Security is a pyramid: it is very simple to stop the large number of bots and low-skilled attackers at the bottom of the pyramid and increasingly complicated to stop the small number of skilled attackers at the top. The following 10 steps require more skill to implement as you go down the list, but each one is more resistant to skilled attackers than the last. Ideally, you'd complete all 10 steps.
Secure your perimeter: Ensure your firewalls are up to date, block all external access you do not actually need, and make sure what remains is actively defended and monitored.
Patch everything: Microsoft makes updating your Microsoft software easy, but every third-party application on every PC also needs to be patched regularly. There are many automatic patch management systems available, such as PDQ Deploy (https://www.pdq.com/pdq-deploy/) or Chocolatey (https://chocolatey.org/).
Restrict who has administrator privileges: Do you know exactly who is holding the keys to the network? Checking up on who is an administrator can be very revealing. If everyone runs as a standard user, intruders find it much harder to spread. This is known as the Principle of Least Privilege.
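The "checking up" step above can be scripted. The following is an added example, not code from the original post: it lists the members of the local Administrators group on the machine where it runs and flags anyone who is not on an approved list. The approved list (including the CORP\Domain Admins group name) is an assumption to be replaced with your own; the cmdlets are the standard ones in Windows PowerShell 5.1 and later.

```powershell
# Added example (not from the original post): report members of the local
# Administrators group that are not on an approved list.
# The entries in $Approved are assumptions; replace them with your own.

$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; rename/disable per your policy
    'CORP\Domain Admins'                 # assumed domain group; adjust to your domain
)

function Get-UnexpectedAdmin {
    param([string[]]$ApprovedMembers)

    # Get-LocalGroupMember returns Name as DOMAIN\account or COMPUTER\account,
    # plus ObjectClass (User/Group) and PrincipalSource (Local/ActiveDirectory/...).
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ApprovedMembers -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unexpected = Get-UnexpectedAdmin -ApprovedMembers $Approved
if ($unexpected) {
    Write-Warning "Unexpected members of local Administrators on $($env:COMPUTERNAME):"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Local Administrators group on $($env:COMPUTERNAME) matches the approved list."
}
```

Run it on each workstation and server (for example through Invoke-Command with a list of computer names) and look hard at every line it warns about; nested groups are a common way for unintended users to end up with admin rights, so check the membership of any group that appears as well.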
Password policy: In the last blog post we provided several free policies, including a password policy. You need to adopt one. It is also worth going further: two-factor authentication prevents many security issues.
Harden everything: The default settings on many systems are not secure. Go through and eliminate the default passwords on every application and device. A UPS that powers your servers and still answers to the factory default apc/apc login is a disaster waiting to happen.
Segment and VLAN your network zones: Guest wireless should not be on the same network as your file servers, email, and business systems.
Train your staff to recognize threats: Staff should know the difference between resume.exe and resume.pdf, and recognize "Congratulations, you have won $1,000,000!" for what it is. We need to increase awareness of what threats look like; this is no different from airline crew showing you how to buckle a seat belt and put on an oxygen mask.
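Training works better when the system backs it up. The script below is an added example, not code from the original post: it screens attachment file names for the resume.exe trick (an executable extension, or a document extension hiding in front of one such as resume.pdf.exe) and turns off the Windows Explorer setting that hides known extensions, which is what makes resume.pdf.exe look like resume.pdf in the first place. The sample file names are constructed; the registry path and value name are the standard Windows ones.

```powershell
# Added example (not from the original post): flag file names that use an
# executable or double extension, and make Explorer show file extensions.
# The file names passed at the bottom are constructed samples.

$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.hta', '.ps1')
$DocumentExtensions   = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.txt', '.jpg')

function Test-SuspiciousAttachmentName {
    param([Parameter(Mandatory)][string]$FileName)

    $ext      = [System.IO.Path]::GetExtension($FileName).ToLowerInvariant()      # last extension
    $stem     = [System.IO.Path]::GetFileNameWithoutExtension($FileName)          # name without it
    $innerExt = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()          # extension hiding in the stem

    # Rule 1: the real (last) extension is executable, so this is a program, not a document.
    if ($ExecutableExtensions -contains $ext) {
        $reason = "executable extension '$ext'"
        # Rule 2: a document-looking extension in front of it, e.g. resume.pdf.exe
        if ($DocumentExtensions -contains $innerExt) {
            $reason = "double extension '$innerExt$ext' disguised as a document"
        }
        return [pscustomobject]@{ FileName = $FileName; Suspicious = $true;  Reason = $reason }
    }
    return [pscustomobject]@{ FileName = $FileName; Suspicious = $false; Reason = '' }
}

# Constructed sample names: only the first and fourth should pass.
'resume.pdf', 'resume.exe', 'resume.pdf.exe', 'invoice.docx', 'photo.jpg.scr' |
    ForEach-Object { Test-SuspiciousAttachmentName -FileName $_ } |
    Format-Table -AutoSize

# Show extensions for known file types for the current user (0 = show, 1 = hide).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name 'HideFileExt' -Value 0
```

The Explorer change takes effect after the user signs out and back in (or Explorer restarts); in a domain you would push the same value through Group Policy rather than per machine. The extension lists are deliberately short and should be extended with whatever your mail gateway already blocks.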
Host-based Intrusion Prevention Systems: This is more than just antivirus. OSSEC (https://www.ossec.net) watches logs, file integrity and system state on each host, looking for signs of an intruder.
Implement a DMZ: Nothing externally facing should be on your internal network. External services are holes in your firewall and a way in, and it's only a matter of time before you are breached through one of them; keep them in a separate DMZ segment so that breach does not reach the internal network.
Application Whitelisting: You decide which applications are allowed to run on your network. If you never decide to allow a virus, the virus can never run. This greatly reduces the possibility of bad things occurring.
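On Windows the built-in way to do this is AppLocker. The script below is an added example, not code from the original post: it builds allow rules from the software already installed under Program Files, saves the policy in audit-only mode so that anything the whitelist would block is logged rather than stopped, tests a file against it, and then applies it locally. The output path is an assumption; the cmdlets, service name and registry-free audit/enforce switch are AppLocker's own. It must run as an administrator on a Windows edition that includes AppLocker.

```powershell
# Added example (not from the original post): generate an AppLocker whitelist
# from installed software, start in audit mode, test, then apply.
# $PolicyPath is an assumption; notepad.exe is used only as an existing file to test.

$PolicyPath = 'C:\Temp\applocker-audit.xml'
$TestPath   = 'C:\Windows\System32\notepad.exe'

# AppLocker only evaluates rules while the Application Identity service runs.
# sc.exe is used because Set-Service cannot change this protected service on newer Windows builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Collect publisher and hash information for everything currently installed.
$files = @('C:\Program Files', 'C:\Program Files (x86)') |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse }

# Build allow rules for Everyone: signed files get publisher rules, unsigned ones hash rules.
# -Optimize merges rules that cover the same publisher; -Xml returns the policy as text.
$xml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# Switch every rule collection from NotConfigured to AuditOnly: violations are written
# to the AppLocker event log but nothing is blocked yet, which shows what the list is missing.
$xml = $xml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
Set-Content -Path $PolicyPath -Value $xml -Encoding Unicode

# Dry run: would this file be allowed under the new policy?
# A 'Denied' result here means the policy still needs rules for that location
# (the Windows folder is not covered by rules generated from Program Files).
Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $TestPath -User Everyone

# Apply locally, merging with whatever is already configured.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

Run in audit mode for a few weeks, review the AppLocker event log for files that would have been blocked, add rules for the legitimate ones (including the Windows folder itself, which the example above does not cover), and only then change AuditOnly to Enabled. In a domain, the same XML is imported into a Group Policy object rather than applied per machine.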