It can be tough knowing where to get started with Cyber Security. From the outside it can look pretty impenetrable, and the more you read the bigger it looks, and the easier it becomes to fall into the trap of learned helplessness.

This is particularly true for small businesses, which already need to be on top of functions like finance, people, sales, marketing and regulations, as well as the product or service they’re experts in. Cyber security is another risk they have to find a way to manage. Over the last year I’ve seen roughly one small company a month be caught out in some way, leading to their email becoming compromised. They hadn’t really figured out what they wanted to do about “Cyber”, or weren’t aware of how risks change when they move to services like Office 365, and that led to poor outcomes for their business and customers. But getting started is easier than folk think, even for firms that don’t know where to start.

A lot of advice says to focus on “being secure” instead of “doing security”, but sometimes, when you’re starting from the very beginning, it’s better to just act and get some basic things in place, then figure out the rest as you go. Fortunately, there are plenty of resources out there to show the way, including how to close the gaps that commonly used services like Office 365 have in their default settings.

This is important because the most common kind of attacks these businesses will see are untargeted and opportunistic, looking to exploit accidentally exposed vulnerabilities and mistakes in any systems they come across. If a company can follow some best practice guides, either by themselves or by using them as a benchmark to ask their IT partners to meet, they’ll find that they end up with layers of defence that are proven to work, and with an understanding of their systems that will help them take the next step towards controls more tailored to their own operations.

There are a lot of independent, often government-backed entities that give out this kind of advice for free. Here are a few places to help get started:

NCSC – The UK’s National Cyber Security Centre

CIS – Center for Internet Security

NIST – US National Institute of Standards and Technology

This list is intended as a possible starting point for folk that are stuck and unsure what to do next. Other options are out there that may be more relevant to their particular context. But if nothing else, if you’re not currently doing anything, the most important part is to just get started.