The First 30 Days of Hardening a Small Business – A Step by Step Timeline

Many organisations intend to improve security but never quite decide where to start. A defined 30 day plan focuses effort and ensures visible progress. This article outlines a practical timeline for hardening a small business environment without trying to change everything at once.

Week 1 – Gain visibility and secure accounts

The first week focuses on understanding what you have and tightening identity.

  • Inventory critical systems – email, file storage, key applications, VPNs, public facing websites.
  • List all administrator accounts for those systems.
  • Enable MFA on all administrative accounts, starting with email, VPN, and cloud management portals; prefer an authenticator app or hardware key over SMS codes where the service supports it.
  • Remove unused admin accounts, and replace shared logins with named accounts so that every administrative action can be traced to one person.

Week 2 – Patch management and device protection

The second week addresses some of the most common technical weaknesses.

  • Update operating systems on servers, laptops, and desktops.
  • Update major applications and browser versions.
  • Ensure endpoint protection is installed and active on managed devices.
  • Enable disk encryption on laptops and mobile devices where supported, and store the recovery keys somewhere other than the device itself.

Week 3 – Backups, email, and web exposure

In week three you focus on resilience and your public facing attack surface.

  • Implement or review daily backups for critical systems and data.
  • Store at least one backup copy separate from your main environment, offline or otherwise isolated, so that a compromised administrator account cannot delete or encrypt it along with the production data.
  • Review your email configuration, including SPF, DKIM, and DMARC settings: SPF should list only your genuine sending hosts and end in -all, outbound mail should be DKIM signed, and DMARC should not be left at p=none once the reports show your legitimate senders are covered.
  • Review access to any remote desktop or management services exposed to the internet; where possible move them behind the VPN or restrict them to known source addresses, since exposed RDP and SSH with password logins are a common entry point.
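As an added example, not part of the original article, the following Python script does the SPF and DMARC part of that review against TXT records you paste in. It flags the settings a reviewer normally looks for: an SPF record that ends in +all or ?all (or has no all term), use of the deprecated ptr mechanism, more than ten DNS-lookup terms (which makes receivers return a permanent error), and a DMARC record with no policy, p=none, a partial pct, or no rua reporting address. The two domains and their records are constructed samples, not real DNS data; in practice you would fetch the TXT records for your own domain (for example with dig) and paste them in, or replace the dictionary with a DNS lookup.

```python
"""Review SPF and DMARC TXT records for common weaknesses.

Added example for a Week 3 email-configuration review. The domains and
records below are constructed samples, not real DNS data.
"""
import re

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 4.6.4 allows at most 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_SPF_LOOKUPS = 10

# Constructed sample records (hypothetical domains, documentation IP range).
SAMPLE_RECORDS = {
    # Weak: neutral 'all', deprecated ptr, monitor-only DMARC, no reports.
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example mx ptr ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    # Hardened: explicit senders, hard fail, enforcing DMARC with reporting.
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100",
    },
}


def check_spf(record):
    """Return a list of findings for one SPF record (empty list = no issues)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1 prefix)"]

    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier, body = "+", term          # a bare mechanism means '+'
        if body and body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        # Mechanism name is everything before ':', '/' or '=' (e.g. include:x, a/24, redirect=x).
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("uses deprecated ptr mechanism")
        if name == "all":
            all_qualifier = qualifier

    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders are treated as neutral")
    elif all_qualifier == "+":
        findings.append("+all: any host on the internet may send as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, gives receivers nothing to act on")
    elif all_qualifier == "~":
        findings.append("~all: softfail; consider -all once all senders are listed")

    if lookups > MAX_SPF_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of "
                        f"{MAX_SPF_LOOKUPS}; receivers will return permerror")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings for one DMARC record (empty list = no issues)."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1 tag)"]
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("no p= tag: record is invalid and will be ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: aggregate reports are not being collected")
    return findings


def review_domain(spf_record, dmarc_record):
    """Run both checks and return the findings keyed by record type."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain)
        for kind, findings in review_domain(records["spf"], records["dmarc"]).items():
            print(f"  {kind}: {'ok' if not findings else ''}")
            for finding in findings:
                print(f"    - {finding}")
```

The script deliberately stops at parsing: it does not follow include or redirect targets, so the lookup count is a lower bound, and a real review should also confirm that the DKIM selector records referenced in your mail headers actually exist.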

Week 4 – Documentation, policies, and routine

The final week converts one time improvements into ongoing practice.

  • Document what you have changed and where key settings are located.
  • Define a monthly patch window and assign an owner.
  • Draft short, focused policies for account use, remote work, and data handling.
  • Plan a quarterly access review and an annual backup restore test.

Keeping the plan realistic

Not every environment can follow this plan exactly. You may need to adjust for legacy systems, vendor constraints, or limited internal resources. The important point is that each week has a clear theme and a defined outcome rather than a vague intent to “improve security”.

The Baseline Security Sprint is built on this kind of structure. It applies a disciplined 30 day approach to your actual environment and leaves you with both improved controls and the documentation to maintain them.

Next step: if you would like to adapt a 30 day hardening timeline to your organisation, a short discovery call can help clarify scope, constraints, and the most effective order of work.