Most companies don't immediately need a costly SIEM-class system or an elaborate SOC. They need to get the basics in order — and it's the basics that give the greatest return on every złoty invested. Below is a practical plan you can start today.

1. Start with an inventory

You can't protect what you don't know about. Build an asset register: devices, servers, applications, accounts, external vendors and the data you process. This is the foundation of every further decision.

  • Hardware and systems (who owns them, where they are, how critical they are).
  • Applications and cloud services — including “shadow IT” used without IT's knowledge.
  • Privileged accounts (administrators) and third-party access.

2. Assess risk, not everything at once

With a list of assets in hand, assign each one its real risk: what happens if this system stops working or the data leaks? Focus first on assets critical to running the business and on sensitive data. A risk analysis doesn't have to be a PhD thesis — a consistent, repeatable method is enough.

3. Deploy basic safeguards

These few actions eliminate most typical attack vectors:

  • Multi-factor authentication (MFA) on e-mail, VPN and administrative accounts.
  • Backups in a 3-2-1 model and — crucially — tested data restoration.
  • Updates to systems and applications on a schedule, not “someday”.
  • Network segmentation, so an incident in one place doesn't spill across the whole company.
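The inventory from section 1, the repeatable risk method from section 2 and the safeguards listed above can be tied together in a few lines. The following is an added example, not code from the original article: it scores every register entry by impact (criticality times data sensitivity), raises the likelihood for each missing basic safeguard, and ranks the entries into a remediation order. The field names, weights and sample rows are constructed assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Asset:
    """One row of the asset register (section 1); the field set is constructed."""
    name: str
    owner: str
    criticality: int        # 1 = nice-to-have .. 3 = business stops without it
    sensitivity: int        # 1 = public data .. 3 = personal/financial data
    is_admin: bool = False  # privileged account or admin interface
    mfa: bool = True
    backup_tested: bool = True
    patch_age_days: int = 0 # days since the last scheduled update

def risk_score(a: Asset) -> int:
    """Impact (criticality x sensitivity) times a likelihood factor that rises by one
    per missing section-3 safeguard (two for MFA on an admin), so ranking is repeatable."""
    impact = a.criticality * a.sensitivity
    likelihood = 1
    if not a.mfa:
        likelihood += 2 if a.is_admin else 1
    if not a.backup_tested:
        likelihood += 1
    if a.patch_age_days > 30:
        likelihood += 1
    return impact * likelihood

def gaps(a: Asset) -> list[str]:
    """Missing safeguards, phrased as the actions from section 3."""
    out = []
    if not a.mfa:
        out.append("enable MFA")
    if not a.backup_tested:
        out.append("test backup restoration")
    if a.patch_age_days > 30:
        out.append(f"apply updates ({a.patch_age_days} days behind schedule)")
    return out

def prioritize(register: list[Asset]) -> list[tuple[str, int, list[str]]]:
    """Highest risk first: (asset, score, actions) tuples for the 90-day plan."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(a.name, risk_score(a), gaps(a)) for a in ranked]

# Constructed sample register; real rows come from the inventory in section 1.
REGISTER = [
    Asset("domain-admin", "IT", 3, 3, is_admin=True, mfa=False),
    Asset("mail-server", "IT", 3, 3, backup_tested=False, patch_age_days=20),
    Asset("crm-saas (shadow IT)", "Sales", 2, 3, mfa=False),
    Asset("marketing-laptop", "Marketing", 1, 1, backup_tested=False, patch_age_days=90),
]
```

Running prioritize(REGISTER) puts the admin account without MFA first (score 27) and the unpatched low-value laptop last (score 3), which is the order the 90-day checklist should follow.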

4. Write down your security policies

Policies aren't bureaucracy — they're the shared rules of the game. The minimum is: a password and MFA policy, a backup policy, device-usage rules and a simple incident-reporting procedure. A document nobody reads is useless — write it short and to the point.

5. Take care of people

The best technology won't help if an employee clicks a link in a fake invoice. Short, recurring training and phishing simulations build real team resilience.

Checklist for the first 90 days

  • Days 1-30: inventory of assets and accounts, enable MFA.
  • Days 31-60: backups + restoration test, an update schedule.
  • Days 61-90: security policies, an incident procedure, the team's first training.

After these three months you have a solid foundation — and you're far better prepared for a compliance audit or NIS2/KSC requirements.