Cybersecurity in 2025: A Practical Guide for IT Departments

Introduction

Cybersecurity is already top of the agenda for most IT departments. Use this document as a checklist to help ensure your IT technology stack and processes are secure throughout.

For IT departments and security teams with established processes, use this document to double check that the controls in place cover all the points mentioned in here

For IT departments and security teams looking to create security processes, put controls in place covering the points mentioned here.

Operational Controls

We've added references to the core technical controls below to show which ones align to SOC 2, ISO 27001, and NIST references.

Core Technical Controls

Access Management

• Enforce MFA for all users and admins. [SOC2][ISO A.5][NIST PR.AC]
• Role‑based access; least privilege; deny by default. [SOC2][ISO A.5][NIST PR.AC]
• Just‑in‑time elevation with expiry; session recording for admin tasks. [SOC2][ISO A.8]
• Quarterly entitlement reviews; remove dormant accounts in ≤7 days. [SOC2][ISO A.5]

Endpoint Security (Windows, macOS, Linux, Mobile)

• EDR deployed to 100% of managed endpoints with tamper protection. [SOC2][ISO A.8]
• Patch OS and high‑risk apps within SLA (Critical ≤7 days; High ≤14 days). [SOC2][ISO A.8][NIST DE.CM]
• Baseline hardening; device encryption; USB control; local admin removal. [ISO A.8]
• Verified, tested backups for key devices and servers; immutable copies. [SOC2][ISO A.5][NIST PR.DS]

Network and Zero Trust

• Adopt ZTNA for remote access; phase down VPN broad access. [SOC2][ISO A.8]
• Microsegmentation for servers and critical SaaS; block east‑west by default. [ISO A.8]
• DNS security, egress filtering, TLS 1.2+ everywhere. [SOC2][ISO A.8]
• WAF/API gateways in front of public apps; rate limiting and auth. [SOC2][ISO A.8]

Data Protection and Governance

• Data inventory and classification; label regulated data. [SOC2][ISO A.5]
• Encryption at rest and in transit; central key management; secrets rotation. [SOC2][ISO A.8]
• Backups with immutability and offline copy; recovery tests ≥ quarterly. [SOC2][ISO A.5]
• Data residency and transfer controls for regulated regions. [ISO A.5]
• Ensure databases and files on servers should be replicated, mirrored, or ideally both

API, website, and Application Security

• Inventory APIs; authenticate with OAuth2/OIDC; block anonymous writes. [SOC2][ISO A.8]
• Input validation, object‑level auth, and schema enforcement. [ISO A.8]
• Rate limiting; bot and DoS protection; full request logging. [SOC2][ISO A.8]
• Pre‑prod security testing (SAST/DAST), secrets scanning in CI/CD. [SOC2][ISO A.8]

Monitoring and Incident Response

• Centralised logs (auth, admin, EDR, firewall, cloud, SaaS); 90‑day hot; 365‑day cold. [SOC2][ISO A.8][NIST DE.AE]
• Alert tuning for credential abuse, ransomware patterns, data exfiltration. [NIST DE.CM]
• IR playbooks: phishing, ransomware, insider, vendor breach; owners assigned. [SOC2][ISO A.5][NIST RS]
• Tabletop tests ≥ semi‑annual; post‑mortems with action tracking. [SOC2][ISO A.10]

Governance, Risk, and Compliance

Mappings: Policies support SOC 2 Common Criteria; ISO 27001 Annex A controls; NIST CSF Identify/Protect/Detect/Respond/Recover.

People and Process

• Security awareness for all staff; phishing; clear reporting path.
• HR‑IT joiner/mover/leaver automation; access removal within 24 hours.
• Admin access gated by approvals and expiry; activity recorded.
• Employee Cybersecurity Manual

2025 Priorities

• AI threats: deepfake phishing; automated credential stuffing; model abuse. Controls: strong verification for payments/approvals; anomaly detection on auth.
• Cloud posture: CSPM/SSPM; least privilege; secret scanning; baseline guardrails.
• SaaS governance: SSO/MFA enforced; admin scope minimised; export and sharing policies.
• Supply chain: SBOM where feasible; dependency monitoring; vendor breach playbook.

90‑Day Implementation Plan

One‑Page Checklist

• All internet‑facing services inventoried and scanned monthly
• Default deny for inbound; egress controlled
• Secrets rotated; no hard‑coded credentials
• Payment and approval changes verified out‑of‑band
• Critical alerts reach on‑call within 2 minutes