Your First 30 Days: From Zero to Basic Protection
You have decided to take cybersecurity seriously. Congratulations - that decision alone puts you ahead of many Belgian SMEs. This guide gives you a concrete, week-by-week plan to go from "where do I start?" to basic protection in just 30 days. No jargon, no overwhelming lists - just practical actions you can take today.
What You Will Achieve
By day 30, you will have implemented the essential security controls that protect against 80% of common cyber attacks. You will have documentation ready for compliance purposes, trained staff on security basics, and a clear path forward. This is not about perfection - it is about meaningful progress that protects your business.
Week 1: Assessment and Quick Wins
Know where you stand and secure the easy targets
The first week is about understanding your current situation and implementing the security measures that take minutes but block the most common attacks.
Security Assessment
Take inventory of your current security posture. You cannot protect what you do not know about.
- List all devices (computers, phones, tablets, servers) used for business
- Identify all software and cloud services your team uses
- Document who has access to what systems and data
- Note any existing security measures (antivirus, passwords, etc.)
Enable Multi-Factor Authentication (MFA)
MFA blocks 99.9% of automated attacks. This is your highest-impact quick win.
- Enable MFA on all email accounts (Microsoft 365, Google Workspace)
- Enable MFA on your banking and financial services
- Enable MFA on cloud storage (OneDrive, Google Drive, Dropbox)
- Use authenticator apps rather than SMS when possible
Update Everything
Outdated software is the #1 way attackers get in. Updates close these doors.
- Update all operating systems (Windows, macOS) to latest versions
- Update all browsers (Chrome, Edge, Firefox)
- Update Microsoft Office or other productivity software
- Enable automatic updates wherever possible
- Remove any software you no longer use
Milestone (end of Week 1): MFA enabled on all critical accounts, all systems updated, and a clear picture of your IT environment.
Week 2: Core Security Controls
Build your defensive foundation
With quick wins secured, Week 2 focuses on implementing the core security controls that form the foundation of any protection strategy.
Antivirus and Endpoint Protection
Every device needs protection against malware. Modern solutions are lightweight and effective.
- Ensure all Windows computers have Windows Defender enabled and updated
- Consider Microsoft Defender for Business for centralized management
- Verify antivirus is running on all Macs (built-in or third-party)
- Enable real-time scanning and scheduled full scans
- Set up email notifications for detected threats
Firewall Configuration
Firewalls control what traffic can enter and leave your network.
- Verify Windows Firewall is enabled on all computers
- Check your router/modem firewall settings (contact provider if unsure)
- Disable remote management access on your router
- Change default passwords on network equipment
- Document your network layout for future reference
Backup Setup
Backups are your insurance policy. When (not if) something goes wrong, backups save your business.
- Identify critical business data (customer info, financials, documents)
- Set up automatic cloud backup (OneDrive, Google Drive, or dedicated backup)
- Follow the 3-2-1 rule: 3 copies, 2 different media, 1 offsite
- Test a restore - backups that cannot be restored are useless
- Document your backup schedule and locations
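The restore test in the list above is the step most often skipped, so here is an added example (not part of the original guide) of how to make it objective: compare every file in the live folder with the copy you restored from backup, byte for byte via SHA-256, and list what is missing or altered. The sample folders are constructed in a temporary directory so the script runs offline; in practice you would point it at your real source folder and the folder you just restored.

```python
"""Restore test: compare a restored copy of a folder against the live source.

Added example for this guide, not the article's own tool. The sample source
and the deliberately broken restore are constructed below so it runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of one file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def verify_restore(source: Path, restored: Path) -> dict[str, list[str]]:
    """Compare the restored copy with the source.

    'missing' = files the restore did not bring back, 'altered' = files whose
    content differs (truncated or corrupted), 'extra' = files only in the
    restore. A passing restore test has empty 'missing' and 'altered' lists.
    """
    src, rst = hash_tree(source), hash_tree(restored)
    return {
        "missing": sorted(set(src) - set(rst)),
        "altered": sorted(f for f in src.keys() & rst.keys() if src[f] != rst[f]),
        "extra": sorted(set(rst) - set(src)),
    }


def restore_test_passed(report: dict[str, list[str]]) -> bool:
    return not report["missing"] and not report["altered"]


def build_sample() -> tuple[Path, Path]:
    """Constructed sample: a small source tree and a restore with two failures."""
    base = Path(tempfile.mkdtemp(prefix="restore-test-"))
    source, restored = base / "source", base / "restored"
    files = {
        "customers/list.csv": b"name,email\nAcme,info@example.invalid\n",
        "finance/2024-q1.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
        "docs/contract.pdf": b"%PDF-1.4 constructed sample\n",
    }
    for rel, data in files.items():
        for root in (source, restored):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    # Two common restore failures: a truncated file and a file that never came back.
    (restored / "finance/2024-q1.xlsx").write_bytes(b"PK\x03\x04")
    (restored / "docs/contract.pdf").unlink()
    return source, restored


if __name__ == "__main__":
    src, rst = build_sample()
    report = verify_restore(src, rst)
    for category, names in report.items():
        print(f"{category}: {names}")
    print("restore test passed" if restore_test_passed(report) else "restore test FAILED")
```

Run it after each quarterly restore drill and keep the printed report with your backup documentation; it is exactly the kind of evidence a compliance reviewer asks for.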
Milestone (end of Week 2): All devices protected with antivirus, firewalls configured, and automated backups running for critical data.
Week 3: Access Control and Documentation
Who can access what, and how do you prove it?
Week 3 focuses on controlling access to your systems and creating the documentation that proves your security measures are in place.
Access Control Review
Limit access to only what each person needs. This contains the damage if one account is compromised.
- Review who has admin/owner access - minimize this list
- Remove access for anyone who has left the company
- Implement "least privilege" - people only get the access they need for their job
- Create separate accounts for admin tasks (do not use admin for daily work)
- Document who has access to what and why
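An access review is easier to do consistently when the "who has what" list from the last step is kept as data rather than a memory. The following is an added example (not the guide's own tool) that takes a list of access grants and the current staff roster and produces the three findings the list above asks for: access still held by people who have left, the privileged roles that remain, and accounts used for both daily work and admin duties. Names, systems and accounts are constructed sample data.

```python
"""Access review helper for the Week 3 checklist.

Added example for this guide, not part of the original article. The grants,
people and systems below are constructed sample data; in practice the roster
comes from HR and the grants from each system's admin console.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    person: str   # who holds the access
    system: str   # e.g. "Microsoft 365", "Accounting", "File server"
    role: str     # "admin", "owner" or "user"
    account: str  # the login used for this access


def review_access(grants: list[Grant], current_staff: set[str]) -> dict[str, list[str]]:
    """Return review findings grouped by category, each as sorted readable lines."""
    findings: dict[str, list[str]] = {"leavers": [], "admins": [], "shared_admin": []}

    for g in grants:
        # Anyone not on the roster has left: their access must be removed.
        if g.person not in current_staff:
            findings["leavers"].append(f"{g.person}: {g.role} on {g.system} ({g.account})")
        # Privileged roles are listed so the owner can confirm each is still needed.
        elif g.role in ("admin", "owner"):
            findings["admins"].append(f"{g.person}: {g.role} on {g.system} ({g.account})")

    # One account carrying both a daily-work role and an admin role on the same
    # system exposes the admin rights to everyday phishing and malware.
    roles_by_account: dict[tuple[str, str, str], set[str]] = {}
    for g in grants:
        roles_by_account.setdefault((g.person, g.system, g.account), set()).add(g.role)
    for (person, system, account), roles in roles_by_account.items():
        if person in current_staff and "user" in roles and roles & {"admin", "owner"}:
            findings["shared_admin"].append(
                f"{person}: {account} on {system} is used for both daily work and admin"
            )

    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample data for the demo and the test.
SAMPLE_GRANTS = [
    Grant("An", "Microsoft 365", "admin", "an@example.invalid"),
    Grant("An", "Microsoft 365", "user", "an@example.invalid"),   # same account for both
    Grant("Bart", "Microsoft 365", "user", "bart@example.invalid"),
    Grant("Bart", "Accounting", "admin", "bart.admin"),            # separate admin account
    Grant("Bart", "Accounting", "user", "bart"),
    Grant("Chris", "File server", "user", "chris"),                # left the company
]
CURRENT_STAFF = {"An", "Bart"}


if __name__ == "__main__":
    for category, lines in review_access(SAMPLE_GRANTS, CURRENT_STAFF).items():
        print(f"== {category} ==")
        for line in lines:
            print("  " + line)
```

The output doubles as the "who has access to what and why" record: add a column with the justification and keep the file with your Week 3 documentation.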
Password Policy
Weak passwords are easy targets. A good policy makes attacks much harder.
- Require minimum 12-character passwords for all accounts
- Encourage passphrases (easier to remember, harder to crack)
- Implement a password manager for the team (Bitwarden, 1Password)
- Prohibit password reuse across services
- Never share passwords via email or chat
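To make the policy above checkable rather than aspirational, here is an added example (not the guide's own code) of a small checker that enforces its three testable rules: a 12-character minimum, rejection of commonly used passwords, and no reuse across services. The reuse check keeps only salted fingerprints of existing passwords, never the passwords themselves. The common-password list is a constructed stand-in for a real breached-password list, and the stored credentials are constructed sample data.

```python
"""Password policy checker for the Week 3 policy.

Added example for this guide, not part of the original article. COMMON_PASSWORDS
is a tiny constructed stand-in for a real breached-password list; the vault
contents below are constructed sample data.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12

# Constructed stand-in; a real deployment checks against a large breached list.
COMMON_PASSWORDS = {"password1234", "welcome12345", "qwertyuiop12", "123456789012"}


class CredentialVault:
    """Keeps one salted fingerprint per service so reuse can be detected
    without ever storing the passwords themselves."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._fingerprints: dict[str, str] = {}  # service -> fingerprint

    def _fingerprint(self, password: str) -> str:
        return hmac.new(self._salt, password.encode("utf-8"), hashlib.sha256).hexdigest()

    def remember(self, service: str, password: str) -> None:
        self._fingerprints[service] = self._fingerprint(password)

    def reused_on(self, password: str, exclude: str) -> list[str]:
        """Return the other services already using exactly this password."""
        fp = self._fingerprint(password)
        return sorted(s for s, f in self._fingerprints.items() if f == fp and s != exclude)


def check_password(password: str, service: str, vault: CredentialVault) -> list[str]:
    """Return the policy violations for a proposed password; an empty list means accepted.

    Passphrases pass automatically: 'orange bicycle river 42' is 23 characters,
    which is why the policy encourages them.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    reused = vault.reused_on(password, exclude=service)
    if reused:
        problems.append("already used for: " + ", ".join(reused))
    return problems


if __name__ == "__main__":
    vault = CredentialVault()
    vault.remember("Microsoft 365", "orange bicycle river 42")   # constructed existing credential
    for candidate in ("Summer2024", "Password1234", "orange bicycle river 42", "mauve teapot glacier 7"):
        verdict = check_password(candidate, "Banking", vault) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

A team password manager such as those named above performs these same checks for you; the script shows what "implemented" means if you have to verify the policy yourself.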
Security Documentation
Document what you have done. This is essential for compliance and continuity.
- Create a simple IT inventory document (devices, software, accounts)
- Write down your backup procedures and test dates
- Document your access control decisions
- Create a basic incident response plan (who to call when something goes wrong)
- Store documentation securely but accessibly
Milestone (end of Week 3): Access rights reviewed and tightened, password policy implemented, core security documentation in place.
Week 4: Review, Train, and Plan
Lock in your progress and prepare for the future
The final week is about reviewing what you have built, training your team, and planning your next steps toward full compliance.
Security Awareness Training
Your team is your first line of defense. Brief training dramatically reduces human-error risks.
- Brief all staff on recognizing phishing emails (suspicious links, urgency, requests for credentials)
- Explain the importance of reporting suspicious activity
- Review the password policy and why it matters
- Cover physical security basics (locking screens, visitor protocols)
- Document that training occurred and who attended
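The three phishing signs named in the first bullet (urgency, requests for credentials, suspicious links) are easier to teach with a concrete message in front of the team. The following is an added example (not part of the guide) that takes a constructed training email and lists the indicators it contains: urgency phrases, credential requests, links whose visible text names a different domain than they actually point to, and a Reply-To address that does not match the sender. The phrase lists are illustrative teaching aids, not a production mail filter, and both sample emails are constructed.

```python
"""Highlight phishing indicators in a sample email for awareness training.

Added example for this guide, not part of the original article. The keyword
lists are illustrative only and both emails below are constructed samples.
"""
import re
from email import message_from_string

URGENCY = ("immediately", "within 24 hours", "account will be suspended", "urgent", "final notice")
CREDENTIAL_REQUESTS = ("verify your password", "confirm your password",
                       "enter your credentials", "log in to confirm")
# HTML links: capture the real destination and the text the reader sees.
LINK_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def domain_of(address_or_url: str) -> str:
    """Domain part of a URL or of an e-mail address like 'Name <user@host>'."""
    m = DOMAIN_RE.search(address_or_url)
    if m:
        return m.group(1).lower()
    return address_or_url.rsplit("@", 1)[-1].strip("<> ").lower()


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the indicators found in one RFC 822 message (empty list = none found)."""
    msg = message_from_string(raw_email)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    lowered = text.lower()
    found = []
    for phrase in URGENCY:
        if phrase in lowered:
            found.append(f"urgency: '{phrase}'")
    for phrase in CREDENTIAL_REQUESTS:
        if phrase in lowered:
            found.append(f"credential request: '{phrase}'")
    # A link whose visible text looks like one site but leads to another.
    for m in LINK_RE.finditer(text):
        shown, target = m.group("text").strip(), m.group("href")
        if DOMAIN_RE.search(shown) and domain_of(shown) != domain_of(target):
            found.append(f"link shows {domain_of(shown)} but goes to {domain_of(target)}")
    sender, reply_to = msg.get("From", ""), msg.get("Reply-To", "")
    if reply_to and domain_of(reply_to) != domain_of(sender):
        found.append(f"replies go to {domain_of(reply_to)}, not the sender's {domain_of(sender)}")
    return found


# Constructed training sample (all domains are invented).
SAMPLE_EMAIL = """From: "Microsoft 365 Support" <support@m365-security-alerts.example>
Reply-To: billing@mailbox-reset.example
To: an@example.invalid
Subject: Final notice: your mailbox will be suspended
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you
<a href="http://login.mailbox-reset.example/verify">verify your password</a>
at <a href="http://account-check.example">https://portal.office-login.example</a>.</p>
"""

# Constructed ordinary message for comparison.
BENIGN_EMAIL = """From: Bart <bart@example.invalid>
To: An <an@example.invalid>
Subject: Lunch on Thursday?
Content-Type: text/plain

Shall we meet at noon? Agenda attached.
"""

if __name__ == "__main__":
    for name, mail in (("training sample", SAMPLE_EMAIL), ("ordinary mail", BENIGN_EMAIL)):
        indicators = phishing_indicators(mail)
        print(f"{name}: {len(indicators)} indicator(s)")
        for line in indicators:
            print("  - " + line)
```

Use the printed list as the discussion points of the training session: each line is one habit to build (hover over links before clicking, distrust deadlines, never follow a link to "verify" a password) and the session attendance record then covers the last bullet above.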
Progress Review
Review everything you have implemented and identify any gaps.
- Go through your Week 1-3 milestones - what is complete?
- Verify MFA is working on all critical accounts
- Confirm backups are running and test another restore
- Check that all devices are updated and protected
- Document any incomplete items for follow-up
Next Steps Planning
Basic protection is achieved. Now plan your path to full compliance.
- Review the CyberFundamentals Small tier checklist - what is missing?
- Identify your next priority areas (often: email security, encryption)
- Consider whether you need external IT support for advanced items
- Set a date for your next security review (quarterly recommended)
- Celebrate your progress - you have significantly improved your security
Milestone (end of Week 4): Team trained on security basics, all Week 1-3 controls verified, and a clear plan for continued improvement.
Connection to CyberFundamentals Small
This 30-day plan aligns with the CCB's CyberFundamentals Small tier - the baseline that every Belgian organization should meet. The 7 controls covered are:
| ID | Control | Covered In |
|---|---|---|
| S.1 | Malware Protection | Week 2: Antivirus setup |
| S.2 | Patch Management | Week 1: Updates and auto-updates |
| S.3 | Secure Authentication | Week 1: MFA enabled |
| S.4 | Access Control | Week 3: Access review and least privilege |
| S.5 | Backup | Week 2: Automated backups with 3-2-1 rule |
| S.6 | Network Security | Week 2: Firewall configuration |
| S.7 | Security Awareness | Week 4: Staff training |
Your 30-Day Checklist
Track your progress with this summary checklist:
Week 1
- Device/software inventory
- MFA on all critical accounts
- All systems updated
- Auto-updates enabled
Week 2
- Antivirus on all devices
- Firewalls configured
- Automated backups running
- Backup restore tested
Week 3
- Access rights reviewed
- Password policy implemented
- Password manager deployed
- Core documentation created
Week 4
- Staff security training
- All controls verified
- Gaps documented
- Next steps planned
Ready to Start Your 30 Days?
Easy Cyber Protection guides you through these 30 days with task-by-task instructions, automatic progress tracking, and evidence collection for compliance. Start free with the Small tier.
Frequently Asked Questions
What if I cannot complete everything in 30 days?
That is fine. The 30-day timeline is a guide, not a deadline. What matters is making consistent progress. If you need 45 or 60 days, take them. The goal is implementation, not speed. Focus on completing each step properly rather than rushing.
Do I need technical knowledge to follow this plan?
Basic computer literacy is enough for most tasks. Enabling MFA, updating software, and setting up cloud backups are designed to be user-friendly. For network configuration or complex setups, you might ask your IT provider for help - but many SMEs complete this plan themselves.
How much will this cost?
The CyberFundamentals Small tier can be implemented with minimal cost. Windows Defender is free, MFA is included with Microsoft 365 and Google Workspace, and basic cloud backup is often included in your existing subscriptions. A password manager costs around 3-5 EUR per user per month. The main investment is your time.
Is 30 days enough to be secure?
Thirty days is enough to achieve basic protection that blocks most common attacks. It is not enough for full compliance with higher CyberFundamentals tiers or comprehensive security. Think of it as building a solid foundation - you will continue building on it over time.
What happens after the 30 days?
After completing basic protection, you have several paths: maintain your current level with regular reviews, work toward CyberFundamentals certification, or progress to higher tiers (Basic, Important) if required by your sector. Our compliance roadmap guide covers the next steps in detail.
Sources
- CyberFundamentals Framework — Centre for Cybersecurity Belgium (CCB)
- MFA prevents 99.9% of account attacks — Microsoft Security Blog
- Shields Up - Cybersecurity Guidance — CISA (Cybersecurity and Infrastructure Security Agency)