No business is too small to attract cybercriminals. In fact, small and medium-sized businesses (SMBs) are often more appealing targets for ransomware than large, established enterprises. Limited resources, combined with access to valuable customer data, make them particularly vulnerable.
One of the most persistent blind spots is the assumption that security is somehow built in simply because modern tools or cloud platforms are in use. Many organisations believe that adopting platforms like Microsoft 365, Google Workspace, or Amazon Web Services (AWS) automatically ensures a strong security posture. It does not.
The majority of breaches stem not from advanced hacking, but from weak security architecture, poor design decisions, and misconfigurations.
Attempting to bolt on security after the fact, especially to defend against both sophisticated threats and everyday mistakes, is not only difficult but costly and often ineffective. The most reliable and proven approach is to embed security from the outset: Security by Design.
When practising Security by Design, you should, at a minimum, apply the following principles consistently across your architecture, design, and implementation activities:
| Principle | Summary | Key Rule |
|---|---|---|
| Minimise attack surface area | Remove unnecessary features, endpoints, entry points. | Less code → fewer holes. |
| Establish secure defaults | Default configs must be secure out-of-the-box. | Deny by default. |
| Least privilege | Every component/user gets the minimum privileges needed to function. | Grant only what the task needs, for only as long as it is needed. |
| Separation of duties | No single actor has excessive authority. | Split critical functions across multiple actors. |
| Defence in depth | Layer independent security controls. | One failure ≠ system compromise. |
| Fail securely | On failure, default to closed (deny) state. | Never fail open. |
| Complete mediation | Every access request must be checked. | No cached decisions. |
| Economy of mechanism | Keep security-critical designs simple and small. | Simplicity > complexity. |
| Open design | No security by obscurity. | Assume attackers have your docs/code. |
| Zero Trust | Never implicitly trust internal/external services. | Verify everything. |
| Compartmentalisation | Isolate components. | Breach in one ≠ breach of all. |
| Protect data everywhere | Encrypt data at rest, in transit, and in use. | Even during processing. |
| Design for secure updates | Systems must safely apply patches. | Update ability is a security feature. |
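To make three of the table's principles concrete, here is an added example (not code from the original article) showing a small authorization gate in a fail-open form beside one that applies secure defaults, fail securely and complete mediation. The users, resources and policy table are constructed for illustration.

```python
"""Constructed example: a policy lookup that can fail, and two ways of
handling that failure. Only the second follows the table's principles."""


class PolicyUnavailable(Exception):
    """Simulates the policy backend being unreachable (store down, timeout)."""


# Constructed policy: an explicit allow-list. Anything not listed is denied.
POLICY = {
    ("alice", "invoices"): {"read", "write"},
    ("bob", "invoices"): {"read"},
}


def lookup(user, resource, backend_up=True):
    """Return the permission set for (user, resource); raise if the backend is down."""
    if not backend_up:
        raise PolicyUnavailable
    return POLICY.get((user, resource), set())  # unknown pair -> empty set


def is_allowed_fail_open(user, resource, action, backend_up=True):
    """Anti-pattern: an error on the lookup path is treated as 'allow'."""
    try:
        return action in lookup(user, resource, backend_up)
    except PolicyUnavailable:
        return True  # fails open: an outage silently grants access


def is_allowed_fail_closed(user, resource, action, backend_up=True):
    """Deny by default and never fail open: errors and unknown subjects both deny."""
    try:
        perms = lookup(user, resource, backend_up)
    except PolicyUnavailable:
        return False  # fail securely: an outage denies rather than grants
    return action in perms  # secure default: empty set means denied


def fetch_invoice(user, invoice_id, backend_up=True):
    """Complete mediation: the policy is re-checked on every call rather than
    relying on a decision cached earlier in the caller's session."""
    if not is_allowed_fail_closed(user, "invoices", "read", backend_up):
        raise PermissionError(f"{user} may not read invoices")
    return f"invoice-{invoice_id}"  # constructed stand-in for the real record
```

With the backend down, the fail-open gate lets an unknown user through while the fail-closed gate denies everyone, which is the behaviour the "Fail securely" row calls for.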
