So, you’ve started up a new business. Perhaps there’s two, three, maybe four of you and you’re trying to figure out where to start with IT. There’s a lot of IT solutions vying for your attention and so much more information out there covering every aspect of IT security. It can be a daunting task figuring out what you should prioritise. 

Here at Nutbourne, we always say that there are four key things needed for IT security. These are the IT security techniques that are non-negotiable. The things where, if you don’t have them in place, you’re just asking for trouble. You will be vulnerable to cyber-attacks, having your customers’ data stolen and could suffer irreparable reputational damages. 60% of small businesses permanently shut down within 6 months of an attack, so it is incredibly important to start out on the right foot. 

In the event of a critical attack, anyone that comes looking for information, be it insurance companies or the Information Commissioner’s Office (ICO), will not look favourably upon you should you not have these measures in place. It is similar to leaving your front door unlocked. Insurance companies won’t pay out for a break-in if you haven’t followed their security guidelines. 

On top of this, you could fail many steps towards Cyber Essentials, BSI (British Standards Institute) and ISO (International Organization of Standards) certifications due to lax IT security. These certifications may be key to helping you secure new customers, especially those in the public sector who can often only work with companies that achieve these standards. If you want those lucrative government contracts, you have to follow their rules. 

Without further ado, let’s see what your first steps for IT security should be. 

The 4 Key Things Needed for IT Security 

  1. Endpoint Protection 

Endpoint protection is the evolution of antivirus software. Whilst antivirus is important, it is very ‘one-note’ compared to more modern solutions. You can now do things like controlling what content can be accessed on the web, what gets downloaded and it also scans the data before it gets downloaded as well. One of the key differences between standard antivirus and endpoint protection is the addition of heuristics. This is when whatever is downloaded is read by the software to understand what it is, rather than just comparing it to a list of known viruses, like old solutions did. Furthermore, it will offer a certain amount of protection on emails as well, although that is so important that it deserves its own category. 

  1. Email Security 

Everyone knows how much of a problem ransomware is in this day and age, as well as how our inboxes can get clogged up with spam emails. With email security you can kill two birds with one stone. An email filter will stop all unwanted emails before they ever make it to the inbox and with a 99.9% success rate, you shouldn’t be bothered by spam for much longer! 

More importantly, however, is stopping the malicious and targeted attacks that arrive via email. These may take the form of phishing, where someone is trying to steal your passwords. However, they could also get you to download a virus from a site, or simply have the virus as an email attachment. 

Email security can protect you from these attacks, which is ever more important as the prevalence of attacks rise and the fallout from the attacks is getting bigger. 

  1. Security Awareness Training 

You can take the utmost care with choosing the right software options for your company, but your staff are the most important part of your cybersecurity. Starting off, this could be a vulnerability for the company, but you can change it to another line of defence with the right training. For example, if a malicious email gets through to a user and they click on a link to a page asking for their login details, should they not be well versed in the ways of cyber-attacks, they may fill this form in, giving away precious security details. Training could mean that this is completely avoided, simply by the staff member knowing that it might not be legitimate.  

  1. Multi-Factor Authentication (MFA) 

Our 4th and final key security technique is using multi-factor authentication. You may know this as 2-factor authentication, or 2FA, but we say MFA to encompass this and remind you that 2FA is the absolute minimum that you should be using. This is a method in which you can only access a device or service by providing at least two different forms of authentication. One will usually be a password and then a further form of authentication could be entering a code that is sent to your email address or phone number. Alternatively, you could use biometric data, such as fingerprints or face detection. 

MFA is important as if someone gets your password somehow, they still will not be able to access your accounts, unless they have access to your other forms of authentication. While it is unlikely they would have access to your phone or email account to get a code, it would be nigh on impossible to have your face or fingers. 

This an incredibly easy step to comply with as most services will have a simple option that you can tick to enable 2FA. Some people may still see this as an inconvenience and whilst this is partly true, in terms of it taking an extra couple of seconds to login sometimes, the added security far outweighs the inconvenience. Also, it is a lot more convenient than someone getting unauthorised access to your data! 


We know we said 4 key things every company needs, but this is kind of an unofficial 5th one that encapsulates the others. Once you have all of these IT security fundamentals in place, you should lay out some rules for your IT use. There’s no point in getting it all in place and then not enforcing it. Write the policies down. Ensure all staff read and understand the policies, documenting evidence that they have done so. 

Contact Nutbourne 

Of course, this is all a great for getting started with IT security, but there’s a lot more you could be doing to stay protected. With so much on the line, it is certainly worth reducing your chance of falling foul of an attack. 

So, if you’d like to find out more about our cybersecurity services or our work more generally as a London managed service provider, then get in touch! Contact Nutbourne today on +44 (0) 203 7273 or by filling out an enquiry form on our website.