Information Security Basics
- Apply security patches – Patch everything! This includes operating systems, devices, and application software.
- Information security training – Have a formal, ongoing security training and phishing testing program for everyone: employees, management, and contractors.
- Activate Anti-Virus technology – Whether built-in or purchased from a third party, for servers, workstations, and mobile devices.
- Back up business data and key systems – Keep multiple copies online and offline (geographically diverse). Replication is not a backup.
- Remediate compromised devices – Be prepared to re-image and recover compromised devices.
- Deploy a next-generation, application-aware firewall with TLS (SSL) decryption and traffic inspection – Manage and inspect all traffic using application detection and control. Configure the firewall to detect DNS exploits.
- Information Security Policy – Business-defined controls for managing, protecting, and sharing sensitive information, and a framework for security operations.
- Identify business applications and priority – Identify and prioritize key business applications and cloud services. Plan appropriate systems reliability and operations management.
- Identify business data resources – Know what data and data repositories you have, where they reside, and who has access. Periodically audit user access to data and systems.
- Identify IT assets – Know what is connected to your network. This includes servers, workstations, printers, routers, switches, phones, time clocks, alarm systems, sensors, IoT devices, or any device with communication capability.
- Enable logging on all capable devices – Logs do not provide real-time detection, but are vital for post-incident analysis.
- Investigate production system failures for root cause – Identify whether the cause is a security compromise or a system failure.
- Have an Incident Management plan – Have a documented plan for managing security issues from small events to large incidents. Include internal and external communications plans for escalation.
- Have an Information Systems Business Recovery Plan – Have a plan for managing business systems interruption, and how you will recover in an emergency, with timelines that fit the business.
- Have Cyber Insurance – Be prepared to have help when larger incidents occur.
- Revisit all of the above, at minimum, annually – Technology and the threats are constantly changing; confirm that your protections are still relevant.