixes:</strong> That weird crash in Excel that happens every Tuesday? Might get fixed in a cumulative update.</li>
<li><strong>Driver updates:</strong> New hardware support and better performance on existing hardware (though these can occasionally cause issues, so some businesses manage them separately).</li>
<li><strong>.NET Framework updates:</strong> A lot of business software depends on this. Missing or mismatched .NET versions are a common cause of app issues.</li>
</ul>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>I know updates are annoying. I know they always seem to fire at the worst time. But the alternative — running unpatched Windows in a business environment — is genuinely dangerous.</p>
<p>Configure a deferral so you&rsquo;re not on day one. Test on a couple of machines first if you&rsquo;re in a managed environment. But actually install them. Every month. Without fail.</p>
<p>The ransomware gangs are counting on you putting it off. Don&rsquo;t make it easy for them.</p>
<hr>
<p><em>For M365 Business Premium users, I&rsquo;ve put together a step-by-step Intune update ring guide on Patreon — with recommended settings, pilot group setup, and rollback procedures if an update causes issues. <a href="https://www.patreon.com/c/ITMadeSimple">Check it out here</a>.</em></p>
]]></content:encoded></item><item><title>Why Your Business Email Gets Hacked (And How to Stop It)</title><link>https://itmadesimple.co.nz/posts/business-email-gets-hacked/</link><pubDate>Tue, 16 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/business-email-gets-hacked/</guid><description>Business email compromise is the number one way small businesses get robbed. Here&amp;#39;s how it actually happens and what to do about it.</description><content:encoded><![CDATA[<p>Last year, a business I know got hit. Not a big company — a small operation, maybe 12 staff. Someone got into their email, monitored the inbox for a few days, and then sent an email to their accounts payable person requesting an &ldquo;urgent payment&rdquo; to a new bank account.</p>
<p>The email came from the boss&rsquo;s actual email address. It looked real. The language was right. The urgency was convincing.</p>
<p>They paid $18,000 before anyone noticed.</p>
<p>This isn&rsquo;t unusual. It&rsquo;s happening every day, all over the world, to businesses just like yours. And it&rsquo;s not because the criminals are genius hackers. It&rsquo;s usually because the basics weren&rsquo;t in place.</p>
<h3 id="how-business-email-actually-gets-compromised">How Business Email Actually Gets Compromised</h3>
<p>Forget the Hollywood image of a hooded figure typing furiously. Here&rsquo;s what actually happens, in order of how common it is:</p>
<h4 id="1-stolen-passwords-the-big-one">1. Stolen Passwords (The Big One)</h4>
<p>Your password leaks in a data breach. It ends up on a list that gets sold on the dark web. Criminals use automated tools to try that same password on email, banking, accounting software — everything.</p>
<p>This is called <strong>credential stuffing</strong>, and it works because people reuse passwords. If your email password is the same one you used on that random forum in 2019 that got breached, your business email is one automated script away from being owned.</p>
<h4 id="2-phishing">2. Phishing</h4>
<p>Someone sends you an email that looks like it&rsquo;s from Microsoft, your bank, or a supplier. There&rsquo;s a link. You click it. You land on a fake login page that looks identical to the real one. You type in your username and password. You&rsquo;ve just handed your credentials to a criminal.</p>
<p>Modern phishing is good. Really good. The fake pages are pixel-perfect. The sender addresses are close enough to fool you when you&rsquo;re busy. The urgency (&ldquo;Your account will be locked in 24 hours!&rdquo;) pushes you to act before thinking.</p>
<h4 id="3-no-multi-factor-authentication">3. No Multi-Factor Authentication</h4>
<p>Even if they get your password, MFA stops them cold. But if you don&rsquo;t have it enabled, a password is all they need. Full stop.</p>
<h4 id="4-session-hijacking">4. Session Hijacking</h4>
<p>You log into email on a public Wi-Fi at a café. Someone on the same network could intercept your session token. They don&rsquo;t need your password — they&rsquo;re already &ldquo;you&rdquo; as far as the server is concerned.</p>
<p>Less common for small businesses, but it happens. Especially if you&rsquo;re checking email at the airport, a hotel, or a coworking space.</p>
<h3 id="what-it-looks-like-when-youre-compromised">What It Looks Like When You&rsquo;re Compromised</h3>
<p>You might not know right away. Sophisticated attackers don&rsquo;t change your password (that would tip you off). They just quietly:</p>
<ul>
