13/10/2025

52 Laws for Cybersecurity, Business & Life


After receiving so much positive feedback and so many comments on a LinkedIn post, I have decided to consolidate the post and its comments into a blog post. For reference, here is a link to the original post. The list is in no particular order, but every item is an important cybersecurity point.

  1. Yes, your Microsoft/Google/other cloud data does need to be backed up.
  2. Yes, your Mac does need anti-virus.
  3. Yes you do need to train your staff on cybersecurity basics.
  4. Having an IT Helpdesk does not make you an MSP.
  5. Compliance tick-box exercises are not the answer.
  6. You can’t outsource your own accountability.
  7. Yes, even small businesses need IT security.
  8. Yes, you need to check and test your backups.
  9. Zero trust principles are not just a saying; they actually work.
  10. 90% of cyberattacks can be stopped by doing the basics.
  11. Cybersecurity is not a one-time project—it’s an ongoing process.
  12. Insider threats are just as dangerous as external ones.
  13. Mobile devices also need proper security controls.
  14. The 3-2-1 backup rule, every time.
  15. Phishing-resistant MFA, immutable and tested backups.
  16. Fix misconfigurations and default credentials.
  17. Keep good logs and run drills.
  18. Use CISA’s cloud baselines as your minimum.
  19. The boring basics win!
  20. Yes, 15 minutes of basic training weekly or monthly can stop 50% of the attacks that originate from inside a protected environment.
  21. Check AD for vulnerabilities and bad configurations by running PingCastle (it’s free!!!).
  22. Use a vulnerability scanner on your servers to mitigate risk of unpatched software.
  23. Use the tools you have to their full extent and you won’t need to pay for super high-end products and services.
  24. Get the basics sorted to the maximum extent to reduce risk and administrative overhead.
  25. You can’t buy a product to fix a process problem.
  26. MFA is the single biggest security win for the least amount of effort.
  27. Admin access should be treated like a nuclear launch code.
  28. Your greatest threat isn’t a complex hack, it’s an employee clicking a bad link.
  29. Just because a tool is new doesn’t mean it’s the right one for your small business.
  30. Update, update, update! Always fix the easy stuff first!
  31. Yes, your owner/director/board needs to give a sh*t.
  32. Out of scope for you does not mean out of scope for the criminals.
  33. You can’t outsource your own accountability.
  34. Log outgoing firewall traffic as well; you can more easily see (and then block) C2 traffic and outgoing data theft.
  35. Yes, your Mac already has anti-virus integrated (XProtect).
  36. It’s all business risk.
  37. Just because it’s cloud or a “well known” solution doesn’t mean it’s secure.
  38. Not everyone needs to be a local administrator.
  39. Programs you don’t need should be removed to reduce vulnerability exposure…
  40. Phishing simulations are not just for compliance; they build resilience.
  41. You can’t protect what you don’t know — maintain an up-to-date asset inventory.
  42. Security tools don’t replace processes or skilled people.
  43. Least privilege isn’t a theory — it’s one of the strongest defences.
  44. Cloud misconfigurations cause more breaches than hackers do.
  45. Incident response plans should be rehearsed, not written and forgotten. A tabletop exercise is the best method for this.
  46. Logs have no value if nobody is looking at them.
  47. AI tools can boost security — and also be used against you.
  48. Compliance ≠ Security. Trust but verify.
  49. Threat actors don’t work 9 to 5 — your defences shouldn’t either.
  50. Encryption for data at rest and data in transit. Long password policy. MFA. Tested backups.
  51. Documentation that is clear and up to date is the best way to ensure your team can become skilled in their assigned roles.
  52. Yes, your employees are your first line of defence AND your biggest vulnerability. Invest in them accordingly.
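Law 34 (log outbound traffic so you can spot C2 and data theft) and law 46 (logs have no value if nobody looks at them) are easier to act on with a concrete check. The following is an added example, not code from the post or from any contributor: two small checks over a constructed sample of outbound-allow firewall events, one flagging near-constant-interval connections (the check-in pattern of C2 beaconing) and one flagging unusually large transfers to a single destination. The log format, field order and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-allow firewall events (assumed format, not real data):
# timestamp, source host, destination IP, destination port, bytes sent.
SAMPLE_LOG = """\
2025-10-13T09:00:00 10.0.0.5 203.0.113.7 443 512
2025-10-13T09:01:00 10.0.0.5 203.0.113.7 443 498
2025-10-13T09:02:00 10.0.0.5 203.0.113.7 443 520
2025-10-13T09:03:00 10.0.0.5 203.0.113.7 443 505
2025-10-13T09:04:00 10.0.0.5 203.0.113.7 443 511
2025-10-13T09:00:07 10.0.0.9 198.51.100.2 443 120000000
2025-10-13T09:00:09 10.0.0.9 198.51.100.2 443 95000000
2025-10-13T09:00:30 10.0.0.12 192.0.2.10 443 7300
2025-10-13T09:17:41 10.0.0.12 192.0.2.11 80 1200
"""

def parse(log_text):
    """Turn each line into (time, src, dst, port, bytes_out)."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return events

def find_beacons(events, min_hits=5, max_jitter=0.2):
    """Flag src->dst:port flows whose gaps between connections are nearly constant,
    the regular 'check-in' pattern typical of C2 beaconing. Returns (flow, avg_gap_s)."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in events:
        times[(src, dst, port)].append(ts)
    hits = []
    for flow, tss in times.items():
        if len(tss) < min_hits:
            continue
        tss.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(tss, tss[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((flow, round(avg)))
    return hits

def find_bulk_egress(events, threshold_bytes=100_000_000):
    """Flag src->dst pairs whose total bytes sent exceed the threshold (possible data theft)."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in events:
        totals[(src, dst)] += nbytes
    return [(pair, total) for pair, total in totals.items() if total > threshold_bytes]
```

On the sample, the first host is flagged for a steady 60-second beacon and the second for sending roughly 215 MB to one external address; in practice the thresholds would be tuned to your own baseline of normal egress.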

Thank you to everybody who contributed to this list. I will hopefully update it from time to time and maybe even organise it better, but for now I hope it will help some businesses.