# Protect Overview
## Goal
The Protect section of the playbook is where the company turns what it has learned into real safeguards.
By this point, the company should have assessed its risks and identified its important data, assets, systems, accounts, and dependencies. The next step is to reduce the chance that those things can be misused, exposed, damaged, or taken offline.
For an SME, protection needs to be practical. The company may not have a large security team or an enterprise budget, but it can still make itself much harder to attack. Strong access control, MFA, reliable backups, secure device settings, patching, system hardening, safer networks, and better data handling all reduce real-world risk.
## Key Protection Steps
The Protect section defines the safeguards the company uses to reduce the likelihood and impact of cybersecurity incidents.
This section focuses on practical controls that protect accounts, devices, systems, data, applications, cloud services, backups, networks, and remote access.
### 1. Identity and Access Management
Goal:
Identity and Access Management (IAM) establishes clear controls for how users, administrators, vendors, contractors, and service accounts access company systems and data.
Includes:
This section covers implementing MFA, password managers, least privilege, admin account separation, user provisioning, user deprovisioning, access approval, vendor access, contractor access, service accounts, shared account restrictions, emergency access, and regular access reviews.
### 2. Backup Regimes and Recovery Readiness
Goal:
Establish backup practices that protect the company from ransomware, accidental deletion, data corruption, system failure, and service disruption.
Includes:
This section covers backup scope, backup frequency, 3-2-1 backup structure, offline or immutable backups, SaaS backups, backup encryption, backup access control, backup monitoring, restore testing, backup ownership, and backup documentation.
### 3. Systems Hardening and Secure Configuration
Goal:
Reduce unnecessary exposure by applying secure settings to company systems, applications, devices, cloud platforms, SaaS tools, and network equipment.
Includes:
This section covers secure configuration baselines, removal of unnecessary software, disabling unused services, local admin restrictions, screen locks, disk encryption, browser security settings, Microsoft 365 or Google Workspace hardening, server hardening, firewall hardening, router hardening, and secure configuration of business-critical systems.
### 4. Vulnerability and Patch Management
Goal:
Create a repeatable process for fixing known weaknesses before attackers exploit them.
Includes:
This section covers operating system updates, software patches, browser updates, firmware updates, emergency patching, internet-facing vulnerabilities, unsupported systems, end-of-life software, patch ownership, patch timelines, exception handling, and verification that patches were applied.
### 5. Endpoint, Server, and Mobile Device Protection
Goal:
Protect the devices and servers used to access company systems and data.
Includes:
This section covers endpoint protection, EDR or antivirus, anti-malware controls, device encryption, approved device rules, mobile device controls, remote wipe, lost-device handling, removable media restrictions, local firewall settings, safe software installation, remote worker device protection, and protection of company servers.
### 6. Email, Web, Cloud, and SaaS Protection
Goal:
Protect the platforms where employees communicate, store files, manage customers, process payments, and run daily work.
Includes:
This section covers email filtering, SPF, DKIM, DMARC, malicious link protection, attachment controls, SaaS admin security, external sharing restrictions, OAuth app control, cloud storage permissions, browser protection, website CMS security, domain registrar protection, and security settings for accounting, CRM, payroll, HR, project management, and file storage platforms.
### 7. Network, Remote Access, and Internet Exposure Protection
Goal:
Protect the company network, remote access paths, Wi-Fi, and internet-facing systems.
Includes:
This section covers firewall configuration, secure Wi-Fi, guest network separation, VPN security, remote desktop restrictions, secure DNS filtering, router and firewall admin controls, network segmentation, exposed service review, protection of public-facing systems, and access controls for remote workers.
## Protect Section Table of Contents
1. Identity and Access Management
2. Backup Regimes and Recovery Readiness
3. Systems Hardening and Secure Configuration
4. Vulnerability and Patch Management
5. Endpoint, Server, and Mobile Device Protection
6. Email, Web, Cloud, and SaaS Protection
7. Network, Remote Access, and Internet Exposure Protection