<li><strong>Read your emails</strong> to learn how your business works, who your suppliers are, how you talk to your bookkeeper</li>
<li><strong>Set up email forwarding rules</strong> to send copies of certain emails to their own address (you won&rsquo;t see this unless you check your settings)</li>
<li><strong>Send emails from your account</strong> to your contacts, your bank, your staff — whatever serves their purpose</li>
<li><strong>Access connected services</strong> — if your email is the recovery address for your bank, your accounting software, your domain registrar, they can reset passwords on all of them</li>
</ul>
<p>The business I mentioned earlier? The attacker watched their inbox for almost a week before making a move. They learned the business&rsquo;s patterns, who handled payments, what the boss&rsquo;s writing style looked like. Then they struck.</p>
<h3 id="how-to-lock-it-down">How to Lock It Down</h3>
<p>Here&rsquo;s your action list. Do these in order.</p>
<h4 id="step-1-unique-passwords-everywhere">Step 1: Unique Passwords Everywhere</h4>
<p>Every account gets its own password. No exceptions. Use a password manager — Bitwarden (free) or 1Password (paid, excellent). Let it generate random passwords. You don&rsquo;t need to remember them.</p>
<p>This single step eliminates credential stuffing entirely.</p>
<h4 id="step-2-multi-factor-authentication--everywhere">Step 2: Multi-Factor Authentication — Everywhere</h4>
<p>I covered this in the <a href="https://itmadesimple.co.nz/posts/security-audit-small-business/">security audit post</a>, but it bears repeating: <strong>MFA is the single most effective security measure you can take.</strong></p>
<p>Enable it on:</p>
<ul>
<li>Email (M365, Gmail, whatever you use)</li>
<li>Online banking</li>
<li>Accounting software</li>
<li>Domain registrar (this one gets overlooked — if someone takes over your domain, they can intercept all your email)</li>
<li>Cloud storage</li>
<li>Social media</li>
</ul>
<p>Use an authenticator app (Microsoft Authenticator, Google Authenticator, Authy) rather than SMS if possible. SMS is better than nothing, but it can be intercepted through SIM swapping.</p>
<h4 id="step-3-check-for-compromise-right-now">Step 3: Check for Compromise Right Now</h4>
<p>A few things to check today:</p>
<ul>
<li><strong>Recent login activity.</strong> In M365, go to your account security page and check recent sign-ins. Look for locations or devices you don&rsquo;t recognise. In Gmail, scroll to the bottom of your inbox and click &ldquo;Details&rdquo; under &ldquo;Last account activity.&rdquo;</li>
<li><strong>Email forwarding rules.</strong> Check if any rules are forwarding emails to an address you don&rsquo;t recognise. In Outlook: Settings &gt; Mail &gt; Forwarding. In Gmail: Settings &gt; Forwarding and POP/IMAP.</li>
<li><strong>Recovery email and phone number.</strong> Make sure your account recovery options actually point to your current email and phone number. Attackers often change these so they can regain access even after you change the password.</li>
</ul>
<h4 id="step-4-train-your-staff">Step 4: Train Your Staff</h4>
<p>This is the hard one. You can have the best technical controls in the world, but if your office manager clicks a phishing link and enters their credentials, the controls don&rsquo;t matter.</p>
<p>You don&rsquo;t need a corporate training program. You need a 10-minute conversation:</p>
<ul>
<li><strong>Don&rsquo;t click links in emails</strong> that ask you to log in. If Microsoft says your account is expiring, open a browser and go to microsoft.com directly. Don&rsquo;t click the link.</li>
<li><strong>Verify payment requests.</strong> Any email asking for a bank transfer, especially if it&rsquo;s &ldquo;urgent&rdquo; or &ldquo;confidential&rdquo; — verify by phone. Use a number you already have, not one in the email.</li>
<li><strong>Report weird stuff.</strong> If something feels off, tell someone. Don&rsquo;t feel embarrassed. The businesses that recover fastest are the ones where staff speak up quickly.</li>
</ul>
<h4 id="step-5-have-a-response-plan">Step 5: Have a Response Plan</h4>
<p>If the worst happens, what do you do?</p>
<ul>
<li><strong>Change passwords immediately</strong> — email first, then everything else</li>
<li><strong>Check forwarding rules and recovery options</strong></li>
<li><strong>Notify your bank</strong> if there&rsquo;s any chance financial accounts were accessed</li>
<li><strong>Notify your contacts</strong> — if the attacker sent emails from your address, let people know</li>
<li><strong>Check other accounts</strong> — if your email was compromised, assume any account that uses it as a recovery address is also at risk</li>
</ul>
