Too many small and medium-sized businesses (SMBs) believe that purchasing “This One Product” or “This One Managed Service” will provide all the security their network requires. If this were true, large corporations with huge IT budgets would never have data breaches!

Before you start buying expensive new technology to protect your office network, take some time to examine your internal infosec processes. Make sure you are covering the basics.

It is quite common for SMBs to lack organization with respect to their information systems, particularly if they have experienced steady and/or rapid growth over some period of time. In the early days, organization seems superfluous. At some point, it becomes clear that organization is needed, but the job isn’t assigned to anyone. Often, there simply isn’t anyone with the time, energy or expertise to take on the job. Occasionally, a willing volunteer takes on the task, but when that person leaves, the baton is not passed. All too often, the impact of organizational problems becomes clear only in a moment of crisis.

Typically, a lack of organization means there is no infosec program, no one person or group in charge of information systems, no documentation on system configurations and accounts, etc. The organization isn’t following basic security practices because policies aren’t clear and actions aren’t repeatable.

A lack of organization generally affects another of the basics that is often ignored: documentation.


I always tell my clients: “You can’t secure it if you don’t know it’s there.” This is why an inventory of hardware and an inventory of software are the first two of the Center for Internet Security’s 20 Controls. Yet few SMBs take even these first two steps to securing their information systems.

Without good documentation, it is difficult