The most important thing is to start. Where you start matters less, but starting matters. If you delay, you are only increasing the risk of something bad happening. Here are some stages to consider in your journey.
Pick someone who “owns” security for your organization.
Eventually, in a well-run environment, security is part of everyone’s job. But when you’re first getting started and you’re a smaller business, there are always other pressing matters distracting you from security. Assigning an owner – someone who is responsible for thinking about it, considering options, and recommending technologies or policies – is key. Typically this should be someone with a background in either technology or risk; a dev lead or a financial officer is a good bet.
Pick a starting framework
If you’re under pressure from clients or regulators, a “big” standard like ISO 27001, SOC 2 or HIPAA might be a good fit; standards like these form part of industry or international certifications. If you’re not under pressure, then a smaller standard like the CIS Top 20 benchmark is a good place to start. Evaluate your current security program against that standard – even taking 20 minutes to ask yourself whether you have an answer to each item in its table of contents will show you where you’re strong and where gaps exist.
Identify key assets and data
Do a “tabletop” walkthrough of your business to understand which assets and data are critical to its ongoing function, or attractive to an attacker. Example questions to ask yourself:
Which systems/software, if they were to fail, would dramatically impact business operations?
Which data, if compromised or lost, would cause significant customer or business impact – do you hold personally identifiable or valuable data such as credit card numbers, address information, health information, trade secrets, or pricing information?
What systems or data, if they became unavailable, would result in significant business interruption?
Lockdown key assets and data
Take steps to secure your critical assets and data. While you’re at it, consider applying the same techniques to less critical systems, since it is often easy to expand the scope of a project that is already underway. For example:
1. Implement multi-factor authentication (using an authenticator app, not SMS) on email accounts (Google GSuite, Microsoft O365). Since your email accounts act as recovery options for other business accounts, they are often the most critical accounts to protect in your environment. Do the same where possible for key admin accounts across your organization. Study after study has shown that multi-factor authentication is one of the best things you can do to prevent phishing and other account compromises.
2. Use role-based access controls on sensitive systems or data that don’t require organization-wide permissions. For example, make sure that only the relevant staff can access internal information like payroll, and that only those with a genuine need can access customer data. Have procedures to remove access for people who leave or change roles.
3. Implement basic security controls – gateway firewalls for office environments, anti-malware, encryption at rest. Organizations often suffer breaches and incidents and have absolutely no idea they’ve been compromised, because they have no systems to detect and prevent low-effort attacks.
4. Build out a larger asset inventory, and ensure that every asset has an appropriate owner who is responsible for security policies, patching, etc.
5. Start a basic user awareness program targeting key personnel (financial controllers, executives, IT staff, etc.). Consider teaching staff how to be more secure at home; they’ll bring that awareness to work.
Keep learning, establish a rhythm
Establish a program to monitor your assets and vulnerabilities. Send key staff members to industry security events and webinars. Run internal lunch-and-learns on a regular basis (monthly is a great cadence) for team members on a variety of topics. If you send staff to events, having them come back and present on what they learned is a great way to reinforce learning, disseminate knowledge and build a security culture.
Rome wasn’t built in a day, and your security program won’t be either. Always remember that security is a journey, not a destination.