<p>Write this down. Don&rsquo;t figure it out in the moment.</p>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>Email security isn&rsquo;t complicated. It&rsquo;s just unglamorous. Unique passwords, MFA, basic staff awareness, and knowing what to do if something goes wrong. That&rsquo;s it.</p>
<p>The businesses that get hit aren&rsquo;t the ones with bad luck. They&rsquo;re the ones that never turned on MFA, never checked who had access, and never talked to their staff about phishing.</p>
<p>Don&rsquo;t be that business.</p>
<hr>
<p><em>I&rsquo;ve put together a complete MFA rollout guide and staff awareness kit on Patreon — including step-by-step MFA setup for M365, a one-page staff handout on phishing, and an incident response checklist you can fill in with your own details. <a href="https://www.patreon.com/c/ITMadeSimple">Get it here</a>.</em></p>
]]></content:encoded></item><item><title>The Security Audit Every Small Business Should Do</title><link>https://itmadesimple.co.nz/posts/security-audit-small-business/</link><pubDate>Thu, 11 Jun 2026 08:00:00 +1200</pubDate><author>Thaddeus</author><guid>https://itmadesimple.co.nz/posts/security-audit-small-business/</guid><description>Most small businesses have no idea how vulnerable they are. Here&amp;#39;s a practical security audit you can do yourself — no tools, no budget, just a checklist.</description><content:encoded><![CDATA[<p>I&rsquo;m going to ask you some questions. They&rsquo;re not comfortable. But answer them honestly, because criminals already know the answers — they&rsquo;re just waiting for you to keep ignoring them.</p>
<p>When was the last time you checked who still has access to your business email?</p>
<p>Do you know if your ex-employee&rsquo;s laptop still has your files on it?</p>
<p>Could someone walk into your office right now and plug a laptop into your network?</p>
<p>If you hesitated on any of those, this post is for you.</p>
<h3 id="why-security-audits-get-ignored">Why Security Audits Get Ignored</h3>
<p>Let&rsquo;s be honest — nobody wakes up excited to do a security audit. It&rsquo;s not fun. It doesn&rsquo;t directly make money. And for a small business owner already wearing every hat, it&rsquo;s the thing that gets pushed to next month every single month.</p>
<p>The problem is that &ldquo;never&rdquo; is how breaches happen. Not dramatic Hollywood hacking. Just someone reusing a password that leaked in a data breach three years ago, clicking a link in an email dressed up as a voicemail notification, or walking away from a computer that doesn&rsquo;t lock.</p>
<p>Small businesses are the perfect target. You&rsquo;ve got valuable data — customer details, bank access, supplier accounts — but you probably don&rsquo;t have the security guardrails that a larger company has. Hackers know this.</p>
<h3 id="the-audit--what-to-check-right-now">The Audit — What to Check Right Now</h3>
<p>Do all of these. Today, not tomorrow.</p>
<h4 id="1-who-has-access-to-what">1. Who Has Access to What?</h4>
<p>This is the big one.</p>
<ul>
<li><strong>List every system your business uses.</strong> Email, accounting software, bank accounts, social media, file storage, your website, Point of Sale system — everything.</li>
<li><strong>For each system, list who has a login.</strong> Not just current employees. Former employees too.</li>
<li><strong>Remove anyone who shouldn&rsquo;t have access.</strong> If &ldquo;Jake from three years ago&rdquo; still has admin access to your accounting software, that&rsquo;s a problem.</li>
</ul>
<p>Don&rsquo;t forget:</p>
<ul>
<li>Shared Wi-Fi passwords (especially in hospitality/retail)</li>
<li>Master accounts (the generic &ldquo;admin&rdquo; or &ldquo;office&rdquo; login everyone uses)</li>
<li>Third-party access (your accountant, your web developer, your MSP)</li>
</ul>
<p>If you don&rsquo;t have a list, that&rsquo;s problem one. Make the list. Fix it as you go.</p>
<h4 id="2-passwords--get-serious">2. Passwords — Get Serious</h4>
<p>I know. Everyone hates this topic. But it&rsquo;s still the number one way businesses get compromised.</p>
<ul>
<li><strong>Are you reusing passwords?</strong> If your QuickBooks password is the same as your email password, and your email gets breached, the attacker now owns your finances.</li>
<li><strong>Are you sharing passwords?</strong> Shared Gmail inboxes, shared logins to the bank — these are common in small business. They&rsquo;re also a nightmare when something goes wrong and you can&rsquo;t tell who did what.</li>
<li><strong>Get a password manager.</strong> Bitwarden is free for a single user and has a cheap team plan. 1Password is another option. Either is better than the spreadsheet on Karen&rsquo;s desktop called &ldquo;logins.xlsx&rdquo;.</li>
<li><strong>Prefer authenticator apps over SMS codes for MFA</strong> &ndash; SMS can be intercepted via SIM swapping. An authenticator app (like Microsoft Authenticator or Google Authenticator) is stronger protection.</li>
