Here’s a good piece that Entrepreneur Magazine put together for SMBs to ensure they have a secure information systems environment. I don’t disagree with any of the recommendations. What I do find interesting is that there’s no mention of “determine where you’re weak”.
Whether it's at the beginning, before you put all of the recommended controls in place (potentially saving yourself a lot of time and money if it's determined you don’t need certain types of controls), or after everything is established – you absolutely have to assess where things stand.
You know my feelings on this: You cannot secure what you don’t acknowledge. Building out a supposedly secure infrastructure is only one piece of the puzzle. Basic controls are just the beginning.
That’s the fundamental flaw with information security today – especially within SMBs. Owners and managers of SMBs read these recommendations, put their strong firewalls and passwords in place, and leave it at that. Months or years go by and then something bad happens: an employee breach, external hack, malware attack, you name it. All along these very people had no real sense of how secure or unsecure their systems really were. Don’t follow their lead.