Essential Cybersecurity Practices for Businesses

Enforce Multi-Factor Authentication on Everything

Multi-factor authentication (MFA) requires a user to verify their identity with something they know (a password) and something they have (a code from an app, an SMS, or a hardware token). Even if an attacker obtains a valid password — through phishing, a data breach, or brute force — MFA prevents them from using it.

MFA should be mandatory on every system that carries business data or controls business processes: email (this is the most critical), cloud storage, accounting software, banking portals, remote desktop access, CRM systems, and any admin console. The implementation cost for most cloud services is zero — it's a settings toggle. The protection it provides is enormous. A business that has MFA enabled across all critical systems eliminates the majority of credential-based attack risk at no cost.

• Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) are more secure than SMS codes, which can be intercepted via SIM swap. Use app-based MFA wherever available.
• Backup codes should be stored securely offline when setting up MFA — losing access to the authenticator device without backup codes can lock administrators out of critical systems.
• Never allow MFA to be bypassed "for convenience." Every exception is a gap.

Implement the Principle of Least Privilege

The principle of least privilege means every user, system, and application should have access only to the specific data and systems required for their role — nothing more. A junior accounts clerk does not need access to the HR database. A sales representative does not need administrator access to the file server. A customer-facing web application does not need write access to the entire database.

Overly permissive access is dangerous because it converts a single compromised account into a wide-open door. When a phishing attack succeeds against a staff member with administrator-level access, the attacker inherits those permissions and can cause maximum damage. When it succeeds against an account with limited, role-specific access, the blast radius is contained.

• Conduct an access review at least twice per year — ask: does this person still work here? Does their current role still require this level of access?
• Create a formal joiner-mover-leaver process: access is granted at onboarding, adjusted at role changes, and revoked on the same day as departure — not days or weeks later.
• Separate administrator accounts from daily-use accounts. Nobody should browse the internet or read email with a domain administrator account.

Deploy a Password Manager Organisation-Wide

The average person manages dozens of accounts. Faced with this volume, humans inevitably reuse passwords — the same password (or a minor variation) used across email, banking, social media, and business systems. When any one of those services suffers a data breach and the password is leaked, every other account using it becomes immediately vulnerable.

A password manager solves this by generating and storing a unique, long, random password for every account, requiring the user to remember only one master password. Business-grade password managers (Bitwarden for Teams, 1Password Business, Keeper) also allow shared vault access for team credentials, audit logs of who accessed what, and emergency access procedures. The cost for a full team is typically $3–5 per user per month and eliminates one of the most common attack vectors entirely.

Patch and Update Every System — Without Exception

Software vulnerabilities are discovered constantly — in operating systems, in applications, in firmware. When a vulnerability is discovered and a patch is released, attackers immediately begin scanning for systems that haven't applied it. The window between a patch release and an active exploit targeting unpatched systems is often measured in days, not months.

Automatic updates should be enabled on every device under your control — Windows, macOS, Android, iOS, and every application on them. This includes accounting software, browsers, PDF readers, and any other application that handles business data. The inconvenience of a scheduled restart is trivial compared to the consequence of a ransomware attack exploiting a three-month-old unpatched vulnerability. If automatic updates are disabled "to avoid disruptions," those disruptions are being deferred to a far more damaging event.

• Establish a monthly patching cycle for any systems where automatic updates aren't feasible — servers, specialised equipment, and legacy systems.
• Any device running an end-of-life operating system (Windows 7, Windows 8.1, Android below version 10) should be treated as compromised — it is receiving no security updates and should be immediately replaced or isolated from the network.

Enable Full Disk Encryption on All Devices

Full disk encryption ensures that if a device is stolen, lost, or accessed by an unauthorised person, the data on it is completely unreadable without the correct credentials. For a business laptop left in a taxi in Accra or a phone stolen at an event, encryption is the difference between a hardware replacement and a data breach.

Windows devices use BitLocker (built into Windows Pro and Enterprise, free to enable). macOS devices use FileVault (also free, enabled in System Preferences). Android and iOS devices encrypt by default when a PIN or passcode is set — enforce this on all staff phones that access business email or data. Enabling encryption on existing devices takes minutes and has no impact on daily performance on modern hardware.

Implement Endpoint Detection and Response (EDR)

Traditional antivirus software detects known malware by matching against a database of signatures. Modern attacks increasingly use techniques that evade signature-based detection — fileless malware, living-off-the-land attacks, and zero-day exploits. Endpoint Detection and Response (EDR) solutions use behavioural analysis to detect suspicious activity rather than relying solely on known signatures, and they provide the visibility and response tools needed to contain an incident when one occurs.

For most Ghanaian SMEs, the right starting point is Microsoft Defender for Business (included in Microsoft 365 Business Premium) or a dedicated solution like CrowdStrike Falcon Go, SentinelOne, or Malwarebytes for Teams. The difference between basic antivirus and EDR is the difference between a smoke detector and a full alarm system with a monitoring service — both detect fire, but one tells you about it much earlier and with far more context.

