Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.diekerit.com/llms.txt

Use this file to discover all available pages before exploring further.

A solid IT security strategy goes beyond installing antivirus software. It requires a combination of technical controls, organizational processes, and a security-aware culture. The practices in this guide help you build a resilient foundation that protects your data, meets regulatory requirements, and keeps your operations running when things go wrong.

Regular backups

Data loss can result from ransomware, hardware failure, accidental deletion, or natural disasters. Regular, tested backups are the most reliable way to ensure business continuity.
1

Define your backup schedule

Determine how frequently critical data changes and back up accordingly. For most businesses, daily incremental backups with weekly full backups provide a good balance of coverage and storage cost.
2

Store backups in multiple locations

Follow the 3-2-1 rule: three copies of your data, on two different media types, with one stored offsite or in a secure cloud environment.
3

Test your recovery process

A backup that has never been tested is an untested assumption. Run restore drills at least quarterly to confirm your recovery time objectives (RTOs) are achievable.
4

Protect backups from ransomware

Use immutable backups or air-gapped storage so ransomware cannot encrypt or delete your backup copies.

Employee training and phishing awareness

Your employees are both your greatest asset and your most targeted attack surface. Attackers use phishing, pretexting, and social engineering because these tactics work — especially against untrained staff.

Phishing simulations

Run simulated phishing campaigns to measure how staff respond and identify who needs additional training.

Security awareness training

Conduct regular, role-based training sessions covering phishing, password hygiene, data handling, and incident reporting.

Clear reporting channels

Make it easy for employees to report suspicious emails or incidents without fear of blame. Early reporting limits the damage of an attack.

Onboarding security training

Include security training as a mandatory part of onboarding so new employees understand expectations from day one.
Short, frequent training sessions are more effective than annual workshops. Aim for monthly micro-trainings or security newsletters to keep awareness high.

Network segmentation

Flat networks give attackers unrestricted lateral movement once they gain a foothold. Segmentation limits the blast radius of a breach by isolating systems that do not need to communicate.
  • Corporate vs. guest Wi-Fi: Never let visitors onto the same network as your internal systems.
  • Production vs. development: Keep development and test environments isolated from production data.
  • Finance and HR systems: Restrict access to sensitive systems to only the users and devices that require it.
  • IoT and operational technology: Printers, cameras, and smart devices should be on a dedicated VLAN.

VPN for remote workers

Remote access without a VPN exposes your internal systems to interception and unauthorized access. A VPN encrypts traffic between the employee’s device and your network.
A VPN alone is not sufficient. Combine it with MFA and endpoint security controls to protect remote access effectively.
1

Choose a business-grade VPN solution

Select a solution that supports MFA, provides centralized logging, and is actively maintained with security patches.
2

Enforce VPN use for all remote access

Configure policy so that employees cannot access internal resources — email, file shares, business applications — without first connecting to the VPN.
3

Use split tunneling carefully

Split tunneling reduces bandwidth load but can route internet traffic outside the VPN. Evaluate the risk before enabling it and apply DNS filtering to protect unencrypted traffic.

Incident response planning

When a security incident occurs, the cost of the breach is heavily influenced by how quickly and effectively you respond. An incident response plan (IRP) ensures your team acts consistently instead of improvising under pressure. A well-structured IRP covers:
  1. Preparation — roles, responsibilities, tools, and communication templates
  2. Detection and analysis — how incidents are identified and triaged
  3. Containment — steps to isolate affected systems and prevent spread
  4. Eradication — removing the threat from your environment
  5. Recovery — restoring systems to normal operation
  6. Post-incident review — documenting lessons learned and improving defenses
Test your incident response plan with tabletop exercises at least once a year. An untested plan is unlikely to work under the stress of an actual incident.

DSGVO / GDPR compliance

If you process personal data from EU residents, the General Data Protection Regulation (GDPR) — known in Germany as the DSGVO (Datenschutz-Grundverordnung) — applies to your organization. Non-compliance carries significant financial penalties and reputational risk.
Collect only the personal data you actually need, and use it only for the purposes you declared to the data subject. Avoid accumulating data “just in case.”
You must be able to respond to requests for access, correction, deletion, and data portability. Build processes and tooling to handle these requests within the required 30-day window.
Under GDPR, you must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that poses a risk to individuals. Have a notification process ready before you need it.
If you share personal data with third-party vendors or cloud providers, you need a Data Processing Agreement (DPA) in place. Review these agreements regularly.
Maintain a Record of Processing Activities (RoPA) documenting what personal data you process, why, and for how long. This is required under Article 30 GDPR for most organizations.

Vendor risk management

Third-party vendors with access to your systems or data can introduce risk that bypasses your own controls. A vendor risk management program helps you identify and mitigate these exposures.
1

Inventory your vendors

Maintain a register of all vendors with access to your systems, data, or network. Include cloud services, SaaS tools, and contractors.
2

Assess vendor security posture

Request security questionnaires, certifications (ISO 27001, SOC 2), and penetration test reports from vendors handling sensitive data.
3

Apply the principle of least privilege to integrations

Grant vendors only the minimum access needed for their service. Revoke access immediately when a vendor relationship ends.
4

Review vendor agreements

Ensure contracts include security requirements, breach notification obligations, and data processing agreements where required by GDPR.
For device-level controls, see the endpoint security basics guide. For information on securing your cloud infrastructure, see the cloud solutions guide.
Last modified on May 22, 2026