best practices

the five security controls that protect against 85% of attacks

November 12, 2024 CrowdSOC Team 5 min read

The cybersecurity vendor landscape wants you to believe that security is infinitely complex — that every new tool, every new framework, every new threat category demands its own solution. This framing is commercially convenient. It is not operationally accurate.

The data, drawn from incident analysis across thousands of breaches, points to something more useful: a small set of controls, implemented well, prevents or disrupts the overwhelming majority of attacks. The Australian Signals Directorate's "Essential Eight" framework estimated that four controls alone would prevent around 85% of targeted attacks on government networks. CISA's "Cyber Essentials" makes a similar argument for small organizations.

This piece focuses on five foundational controls that represent the highest-leverage security investments available to resource-constrained organizations. None of them require enterprise tooling. All of them are within reach.

why prioritization matters more than comprehensiveness

Most security frameworks are comprehensive by design — they're intended to describe a complete security program. The CIS Controls catalog lists 18 control groups. NIST CSF covers hundreds of subcategory outcomes.

For a large organization with a dedicated security team, comprehensive frameworks are valuable. For a small business with one part-time IT person, they're paralyzing. The mental model that produces results in resource-constrained environments is different: not "what does a complete security program look like?" but "which investments provide the most protection per dollar and hour spent?"

These five controls are that answer.

control 1: multi-factor authentication

MFA is the single highest-impact preventive control available, and its implementation cost for most organizations is effectively zero — Google Authenticator, Microsoft Authenticator, and similar TOTP apps are free.

Microsoft's security team has consistently reported that MFA blocks more than 99% of automated credential attacks. When credentials are stolen via phishing or purchased from dark web marketplaces, MFA converts a guaranteed account compromise into a failed one.

Where to apply MFA first: Prioritize email accounts, VPN and remote access, cloud admin consoles, and financial systems. Apply hardware keys (FIDO2/WebAuthn) to privileged admin accounts if possible — phishing-resistant MFA is meaningfully stronger than TOTP for high-value targets.

One important note: SMS-based MFA (text message codes) is significantly weaker than app-based TOTP or hardware keys. It's still far better than no MFA, but if you're starting from scratch, go directly to an authenticator app.

control 2: tested, offline backups

A ransomware attack against an organization with a solid, tested backup capability is a disruption. Against an organization without one, it's potentially an existential event.

A backup is not useful if:

  • It's connected to the same network as the systems it backs up (ransomware will encrypt it)
  • It has never been tested for restoration
  • The restoration time exceeds your organization's tolerance for downtime
  • It doesn't include all critical data

The 3-2-1 rule provides a simple target: three copies of data, on two different media types, with one copy offsite or air-gapped. Cloud backup services like Backblaze, Wasabi, or iDrive can fulfill the offsite requirement at low cost. Testing restoration quarterly — actually pulling data back and verifying it's intact — is what most organizations skip, and it's the thing that determines whether the backup has any value when you need it.

control 3: patch management

Unpatched software is the most consistently exploited condition in breach data, year over year. Known vulnerabilities with available patches are being exploited in production environments months and years after the patches were released.

Effective patch management requires:

  • An accurate inventory of what software and systems you're running
  • A defined process for testing and applying patches on a regular schedule
  • A shorter schedule (24–72 hours) for critical/actively-exploited vulnerabilities
  • Particular attention to internet-facing systems — these are attacked first

CISA maintains a Known Exploited Vulnerabilities (KEV) catalog — a list of vulnerabilities confirmed to be actively exploited in the wild. For organizations that can't patch everything immediately, this catalog provides a prioritized list of what's most urgent. It's free, authoritative, and updated regularly.
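The matching step the KEV catalog enables, as an added example that is not part of the original post: it joins a software inventory against catalog entries, applies the post's 24–72 hour rule for actively exploited flaws, and orders the result with internet-facing systems first. The catalog entries and inventory are constructed samples (the field names follow the public KEV JSON feed; the CVE ids are placeholders, not real entries).

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like the CISA KEV JSON feed. The field names
# follow the public feed; the CVE ids are placeholders, not real entries.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2024-11-01", "dueDate": "2024-11-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleOffice", "product": "Suite",
     "dateAdded": "2024-10-01", "dueDate": "2024-10-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCo", "product": "Widget",
     "dateAdded": "2024-11-10", "dueDate": "2024-12-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed software inventory (the first requirement of control 3).
INVENTORY = [
    {"host": "vpn-1", "vendorProject": "ExampleVPN", "product": "Gateway", "internet_facing": True},
    {"host": "ws-42", "vendorProject": "ExampleOffice", "product": "Suite", "internet_facing": False},
    {"host": "db-1", "vendorProject": "ExampleDB", "product": "Server", "internet_facing": False},
]

def triage(kev_json, inventory, today, fast_track_hours=72):
    """Match the inventory against the KEV catalog and return affected assets,
    most urgent first. Every KEV entry is actively exploited, so each match
    gets the short 24-72h schedule or CISA's due date, whichever is sooner."""
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)
    fast_track = today + timedelta(hours=fast_track_hours)
    findings = []
    for asset in inventory:
        for entry in by_product.get((asset["vendorProject"], asset["product"]), []):
            cisa_due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "patch_by": min(cisa_due, fast_track).isoformat(),
                "overdue": cisa_due < today,
                "internet_facing": asset["internet_facing"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            })
    # Order: already past CISA's due date, then internet-facing (attacked
    # first), then known ransomware use, then earliest deadline.
    findings.sort(key=lambda f: (not f["overdue"], not f["internet_facing"],
                                 not f["ransomware"], f["patch_by"]))
    return findings
```

Calling `triage(KEV_SAMPLE, INVENTORY, date(2024, 11, 12))` lists the two affected hosts with their deadlines; the database server, which has no catalog entry, is not reported.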

control 4: email security

Phishing is the dominant initial access vector in breach data — consistently responsible for between a third and half of all successful intrusions. Three email authentication standards dramatically reduce spoofing-based phishing:

| Standard | What It Does | Implementation Effort |
| --- | --- | --- |
| SPF | Specifies which servers are authorized to send email from your domain | Low — single DNS record |
| DKIM | Cryptographically signs outbound email to verify authenticity | Low-Medium — DNS record + mail server config |
| DMARC | Defines policy for what to do when SPF/DKIM checks fail; provides reporting | Low — single DNS record (start with p=none) |

These three records, properly configured, prevent most spoofed-domain phishing against your users and protect your domain from being used to send spam.
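An added example, not code from the original post, that checks SPF and DMARC TXT records for the weak settings the table warns about (a permissive SPF `all` qualifier, a DMARC policy still at `p=none`, no reporting address) and shows the starting records beside the hardened target. The records are constructed for an example domain; no DNS lookup is made, and DKIM is not checked because that needs the selector name.

```python
# Constructed DNS TXT records for an example domain (no real lookups are
# made); the weak set is the starting point, the hardened set the target.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.example ?all",
    "_dmarc.example.com": "v=DMARC1; p=none",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def assess(records, domain):
    """Return a list of weaknesses; an empty list means SPF and DMARC are at
    the end-state policy (strict SPF, p=reject, reporting enabled)."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record, so any server may send as " + domain)
    elif spf.split()[-1] not in ("-all", "~all"):
        findings.append("SPF: ends with '%s'; mail from unlisted servers is not flagged"
                        % spf.split()[-1])
    dmarc = records.get("_dmarc." + domain, "")
    if not dmarc.startswith("v=DMARC1"):
        findings.append("DMARC: no record; receivers have no policy for SPF/DKIM failures")
        return findings
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered "
                        "(fine as a first step, then move to quarantine and reject)")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show no "
                        "legitimate mail failing")
    elif policy != "reject":
        findings.append("DMARC: missing or unknown policy '%s'" % policy)
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports on who "
                        "is sending as " + domain)
    if tags.get("pct", "100") != "100":
        findings.append("DMARC: pct=%s applies the policy to only part of the mail" % tags["pct"])
    return findings
```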

control 5: endpoint detection and response (EDR)

The previous four controls are largely preventive. This one is about detection — finding attacks that get through prevention. EDR tools provide visibility into what's happening on endpoints: what processes are running, what network connections are being made, what files are being modified.

The market has made meaningful progress on cost here. Microsoft Defender for Business is included in Microsoft 365 Business Premium. CrowdStrike Falcon Go, SentinelOne, and Malwarebytes for Teams are other options in the sub-$10/endpoint range. Free, open-source options like Wazuh exist for organizations willing to invest more implementation time than money.

The detection problem: EDR generates alerts. Alerts require someone to look at them. An EDR implementation with no one monitoring it provides limited protection. This is where a managed detection layer bridges the gap between tooling and actual coverage.

the order matters

If you're starting from a low security baseline, the sequence in which you implement these controls matters:

  1. MFA on all email and remote access — This closes the highest-volume attack path immediately. Do this first, before anything else.
  2. Verified, tested backups — Before you've had a chance to implement the other controls, you want a recovery path.
  3. Email authentication (SPF, DKIM, DMARC) — Closes the spoofing attack surface. Low effort, high impact, no cost.
  4. Patch critical systems — Start with your perimeter: firewalls, VPN appliances, email systems. Check the CISA KEV catalog for prioritization guidance.
  5. Deploy EDR with monitoring — Add visibility once the first four controls are in place and the noise floor from preventable attacks is reduced.

This is not a complete security program. An organization that implements all five of these controls has not eliminated risk — it has meaningfully reduced that risk and addressed the most common attack paths. The next layer involves network segmentation, identity governance, security awareness training, and incident response planning. But none of that matters until the foundation is solid.

Start here. Get these right. Then build.
