If you’re a small business, the world of cyber security can be very overwhelming and intimidating. There are endless articles you could read, a long list of cyber security maturity frameworks and concepts you could try to learn, and an overwhelming feeling that you can’t possibly defend yourself from the hackers all over the place!
Cyber is a big, complex thing that is hard to do — if you’re looking to better defend your organization and you don’t know where to start, I recommend this approach:
- Read the Center for Internet Security’s (CIS) CIS Controls, as they’re a great list of security controls (a fancy way of saying to-do items) that are already in priority order — so you start at #1 and just keep working your way down the list. Here are the top 5:
  - Maintain a current list of all the IT hardware (equipment) you use
  - Maintain a current list of all of the software applications you use
  - Invest in, and use frequently, a vulnerability scanning tool (e.g. Tenable.io) to identify security holes, and then go fix them
  - Limit Administrative Access within your organization to only those who must have it, and then track who has it and who is using it, to do what, and when
  - Configure IT equipment securely and monitor the configuration to ensure these configurations are not being changed — for example, you may use an imaging solution to push out a consistent, pre-configured image of Windows 10 for new employee laptops and then use device management software (e.g. Microsoft SCCM) to monitor the configuration across your organization
- If you’re ready to keep digging in, read the NIST Cyber Security Framework (CSF), give yourself a red/yellow/green score on each of the 5 core domains, and then focus on improving the areas you think offer the best return on your time and money