Patch Applications: Updating third-party software (like Chrome, Office, or Zoom) within 48 hours for critical bugs.

Patch Operating Systems: Keeping Windows or macOS up to date to close security holes in the core system.

Application Control: Creating a "VIP list" for software; only approved programs are allowed to run, blocking all unknown malware.

Configure Microsoft Office Macro Settings: Disabling or restricting the automated scripts (macros) that are frequently used in phishing emails to deliver ransomware.

Restrict Administrative Privileges: Ensuring staff only use "standard" accounts for daily work and that "Admin" rights are strictly limited to technical tasks.

Multi-Factor Authentication (MFA): Requiring a second form of ID (like an app or a physical key) so that a stolen password isn't enough for an attacker to log in.

User Application Hardening: Disabling risky features in browsers and PDF viewers (like Java or web ads) that serve as common entry points.

Regular Backups: Keeping disconnected, tested copies of all data so the business can restore everything without paying a ransom.