Your First Guide to IT Best Practices For Small Organizations
Learn about some of the most important IT best practices you should implement in your small organization.
Byrom Jomaa
March 14, 2025
In approximate order of importance:
Use multifactor authentication on everything—preferably using an app that generates one-time passwords instead of SMS messages—or even better, use a physical security key. We recommend Ente Auth for generating one-time passwords and Yubico for physical security keys.
Wondering what multifactor authentication (MFA) is? MFA is the requirement to use multiple "factors" to prove your identity during authentication to a service, for example, requiring both a password and a one-time code sent to your phone to log in to an account. In technical terms, the factors are "something you know," "something you have," and "something you are." Each factor is satisfied by an "authentication method" such as a password, a fingerprint, or access to a physical device. Keep in mind that an authentication flow only counts as multifactor when the methods belong to different factors: two methods from the same factor do not qualify. For example, using two passwords, or a fingerprint plus facial recognition, does not count as multifactor.
Use a password manager to keep track of credentials and allow for different, long passwords on every account. We recommend Bitwarden or 1Password. Avoiding password reuse and not using similar passwords minimizes the blast radius of one compromised account. Any hacker will try your password, and variations of it, in any service they think you might use.
Password managers allow you to keep track of many more passwords than you could hope to with just your mind, and they can autogenerate secure passwords. They can autofill your usernames and passwords on the login pages of most websites, making them extremely convenient.
Securing your password manager properly is essential. Make sure to enable multifactor authentication for your password manager and use authentication methods you will not lose. One of those authentication methods will be a master password; run it through a trusted password strength tester to make sure it is hard to crack. The Bitwarden Password Tester is a useful tool for this: https://bitwarden.com/password-strength/.
Make automatic daily backups of your data. This includes computers, servers, and some online accounts such as Google Workspace accounts, Microsoft 365 accounts, QuickBooks Online, etc. If you can, it is always best to follow the 3-2-1 rule of backups—three copies of your data, two of which are backups, with one backup stored off-site.
Adhere to the principle of least privilege, i.e., give every user account the least access necessary for the individual using it to do their job. This minimizes the impact of an account compromise. It also reduces insider risk.
Maintain written and well-followed onboarding and offboarding processes for new and departing team members. Doing so reduces the chances of missing important steps to remove access to your valuable data and resources, or to your critical IT systems. An onboarding procedure also helps your new hires hit the ground running with the IT resources and data access they need.
Write a security incident response plan. A security incident response plan improves your preparedness for security incidents.
Hold regular reviews and rehearsals of your incident response plan. Reviews/rehearsals make sure you and your team are ready to respond when the time inevitably comes.