We recommend that SMBs commission an external security provider to conduct a security audit. There is a data security truism that must not be ignored: You cannot protect what you do not know is at risk. This exercise provides a holistic view of the data you have, its value, its locations and its level of risk of being compromised by bad actors.
Security teams should adopt a security framework. IT security is a combination of people, processes, and technology. For SMBs, the Center for Internet Security (CIS) provides a straightforward approach to defining what you need to be doing on a continuous basis to maintain a strong defense as an organization.
Determine how much your company can spend on IT security. With your audit in hand, your processes investigated and an accurate understanding of what is going to be involved, it is time to look at which security programs your company can afford to implement, and to understand which ones you cannot afford to implement yet. Here you determine your risk priorities, what compromises you might be faced with and how you minimize those risks. You also determine whether you will handle security in-house, outsource it or have a mix of both.
Execute your ongoing IT security plan. First, however, ensure you have written policies, procedures and escalations in place for the identified risks. The plan must include the means to enforce those policies and procedures, as well as the ability to monitor, review, revise and maintain them.
Rinse and repeat. Conduct regular and continuous assessments of risk and reinforce your now-established security posture, including vulnerability assessments, patch management, user training, and regular testing of attack responses. Be conscious that every change and every newly introduced element demands a security review to ensure your security posture is maintained and not compromised.