The Big 5 Security Safeguards
These five safeguards are known in the cyber insurance industry as “The Big 5”. The likelihood of a company being hacked, and the cost of remediating it afterward, correlate directly with the state and visibility of these five safeguards.
A Remediation-Tested Framework for Preventing Ransomware and Financial Fraud.
Key Points
A single unenforced MFA setting led to total data loss for a 20-user firm. No backup. No recovery path. Bankruptcy within a year.
This is one of around 20 breach/ransomware remediation jobs we’ve worked over the past 5 years.
In every breach we’ve remediated, at least one of the Big 5 Security Safeguards was missing, misconfigured, or unmanaged (no thoughtful human was watching it). Where all five were properly implemented and actively monitored, we have not seen this outcome.
A 20-person company in Charlottesville, VA, gone in a weekend
They weren’t reckless. They weren’t careless.
They were busy.
Twenty employees. Normal week. Then one Monday morning they couldn’t log in.
Google had deleted their entire tenant.
Every email. Every file. Every calendar.
Gone.
Why?
One user did not have MFA enforced. Their account was compromised. The attacker used it to upload illegal material from overseas. Google terminated the entire company account under a usage violation. No warning. No appeal.
This is not a Google-specific issue. The same thing can happen with other cloud providers, such as Microsoft 365.
It gets worse.
They had declined backup about six months earlier because it felt unnecessary.
They had no cyber insurance.
There was no restore button.
Within a year, they were bankrupt.
What would have stopped this?
One or more of The Big 5, outlined below.
One safeguard missing is enough. Two or three missing makes recovery unlikely.
Most small professional firms assume they are too small to matter.
That is not how attackers think.
They look for:
No MFA
No monitored security
No immutable backup
No phishing protections
No ACH protection
That is why we teach The Big 5.
Because every ransomware remediation job we’ve worked so far, including this one, was missing at least one of them.
And none of our proactive clients, who have them properly implemented and monitored, have experienced this outcome.
A consistent pattern
Over the past several years, we have led or assisted in remediation efforts for businesses that were ransomed, breached, or financially compromised.
Different industries.
Different sizes.
Different IT providers.
But the pattern is consistent.
In every remediation engagement, one or more of the same five safeguards were:
Missing
Improperly configured
Not enforced
Not monitored
Not tested
In some cases, all five existed on paper. They were simply not implemented correctly.
Security tools do not prevent breaches.
Correct implementation and active oversight do.
Today, many cyber insurance carriers strongly encourage or require versions of these safeguards because they reduce measurable risk. When implemented correctly, they not only lower breach probability but can also reduce insurance premiums over time.
The cyber insurance industry refers to them simply as:
The Big 5 Security Safeguards
The Big 5 Security Safeguards
1. Enforced Multi-Factor Authentication (MFA)
What It Is
Multi-Factor Authentication requires more than just a password to access systems such as email, cloud platforms, remote access tools, and financial systems.
It must be:
Enforced
Universal where it matters
Not bypassable through legacy protocols (IMAP, POP3, SMTP AUTH and similar basic-authentication clients cannot carry an MFA challenge)
What Failure Looks Like
We have seen firms with “MFA enabled” who were still breached.
Why?
Because:
MFA was optional for some users
Legacy email protocols were still allowed
Admin accounts were exempt
Service accounts were forgotten
Users were tricked into handing over MFA codes to threat actors
The firm believed they were protected. They were not.
What Proper Implementation Looks Like
MFA enforced for all users without exception
Legacy authentication disabled
Administrative accounts separately secured
Financial system access protected
Periodic verification and/or testing
MFA that can be turned off or bypassed is not useful. It must be always on and the only way to get in.
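The “periodic verification” item above is the part most firms skip. The simplest verification is to pull an export of sign-in records and look for two things: users who signed in successfully with only one factor, and successful logins over a legacy protocol (which means legacy authentication is not actually blocked). The script below is an added example, not code from the original page or from any vendor. It assumes the records use the field names of the Microsoft Graph sign-in log (userPrincipalName, clientAppUsed, authenticationRequirement, status.errorCode); the client-app strings in LEGACY_CLIENT_APPS follow Microsoft’s legacy-authentication categories and should be checked against your own tenant’s export. The sample records are constructed.

```python
"""Audit exported sign-in records for the MFA gaps described above.

Added example, not from the original page. Assumes Microsoft Graph signIn
field names; the records in SAMPLE_SIGNINS are constructed for illustration.
"""
from collections import defaultdict

# Client app strings that use basic authentication and therefore cannot
# carry an MFA challenge. A successful sign-in over any of these means
# legacy authentication is still allowed, whatever the tenant settings say.
LEGACY_CLIENT_APPS = {
    "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Other clients",
}

# Constructed sample: a mix of healthy and problematic sign-ins.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "ana@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.10"},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.7"},
    # A forgotten service account still polling mail over IMAP with a password only.
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "192.0.2.44"},
    # An IMAP attempt that Conditional Access blocked (AADSTS53003): the control worked.
    {"userPrincipalName": "ana@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 53003}, "ipAddress": "192.0.2.99"},
    # An admin account exempted from the MFA policy.
    {"userPrincipalName": "admin@example.com",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication",
     "status": {"errorCode": 0}, "ipAddress": "203.0.113.10"},
]


def audit_signins(signins):
    """Return users who got in without MFA and successful legacy-protocol logins.

    Only successful sign-ins (errorCode 0) count: a failed legacy attempt shows
    the block working, not a gap.
    """
    no_mfa_users = defaultdict(int)
    legacy_success = []
    for rec in signins:
        if rec["status"]["errorCode"] != 0:
            continue
        upn = rec["userPrincipalName"]
        if rec["authenticationRequirement"] != "multiFactorAuthentication":
            no_mfa_users[upn] += 1
        if rec["clientAppUsed"] in LEGACY_CLIENT_APPS:
            legacy_success.append((upn, rec["clientAppUsed"], rec["ipAddress"]))
    return {"no_mfa_users": dict(no_mfa_users), "legacy_success": legacy_success}


if __name__ == "__main__":
    result = audit_signins(SAMPLE_SIGNINS)
    for upn, count in result["no_mfa_users"].items():
        print(f"single-factor sign-ins: {upn} ({count})")
    for upn, app, ip in result["legacy_success"]:
        print(f"legacy auth succeeded: {upn} via {app} from {ip}")
```

Run this against a real export (30 days is usually enough) and every name it prints is a policy gap, not a user problem: the fix is the Conditional Access or enforcement setting, and the check belongs on a recurring calendar, not a one-time project.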
2. Immutable Backups
What It Is
Backups that cannot be altered, deleted, or encrypted by ransomware.
What Failure Looks Like
In multiple ransomware cases, backups technically existed.
But:
They were reachable from the domain or the business network, so the attackers could reach them too
They were not immutable
They were not monitored, so no one knew they had been disabled
In most cases, attackers try to find and delete or encrypt the backups. In some cases they turn the backup job off and watch whether anyone notices. If no one does, they wait until the remaining backups are too old to be useful (six months to three years) before attacking.
When they attack, they steal and/or encrypt all current business data and will not release the data until a ransom has been paid. For small businesses, this ransom typically ranges from $200k to millions.
Backup without immutability and monitoring is not a safety net.
What Proper Implementation Looks Like
Immutable storage architecture
Off-site or segmented replication
Daily monitoring
Clear recovery time objectives
When implemented correctly, ransomware becomes a business disruption, not a business-ending event.
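“Daily monitoring” means more than checking that the backup job reported success last night. The two failure modes above (a job quietly disabled, and backups that exist but can be deleted) are both visible from the backup catalog if someone looks at the right fields. The script below is an added example, not code from the original page or from any backup product. It assumes the backup system can export restore points with a completion time and an immutability expiry (S3 Object Lock and hardened repositories expose something equivalent); the catalog, the RPO and the lock threshold are constructed for illustration.

```python
"""Daily backup-health check for the failure modes described above.

Added example, not from the original page. The catalog and thresholds are
constructed; map them to your backup product's export.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 10, 8, 0, tzinfo=timezone.utc)  # fixed "today" so the run is deterministic
RPO = timedelta(hours=36)                 # a daily job is late once the newest good point is older than this
MIN_LOCK_REMAINING = timedelta(days=14)   # the newest good point must stay immutable at least this long

# Constructed catalog: job -> restore points. 'locked_until' is None when the
# point sits in ordinary storage that an attacker with the backup credentials could delete.
CATALOG = {
    "fileserver": [
        {"completed_at": NOW - timedelta(days=2), "locked_until": NOW + timedelta(days=28), "ok": True},
        {"completed_at": NOW - timedelta(days=1), "locked_until": NOW + timedelta(days=29), "ok": True},
    ],
    "m365-tenant": [
        # Job was quietly disabled: the last good point is 190 days old and its lock has lapsed.
        {"completed_at": NOW - timedelta(days=190), "locked_until": NOW - timedelta(days=160), "ok": True},
    ],
    "sql": [
        {"completed_at": NOW - timedelta(hours=20), "locked_until": None, "ok": True},  # fresh but deletable
    ],
    "hr-db": [
        {"completed_at": NOW - timedelta(days=3), "locked_until": NOW + timedelta(days=27), "ok": True},
        {"completed_at": NOW - timedelta(days=2), "locked_until": None, "ok": False},
        {"completed_at": NOW - timedelta(days=1), "locked_until": None, "ok": False},
    ],
}


def check_job(points, now=NOW):
    """Return a list of findings for one job; an empty list means healthy."""
    findings = []
    good = [p for p in points if p["ok"]]
    if not good:
        return ["no successful restore point on record"]
    newest = max(good, key=lambda p: p["completed_at"])
    age = now - newest["completed_at"]
    if age > RPO:
        findings.append(f"stale: newest good point is {age.days} days old (RPO {RPO})")
    lock = newest["locked_until"]
    if lock is None:
        findings.append("not immutable: newest good point can be deleted or encrypted")
    elif lock <= now:
        findings.append("lock expired: newest good point is deletable again")
    elif lock - now < MIN_LOCK_REMAINING:
        findings.append(f"lock expiring: immutability ends in {(lock - now).days} days")
    # A run of failures since the last success is what a disabled or broken job looks like.
    failed_tail = 0
    for p in sorted(points, key=lambda p: p["completed_at"], reverse=True):
        if p["ok"]:
            break
        failed_tail += 1
    if failed_tail >= 2:
        findings.append(f"{failed_tail} consecutive failed runs since last success")
    return findings


def daily_report(catalog, now=NOW):
    """Map each job name to its findings; healthy jobs are left out."""
    report = {}
    for job, points in catalog.items():
        findings = check_job(points, now)
        if findings:
            report[job] = findings
    return report


if __name__ == "__main__":
    for job, findings in daily_report(CATALOG).items():
        print(job, "->", "; ".join(findings))
```

Whatever produces this report should page a human when it is non-empty, and separately when it fails to run at all: an attacker who can disable the backup job can usually disable the check that watches it, so the absence of the report has to be an alert in its own right.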
3. Enhanced Phishing Protection + Simulated User Conditioning
What It Is
Advanced email filtering combined with continuous simulated phishing campaigns and training.
Technology alone does not stop phishing.
User behavior matters.
What Failure Looks Like
Business Email Compromise remains one of the most successful attack methods for threat actors.
Around 90% of all business hacks start with an email attack on a user.
We have seen:
Spoofed vendor payment changes
Executive impersonation
Compromised mailboxes used for lateral attacks
Fraudulent ACH and wire requests
In most cases:
The email passed basic filtering
The user had never been conditioned through simulation
There was no reporting culture for suspicious messages
One wrong click leads to six or seven figure losses.
What Proper Implementation Looks Like
Advanced filtering beyond default email protections
Domain impersonation defense
Ongoing phishing simulations
Leadership participation in training
Reporting to Leadership on users who struggle (keep clicking simulated phishing emails) so they can receive more robust training. We’ve found that once a user really understands the risk, they stop clicking immediately and take a breath first.
Phishing is behavioral risk. It must be treated that way.
Punishment doesn’t help. In fact, it often makes the behavior worse.
Education and training mean users can remain calm when they get a stressful email. Decreasing a user’s stress response to an email that is specifically designed to throw them off guard greatly reduces the likelihood of your business getting hacked.
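“Domain impersonation defense” is the one item in the list above that is purely technical, and it is worth seeing what it actually checks. SPF, DKIM and DMARC verify that mail really came from the domain it names; they say nothing about a freshly registered lookalike of your own domain or a vendor’s, or about an executive’s display name on a mailbox you don’t control. The script below is an added example, not code from the original page or from any mail-filtering product. PROTECTED_DOMAINS, EXEC_NAMES and the sample messages are constructed; the check is deliberately biased toward false positives because its output goes to a review queue, not straight to a block.

```python
"""Flag messages whose sender impersonates your domain, a vendor, or an executive.

Added example, not from the original page. Domains, names and messages below
are constructed; replace them with your own domain, key vendors and executives.
"""

INTERNAL_DOMAIN = "example.com"
PROTECTED_DOMAINS = ("example.com", "acme-vendor.com")  # ordered so findings come out in a fixed order
EXEC_NAMES = {"Jane Doe"}  # display names attackers borrow for wire and ACH requests


def normalize(domain):
    """Undo common visual substitutions (rn->m, vv->w, digits for letters)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Edit distance; one or two edits from a protected domain is the classic typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def assess(msg):
    """Return impersonation findings for one message (empty list = nothing suspicious)."""
    findings = []
    sender = domain_of(msg["from"])
    if sender not in PROTECTED_DOMAINS:
        norm = normalize(sender)
        for prot in PROTECTED_DOMAINS:
            brand = prot.split(".")[0]
            if norm == prot:
                findings.append(f"homoglyph lookalike of {prot}: {sender}")
            elif 0 < levenshtein(norm, prot) <= 2:
                findings.append(f"near-miss lookalike of {prot}: {sender}")
            elif brand in sender:
                findings.append(f"uses {brand} brand in unrelated domain: {sender}")
    if msg.get("from_name") in EXEC_NAMES and sender != INTERNAL_DOMAIN:
        findings.append(f"executive display name {msg['from_name']!r} sent from {sender}")
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender {sender}")
    return findings


# Constructed sample messages: one legitimate vendor mail, one legitimate internal
# mail, and three of the shapes seen in the payment-fraud cases described above.
SAMPLES = [
    {"from": "billing@acme-vendor.com", "from_name": "Acme Billing"},
    {"from": "billing@acme-vendor.co", "from_name": "Acme Billing", "reply_to": "billing@acme-vendor.co"},
    {"from": "jane.doe@examp1e.com", "from_name": "Jane Doe", "reply_to": "jane.doe.ceo@gmail.com"},
    {"from": "jane.doe@example.com", "from_name": "Jane Doe"},
    {"from": "ap@example-com.net", "from_name": "Accounts Payable"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["from"], "->", assess(msg) or "ok")
```

The second, third and fifth samples are exactly the “spoofed vendor payment change” and “executive impersonation” messages listed above; none of them fails SPF or DMARC, because the attacker owns the domain they sent from. That is why this check has to run in addition to the standard authentication checks, and why the reporting culture matters: the user who forwards a flagged message is the last filter.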
4. Endpoint Detection & Response (EDR), Actively Monitored by Humans
What It Is
Detection software installed on endpoints and servers that records what processes, users and network connections are doing and flags suspicious behavior. Unlike traditional antivirus, it does not rely primarily on a list of known-malware signatures; it analyzes system behavior and surfaces anomalies for real humans to investigate.
But here is the critical point:
EDR must be actively monitored by trained humans 24/7/365.
What Failure Looks Like
In one large remediation effort our team helped with, the organization had EDR installed. It had been alerting to malicious activity on a server for months.
No one saw it and so no one acted.
The software worked. The monitoring failed.
By the time action was taken, the attacker had persistence and domain-wide access.
They deleted or encrypted all the data that the company owned and demanded $3 million to get it back.
That is why passive EDR is insufficient.
What Proper Implementation Looks Like
24/7 Security Operations Center (S.O.C.) monitoring
Internal team review of alerts
Escalation procedures
Continuous tuning
Detection without response is useless.
Real monitoring means a thoughtful team is involved and watching.
5. Financial Transaction Controls (Including Positive Pay)
What It Is
Controls that verify checks, ACH debits, and wire requests before funds leave the organization.
The best known is Positive Pay, a bank service that pays a check or ACH debit only if it matches the list of items the business has issued or authorized; anything else is held as an exception for a human decision.
This functions as financial MFA: a second, independent check before money moves.
What Failure Looks Like
After email compromise, attackers frequently:
Modify vendor payment instructions
Initiate fraudulent ACH transfers
Redirect checks
Intercept wire communications
Even firms with strong IT controls have suffered six-figure losses due to absent transaction verification controls.
Cybersecurity does not end at your office walls.
It includes how money moves.
What Proper Implementation Looks Like
Positive Pay enabled with banking partners
Dual approval workflows
Vendor payment verification
Clear financial change control policies
Segregation of duties
Technical compromise becomes catastrophic when financial controls are weak.
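What Positive Pay and an ACH debit filter actually do is a matching exercise, and seeing it spelled out makes clear why they stop the frauds listed above even after an attacker has full control of someone’s mailbox. The script below is an added example, not code from the original page or from any bank; banks run this matching on their own systems. It assumes an issued-check file (check number, payee, amount) and an ACH allow list (originator ID and per-debit cap), which is what a bank asks a business to maintain; the issued file, allow list and presented items are constructed.

```python
"""Positive Pay and ACH debit filtering, shown as the matching exercise they are.

Added example, not from the original page. All data below is constructed.
"""
from collections import Counter

# Issued-check file the business sends to the bank, keyed by check number.
ISSUED = {
    1001: {"payee": "Acme Vendor Inc", "amount": 12500.00},
    1002: {"payee": "City Utilities", "amount": 840.17},
    1003: {"payee": "Jane Doe", "amount": 2200.00},
}

# ACH debit allow list: originator company ID -> maximum single debit.
ACH_ALLOWED = {"1234567890": 15000.00, "0987654321": 2000.00}

# Items the bank is about to pay today (constructed).
PRESENTED_CHECKS = [
    {"number": 1001, "payee": "Acme Vendor Inc", "amount": 12500.00},
    {"number": 1002, "payee": "City Utilities", "amount": 8400.17},        # altered amount
    {"number": 1003, "payee": "J. Doe Holdings LLC", "amount": 2200.00},   # altered payee
    {"number": 1004, "payee": "Cash", "amount": 9900.00},                  # never issued
    {"number": 1001, "payee": "Acme Vendor Inc", "amount": 12500.00},      # duplicate presentment
]
PRESENTED_ACH = [
    {"originator_id": "1234567890", "name": "ACME VENDOR", "amount": 12500.00},
    {"originator_id": "5555555555", "name": "ACME VENDOR", "amount": 12500.00},  # same name, new originator
    {"originator_id": "0987654321", "name": "CITY UTIL", "amount": 2500.00},     # known originator, over cap
]


def normalize_payee(name):
    """Ignore case, punctuation and spacing differences, but nothing more."""
    return " ".join(name.lower().replace(".", "").replace(",", "").split())


def review_checks(issued, presented):
    """Return (pay, exceptions). Exceptions need a human decision before funds leave."""
    pay, exceptions = [], []
    seen = Counter()
    for item in presented:
        n = item["number"]
        seen[n] += 1
        if seen[n] > 1:
            exceptions.append((n, "duplicate presentment"))
            continue
        rec = issued.get(n)
        if rec is None:
            exceptions.append((n, "check not in issued file"))
            continue
        if abs(rec["amount"] - item["amount"]) > 0.005:
            exceptions.append((n, f"amount {item['amount']:.2f} != issued {rec['amount']:.2f}"))
            continue
        if normalize_payee(rec["payee"]) != normalize_payee(item["payee"]):
            exceptions.append((n, f"payee {item['payee']!r} != issued {rec['payee']!r}"))
            continue
        pay.append(n)
    return pay, exceptions


def review_ach(allowed, presented):
    """ACH debit filter: block unknown originators and debits above the per-originator cap."""
    pay, blocked = [], []
    for d in presented:
        cap = allowed.get(d["originator_id"])
        if cap is None:
            blocked.append((d["originator_id"], "originator not on allow list"))
        elif d["amount"] > cap:
            blocked.append((d["originator_id"], f"amount {d['amount']:.2f} exceeds cap {cap:.2f}"))
        else:
            pay.append(d["originator_id"])
    return pay, blocked


if __name__ == "__main__":
    for n, why in review_checks(ISSUED, PRESENTED_CHECKS)[1]:
        print(f"check {n}: {why}")
    for orig, why in review_ach(ACH_ALLOWED, PRESENTED_ACH)[1]:
        print(f"ACH {orig}: {why}")
```

Note what the ACH filter keys on: the originator ID, not the displayed name. The “vendor” who emails new bank details from a compromised mailbox can make the name match perfectly, but cannot make their debit come from the originator ID that is already on the allow list. That is the sense in which these controls are financial MFA, and it is also why the allow list must only change through the out-of-band verification process the list above calls for, never because of an email.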
Why Firms Think They’re Protected (But Aren’t)
The organizations we’ve helped after a breach did not believe they were exposed.
They believed they were covered.
They had security software installed.
They had an IT provider.
They had passwords.
They used Microsoft 365 or Google Workspace
They had “MFA turned on.”
On paper, it looked reasonable.
In reality, protection failed in predictable ways.
The core problem
Most breaches do not occur because a firm ignored security.
They occur because:
A safeguard was partially implemented.
A setting was never enforced.
A system was installed but not monitored.
A backup was configured but never tested.
Users were trained, but not reminded.
Email was filtered, but not well.
A financial control was assumed but not verified.
Belief in protection is not the same as verification of protection.
That distinction is what separates recovery from catastrophe.
FAQs for the C-Suite
-
Yes. Most of the organizations we have helped remediate were not large enterprises.
Professional firms with fewer than 100 employees are especially attractive targets because they hold sensitive data, control financial transactions, and typically underspend on cyber security and IT compared with larger firms.
-
No platform alone guarantees security.
Configuration, enforcement, monitoring, user access, and user behavior determine risk.
-
No.
Insurance may help offset financial loss, but carriers increasingly evaluate implementation quality before underwriting and renewal.
Strong safeguards reduce risk and often reduce premiums, but much of the cost of a hack is downtime, and loss of confidence from your clients, vendors and employees. These can be more difficult to measure.
The FBI Internet Crime Report (IC3 Report 2024) states that Financial Services and Healthcare are in the top 5 most targeted industries (2024_IC3Report.pdf).
-
There is often an implementation cost and a management cost.
For a 20–40 user professional firm, comprehensive implementation of these five safeguards typically ranges from:
Low five figures for smaller firms, to
Mid five figures for more complex environments.
Sometimes, implementation of these safeguards is included in the monthly management fees of the provider.
For instance, at Seventh Wall, we include implementation fees for most, if not all, of these safeguards in our Fully Managed Plans. See our monthly prices here: Pricing
If implementation isn’t included in your provider’s monthly plan, then the exact cost depends on architecture, compliance needs, and monitoring scope.
For the same 20–40 user professional firm, full management of The Big 5 typically ranges from:
$200/user/month for smaller firms, to
$100/user/month for larger firms
-
Believing they are protected because software is installed.
Security is not installation.
Security is a relationship between a thoughtful human and management tools. It is enforcement, monitoring, testing, and discipline.
-
Yes, but so far, with no harmful effects.
The successful attacks we’ve seen are those where the user is tricked into giving the attacker their MFA credentials and the attacker gets into the company email.
In every case we’ve experienced, our email monitoring software sees the unusual login, alerts our 24/7/365 monitoring team, and they block the attacker’s access in less than 8 minutes.
Final Thought
The organizations we help after a breach are not reckless.
They believed they were protected.
But belief is not verification.
The Big 5 Security Safeguards are not theoretical best practices.
They are the consistent pattern we, and the insurance industry as a whole, have observed in real-world remediation work.
When properly implemented and actively managed by a diligent team, they dramatically reduce the probability and severity of ransomware, email compromise, and financial fraud.
If you are unsure whether these safeguards are fully and properly implemented in your firm, we can walk you through a structured review.
Would You Like An Assessment?
We’d be happy to help you.
