As with any business item, you need a plan and an idea of what your budget is. Find out what you can spend on your business security and work from there. In all case your budget is going to drive what you get. With a relatively smaller budget you may end up looking for a managed security service provider (MSSP). These groups have their own security toolset that they will roll out to you and charge you monthly by the endpoint. The downside of many of these is that there is no real active security. They do provide malware prevention, but it will only be as good as the tools they use. If there are items outside of basic scan and patch vulnerability management, you are not likely to get much help without paying more. Still, you are better off with a service of this type than you are with built-in malware protection and trying to manage vulnerabilities all on our own.
With a slightly larger budget you can look into a cyber security as service organization. These are groups that claim to provide security services in addition to active monitoring and (in some cases) some level of remediation built-in to their offerings. Most of these are also ala cart so you can pick and choose the services you want, Risk/Vulnerability Management, Anti-Malware, Managed Firewalls, etc. You get the items you need and can afford based on your employee count and budget.
A third option is one that sounds a bit less logical. Even though you are a small business, you can purchase MS365 Enterprise licenses from Microsoft. It sounds odd, but for around $60 per month per employee you can get a large amount of protection. You can get Multi-Factor Authentication, Advanced Threat Protection, Data Loss Prevention, Account control and integrity, user risk management, login tracking etc. It also comes with email services, office application support and a host of other items. It can reduce your costs significantly once you factor in these other items. Now MS365 at that level is not easy to get up and running so you are going to want to hire someone to at lest get things going.
So what do you do if you don’t even know what you need? Well, that is where you can either scour the internet for hours reading articles (like this one) and build out your list of items, or you can spend some time and possibly money on the front end to understand your exposure, compliance requirements (if any) and what solutions will give you the best outcomes. In most cases having a chat with an information security consultant can give you a wealth of information around best practices that will help drive your decisions and put your business in a better spot.
Now that you have read through that, let’s talk a bit about areas that most small businesses will need to address. First up is the ever-looming specter of Ransomware. If you are a one or two person shop having all of your files encrypted can mean the end of your business. Far too often even paying the ransom does not mean you get your files back. It is also likely that the original infection involved the exfiltration of all your data to a place the attacker can get it. Even if you get access to your data back you still lost all of it and, to make matters even worse, most new ransomware attack include persistence mechanisms to grant the attack continued access into your environment (or at least the originally infected system). Ransomware protection comes from a good modern anti-malware solution. This is something that can look for and stop the wide array of methods ransomware uses to gain access to your environment. Free or legacy anti-malware offerings can offer some protection, but not enough to make them a go-to choice. Proper anti-malware is a vital component for PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act), and many other compliance standards.
Vulnerability scanning, and remediation is the next item on the list for must-haves. Even outside of good malware protection, there are bugs and security holes in every single piece of software in existence. There are there and attackers are looking for them just as fast and as hard as security researchers are. It might be surprising to note that by the time you get a security fix for a piece of software that vulnerability has probably been known about by attackers for an average of 40 days. This is why early detection and remediation of risks and vulnerabilities is so important (patch early and often). This one is also part of most of your compliance types.
Account Integrity and access control might sound like something that a small business would not really need, but when you look at the modern business profile you can see how vulnerable people are when they are not using proper account control (complex passwords, multi-factor authentication, etc.) can have a significant impact on the security of your business and business data. Getting this set up for cloud services (square, credit cards, bank accounts etc.) is probably one of the simpler items to deal with. Things get more complicated when it comes to local desktops, laptops, and mobile phones. It also tends to be one item most people ignore because it adds time to what they are trying to do. Another thing you can do is set up notifications if there is a login attempt from a place you normally do not log in from. If the login attempt is from you, you can ignore it, if not you can contact the service make sure they are aware of the incident. It all adds up and is also part of most compliance standards.
Although there are more items on the list of security tools, the items above are the three basic ones and should be part or every business plan and budget. Yes, they can be a pain to research, buy, setup, and maintain. However, you can either take the time and pay the money now, or you will spend a lot more time and money later. Better to take care of things on the front end… really it is.