Create a DR/BCP Plan and test it annually, including a test of your backups/restore
Create a scheduled access and privileged audit of all your critical systems every 3 or 6 months, so making sure all leavers are disabled and there are no extra admins etc
Have a solid asset database for physical assets and who owns them, serial number etc Asset list for servers including how they are backed up, physical/vm, what they are used for, services they run, are they critical etc
Digital asset list for all of the software programs that your users use, including who has admin, the type of data that they hold, if it is critical to the business etc
Make sure your user base takes cyber awareness training
Create a daily checklist of things to be checked like admin logs, alerts, emerging threats, backups, and create an escalation process. Audit to make sure it is getting done regularly.
Create a change management system
Setup a base policy set like acceptable use, BYOD, Password policy, Information Technology policy (goes over guidelines for your IT team), remote work, physical security, clear desk policy, employee handbook etc
Document physical security at your location/s for deliveries, guests, cameras, card pass logging etc
Document and check your onboarding and offboarding processes Work with HR to make sure all employees get a contract, are background checked, get trained and get a handbook etc
Get a copy of all client contracts and make sure you are compliant
Create a checklist and/or questionnaire for security reviews of vendors and new tech
Create an objectives and measures for your IT organization with 8 or so KPIs like vulnerabilities remediated in X amount of time, users with x% of phishing messages, Help Desk responding in X amount of time etc. Then measure it regularly and have a meeting with management to review every 6 months
Get a solid vulnerability remediation and management plan in place
MFA EVERYWHERE
Local Admin NOWHERE
Disk encryption EVERYWHERE
Phishing tests for all employees
Work out how to protect corporate email on BYOD phones
Talk to senior management about risk and document where they find the biggest risks to the business. Take steps to mitigate and track progress regularly
Create a “continual improvement log” that tracks security items you run across or think of and track them to remediation
Run incident response exercises with your team, so pretending something happened and see how they react etc.
Inventory all your critical business assets in a spreadsheet (i.e., what makes the money come in)
Identify what data you rely on to do business, tag them to specific systems in this spreadsheet
Work to get backups of the critical data and systems, ideally somewhere that isn’t directly networked (read: accessible to ransomware or bad actors)
Implement MFA on all remote access (email, VPN, server administration, whatever)
Make sure everyone is using passwords (kinda default with the “MFA” suggestion)
Get endpoint protection in place; anything is better than nothing, but any of the best ones are a little pricy but definitely worth it because, as a small business, your users will destroy you.
Try and get a vulnerability scan (free ones exist) and use your existing free-hand knowledge to scan ports and services to identify potential openings/risks.
Sources:
- https://www.reddit.com/r/sysadmin/comments/13bl1iu/comment/jjcutf3/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
- https://www.reddit.com/r/cybersecurity/comments/138iy0c/comment/jiz14fj/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