</ul>
<p>The goal: every person has their own login. Every system has a unique password. Nobody&rsquo;s writing passwords on a Post-it note stuck to their monitor. (You know who you are.)</p>
<h4 id="3-multi-factor-authentication--turn-it-on">3. Multi-Factor Authentication — Turn It On</h4>
<p>If you only do one thing from this entire post, make it this.</p>
<p>Turn on multi-factor authentication (MFA) on:</p>
<ul>
<li>Email (M365, Gmail — whichever you use)</li>
<li>Online banking</li>
<li>Accounting software</li>
<li>Cloud storage (OneDrive, Google Drive, Dropbox)</li>
<li>Social media accounts</li>
<li>Anything with customer data</li>
</ul>
<p>MFA means even if someone gets your password, they still can&rsquo;t log in without approving it on your phone. It blocks the vast majority of automated attacks.</p>
<p>Microsoft 365 makes this relatively straightforward &mdash; we covered MFA setup in a <a href="https://itmadesimple.co.nz/posts/what-is-microsoft-entra/">previous post</a>. Email me if you need help.</p>
<h4 id="4-backups--test-them">4. Backups — Test Them</h4>
<p>We covered backups in <a href="https://itmadesimple.co.nz/posts/321-backup-rule-explained/">a previous post</a>, so I won&rsquo;t rehash the whole thing. But the audit question is simple: <strong>When did you last test a restore?</strong></p>
<p>If the answer is &ldquo;never&rdquo; or &ldquo;I don&rsquo;t remember,&rdquo; your backups might not actually work. Backups that you haven&rsquo;t tested are just hope with extra steps.</p>
<p>Pick a file from three months ago. Restore it. Confirm it works. Do the same thing next month. Build it into your routine.</p>
<p>Make sure at least one backup is offline or protected from deletion &ndash; ransomware that gets into your network can also wipe cloud backups.</p>
<h4 id="5-devices--whats-connected">5. Devices — What&rsquo;s Connected?</h4>
<p>Walk around your office. Count every device that connects to your network — computers, printers, phones, tablets, that random Raspberry Pi someone installed for a project two years ago.</p>
<p>Ask yourself:</p>
<ul>
<li>Are they all running current software? (Windows Updates, macOS updates, firmware on the router)</li>
<li>Do they all have passwords/PINs?</li>
<li>Do they lock automatically after a few minutes of inactivity?</li>
<li>Are they encrypted? (BitLocker on Windows, FileVault on Mac)</li>
<li>Is security software active on all devices? (Microsoft Defender is free and built into Windows)</li>
</ul>
<p>That old Windows 10 machine in the back office that &ldquo;still works fine&rdquo;? It&rsquo;s a liability. If it&rsquo;s running an unsupported operating system, it has known vulnerabilities that will never be patched. Replace it or isolate it from the network.</p>
<h4 id="6-physical-security--the-forgotten-layer">6. Physical Security — The Forgotten Layer</h4>
<p>You can have the best passwords in the world, but if someone can walk into your server room, none of it matters.</p>
<ul>
<li>Is your server cupboard locked?</li>
<li>Do you have a guest Wi-Fi network separate from your business machines?</li>
<li>What happens when a stranger walks in and says &ldquo;I&rsquo;m here to fix the printer&rdquo;? (Social engineering is real — verify, don&rsquo;t just trust)</li>
</ul>
<p>This sounds paranoid until the day it isn&rsquo;t.</p>
<h3 id="how-to-make-it-a-habit">How to Make It a Habit</h3>
<p>Don&rsquo;t try to fix everything in one day. Prioritise:</p>
<ol>
<li><strong>This week:</strong> Access audit and MFA everywhere. These are the highest-impact fixes.</li>
<li><strong>This month:</strong> Passwords sorted, backups tested, device inventory done.</li>
<li><strong>Ongoing:</strong> Quarterly review. Every three months, run through the checklist again. New employees, new devices, new software — things change.</li>
</ol>
<p>The goal isn&rsquo;t perfection. It&rsquo;s raising the bar high enough that automated attacks move on to an easier target.</p>
<h3 id="the-bottom-line">The Bottom Line</h3>
<p>You don&rsquo;t need a $50,000 security consultant or enterprise-grade tools. You need to spend a few hours going through a checklist and fixing the obvious stuff. Most small business breaches come from the same handful of basic failures — old passwords, no MFA, ex-employees who still have access, unpatched machines.</p>
<p>Fix the basics. You&rsquo;ll be ahead of 80% of small businesses overnight.</p>
<hr>
<p><em>Want a printable security audit checklist you can work through with timestamps and sign-off fields? I&rsquo;ve put together a full template on Patreon — covering every point above with checkboxes, priority ratings, and quarterly review trackers. <a href="https://www.patreon.com/c/ITMadeSimple">Grab it here</a>.</em></p>
]]></content:encoded></item></channel></rss>