
6 ways to do the boring basics of cyber security

EMCSC

Admin


Cyber security rarely fails because of some exotic new threat. Far more often, it fails because the basics weren’t done – or weren’t kept up. 

Dr Ismini Vasileiou – founder of East Midlands Cyber Security Cluster – calls these “the boring, brilliant fundamentals”. The points aren’t glamorous, but they’re exactly what stops a blip turning into a crisis. 

Here’s how to turn the fundamentals into simple Monday morning actions.

1. Know the assets you’ve got

You can’t protect what you don’t know about. Therefore, make a one‑page list of your core systems and data: laptops, phones, servers, key cloud tools (email, finance, CRM), and any special data (payroll, customer lists, IP). Ask “what are we using that isn’t on this list?” – shadow IT often appears in that conversation.

2. Who can see and do what?

Too many people with too much access is a gift to attackers and insider mistakes. Address it by picking one critical system each week (e.g. finance, HR or CRM) and reviewing who has access and what level. Remove anyone who no longer needs it. Also, turn on multi‑factor authentication (MFA) for email and any system that holds sensitive data.

3. Fix the holes in patching

Out‑of‑date software is one of the easiest ways in for attackers. Each week, check that automatic updates are turned on for laptops, phones, and browsers. Choose a regular slot (say, Friday afternoon) when someone quickly checks that key servers or line‑of‑business apps are up to date. Put it in a diary – don’t just leave it in someone’s head.

4. Backups: assume something will go wrong

When (not if) something fails or gets encrypted, backups are what turn disaster into an inconvenience. Ask yourself: “Where’s our backup? When was it last tested?” Take action by running a quick restore test of a single file or small dataset from backup. Confirm how long it took and who knows how to do it.

5. Your risk is your supplier’s risk

Customers now routinely check your security; you should be doing the same with key suppliers. Start by listing your top 5-10 critical suppliers (IT support, cloud services, payment providers, key logistics/production partners). For each, note what would happen if they were down for a week. If the answer is “we’d be stuck”, start a conversation about their security and continuity arrangements.

6. Incident readiness: practice before it’s real

The worst time to decide who does what in a crisis is during the crisis. Prepare in advance by writing a one‑page incident crib sheet: who to call, who can take decisions, where you’ll record what’s happening, and who talks to customers. Next, book a 30‑minute tabletop exercise: walk through a simple scenario (e.g. “we’ve lost access to email” or “a supplier tells us they’ve been breached”) and see where people get stuck.

Doing the boring basics brilliantly isn’t about perfection or big budgets. It’s about picking a few fundamentals, acting on them this week, and repeating them until they become part of “how we do things around here”.

  • This post is part of a series based on content from speakers at the East Midlands Cyber Summit. The Summit was delivered by East Midlands Cyber Security Cluster as part of its CyberGrowth programme.

© 2026 East Midlands Cyber Security Cluster CIC. Company number 14943210.
