CIS Controls Implementation Guide for Small- and Medium-Sized Enterprises
I just came across a concise and possibly useful security guide for small businesses to assess the overall security posture of their business. This advice applies equally to organisations of all sizes; however, given the complexity of large organisations, the level of detail here would fall short. Moreover, large organisations require dedicated security staff, but they also have the budget for that too. :-)
I suggest this as a possible starting point for small businesses and startups.
The guide has been created by CIS (Center for Internet Security), a reputable name for guidance on system hardening. I refer to their notes in my professional job and believe that they provide reliable security information. The good thing is that there are some practical suggestions too.
The guide has three phases which lead you from figuring out what assets your organisation has to actually trying to secure them:
- Know your environment
- Protect your assets
- Prepare your organization
As a first attempt at securing your organisation, that's a reasonable way to begin.
The guide doesn't have a lot of depth, but it is at least a starting point. It is easy to read and could be quick to action. I think this is important: while there is a lot of enthusiasm in the blockchain space, I suspect that security is still an afterthought in many cases.
Startups will rely upon their founders enforcing security, assuming that they know enough in the first place, but I suspect that security will be left to each individual employee to figure out on their own. As you should expect, this is not great. Interestingly, while large organisations have a huge attack surface, there is also a reasonable chance that they have a mature security operation (a chance, not a guarantee), whereas startups have a far smaller attack surface but are far more immature.
I have to give a hat tip to a colleague and to a post on the SANS website that led to the discovery of this guide: forum post
Disclaimer: this is not the opinion of my employer.