Follow the 3-2-1 Backup Rule

The 3-2-1 rule is the industry-standard framework for backup resilience: keep 3 copies of your data (the original plus two backups), on 2 different types of storage media (such as an external hard drive and a cloud service), with 1 copy stored off-site (either in the cloud or at a physically separate location). This architecture ensures that no single failure — hardware fault, ransomware infection, theft, or fire — can destroy all copies simultaneously.

• Cloud backup services suitable for Ghanaian SMEs include Backblaze Business Backup, Acronis Cyber Backup, and Azure Backup. Most cost between $5–15 per device per month.
• Backup frequency should match how much data loss the business can tolerate. Critical business data (financial records, client databases, active projects) should be backed up daily at minimum — hourly for high-transaction businesses.
• Ransomware-resistant backups must be either air-gapped (physically disconnected) or immutable (the cloud service prevents overwriting backup data for a defined retention period). A backup that is continuously connected to the network can be encrypted by ransomware alongside the primary data — making it worthless at the moment you need it most.

Test Your Backups — They Mean Nothing Until Proven

An untested backup is a hypothesis, not a safety net. The most common disaster recovery failure pattern is a business discovering during an actual incident that their backups were misconfigured, incomplete, corrupted, or covering a different set of data than intended. By the time this is discovered, it is too late to fix.

Schedule a backup restoration test at least quarterly. Pick a random selection of files and attempt to restore them to a test environment. Verify that the restoration completes successfully and that the restored data is intact and usable. Document the result. For business-critical systems — your accounting database, your CRM, your active project files — do this monthly. The test takes an hour; discovering the backup is broken during a crisis takes everything.

Separate Your Networks: Staff, Guest, and IoT

Running a single flat network — where your staff computers, guest Wi-Fi, smart TVs, CCTV cameras, and visitor devices all share the same network segment — means a compromised device in any of those categories can see and potentially reach everything else. Network segmentation uses VLANs or separate SSIDs to isolate these categories from each other.

At minimum, your business should have three separate networks: a staff network for all business devices and systems (no guest access, WPA3 or WPA2-Enterprise if possible), a guest network for visitor devices and customer-facing Wi-Fi (internet access only, no visibility into the staff network), and an IoT / device network for printers, CCTV, smart TVs, and any other networked hardware (isolated from both staff and guest). Most modern business routers and access points support this configuration without additional hardware cost.

Secure Remote Access with a VPN

Remote Desktop Protocol (RDP) exposed directly to the internet is one of the most reliably exploited attack surfaces in business security. Automated scanners probe for RDP on port 3389 continuously — the moment a business opens RDP to the internet, it begins receiving brute-force login attempts within minutes. The same applies to any other remote administration protocol exposed without a protective layer.

Any remote access to your business network should be channelled through a VPN (Virtual Private Network) that authenticates the user before they can even attempt to connect to internal systems. Business VPN solutions appropriate for Ghanaian SMEs include Tailscale (simple, zero-config, free for small teams), Wireguard (open source, excellent performance), and Cisco AnyConnect (enterprise-grade, for larger deployments). Never expose RDP, SSH, or management interfaces directly to the internet — always place them behind VPN access.

Use DNS Filtering to Block Malicious Sites

DNS filtering intercepts requests to malicious, phishing, or inappropriate websites at the DNS resolution stage — before the device even loads the page. It is one of the most cost-effective network security controls available, requiring no client software installation and providing protection for every device on the network, including smartphones and IoT devices.

Cloudflare Gateway (free for basic use), Cisco Umbrella, and Quad9 (free, privacy-focused) all offer DNS filtering services that can block known phishing sites, malware distribution infrastructure, and command-and-control servers used by malware that has already been installed on a device. Configuring DNS filtering takes 15 minutes and requires only changing the DNS server settings on your router.

Train Staff to Recognise Phishing and BEC

A single phishing awareness session at onboarding is not security training — it is a box-ticking exercise. Effective security awareness is continuous, practical, and tested. Staff need to know how to identify suspicious emails (unexpected sender, urgency, unusual payment requests, mismatched domains), what to do when they encounter one (report it, do not click), and that they will never be penalised for raising a concern about a suspicious message — even if it turns out to be legitimate.

The most impactful training involves simulated phishing exercises — controlled fake phishing emails sent to your own staff to test how many click and then deliver targeted education to those who do. Platforms like KnowBe4, Proofpoint Security Awareness, and the free Google Phishing Quiz provide this capability. The results of these exercises consistently show that even security-conscious teams have click rates of 10–30% on well-crafted simulations — before training. After regular training and testing, that number drops dramatically.

Establish a Payment Verification Protocol

Business Email Compromise attacks specifically target payment processes — a fraudulent email appearing to come from your CEO, CFO, or a known supplier requests an urgent payment to a new bank account. These attacks succeed because the request looks credible and staff feel pressure to comply quickly without verification.

The defence is a mandatory out-of-band verification protocol: any payment instruction received by email — particularly for a new payee, a changed account number, or an unusually large amount — must be verified by a separate communication channel (a phone call to a known number, a face-to-face confirmation) before it is processed. This protocol must be non-bypassable regardless of who appears to be making the request or how urgent it appears. The three-minute phone call has prevented losses in the tens of thousands of Ghana Cedis. Skipping it has cost businesses far more.