Do you know all the information systems in your business? Do you know what software systems are in use across your company? Do you know all the data in your information systems and how sensitive that information is? All too often, especially with smaller businesses, the answer to these questions is no. The first step in protecting yourself is understanding what you're protecting. To start with, you will need an inventory of all your systems. This includes hardware, software, data, etc. Each item on the list needs to be evaluated. Ask yourself:
What is critical (prioritize highest to lowest)?
What system, if unavailable, would prevent the business from doing business?
What are the system inter-dependencies (these may not be easily apparent)?
What regulations apply to this type of data? PCI? HIPAA? GDPR?
Cybersecurity is a balance between what the information or system is worth, the cost to protect it, and end-user functionality. Once you have an idea of the criticality, you also need to think about the three cybersecurity principles (confidentiality, integrity and availability):
What's the impact to my business if information is disclosed?
What's the impact to my business if information in this system is altered?
What's the impact to my business if information in this system or the system itself can't be accessed?
Thinking about your systems in this manner will help you understand what you have to protect. The data and information systems that would stop your organization's mission from being successful, or put you out of business should something happen to them, are the things that need the most protective layers around them. The things that won't impact your mission or cause legal headaches should something happen to them should still be protected, but at a much lower level. Focus your limited resources on what is most valuable to your organization.
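
The evaluation described above can be worked through on a small inventory. The following is an added example, not part of the original article: the item names, the 1 to 3 impact scale and the rule that a system inherits the availability rating of anything that depends on it are all assumptions made for illustration.

```python
# Added example: constructed inventory; names and the 1-3 scale are assumptions.
# c / i / a = business impact if the item is disclosed / altered / unavailable.
INVENTORY = {
    "pos-terminal":   {"c": 3, "i": 3, "a": 3, "regs": ["PCI"],
                       "depends_on": ["payment-db", "office-switch"]},
    "payment-db":     {"c": 3, "i": 3, "a": 2, "regs": ["PCI"],
                       "depends_on": ["office-switch"]},
    "office-switch":  {"c": 1, "i": 1, "a": 1, "regs": [], "depends_on": []},
    "marketing-site": {"c": 1, "i": 2, "a": 1, "regs": [], "depends_on": []},
    "hr-files":       {"c": 3, "i": 2, "a": 1, "regs": ["GDPR"],
                       "depends_on": ["file-server"]},
    "file-server":    {"c": 1, "i": 1, "a": 1, "regs": [],
                       "depends_on": ["office-switch"]},
}


def effective_availability(inv):
    """Raise each item's availability rating to that of anything relying on it."""
    eff = {name: item["a"] for name, item in inv.items()}
    changed = True
    while changed:  # repeat to a fixed point; ratings only rise, so cycles end
        changed = False
        for name, item in inv.items():
            for dep in item["depends_on"]:
                if dep not in inv:  # a dependency nobody inventoried
                    raise KeyError(f"{name} depends on uninventoried {dep}")
                if eff[dep] < eff[name]:
                    eff[dep] = eff[name]
                    changed = True
    return eff


def prioritize(inv):
    """Return items ordered from highest to lowest protection priority."""
    eff = effective_availability(inv)
    rows = []
    for name, item in inv.items():
        ratings = (item["c"], item["i"], eff[name])
        rows.append({"name": name, "priority": max(ratings),
                     "total": sum(ratings), "regs": item["regs"],
                     "raised_by_dependency": eff[name] > item["a"]})
    rows.sort(key=lambda r: (-r["priority"], -r["total"], r["name"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        note = " (raised by a dependent system)" if row["raised_by_dependency"] else ""
        print(row["priority"], row["name"], ",".join(row["regs"]) or "-", note)
```

In this sample the office switch is rated low on its own, but it ends up in the top tier because the point-of-sale terminal cannot work without it, which is the kind of inter-dependency that is not easily apparent from a flat list.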