SMB Security Maturity Levels

Level 1: Free / easy / 1 hour fixes
-Block China, Russia, Ukraine on your firewall and email
-Turn on email banner for external emails
-make sure PCs are running a version of Windows that still gets updates; the upgrade to Win10 can still be done for free
-Verify Windows Defender is on and updated automatically
-Verify Windows patches itself automatically. Set Active hours so you are not annoyed by reboots
-Invest some time in phishing and cyber-security training. Lots of free info on YouTube.com
-make sure your router/firewall and Wi-Fi have long passwords that are NOT the default from the factory
-Change your router/firewall DNS to 9.9.9.9 + 208.67.222.123
-while you’re in the router make sure UPnP (Universal Plug and Play) is OFF
-type your email address into haveibeenpwned.com; if it says breached, change your password
-install a password manager; Bitwarden is free, use it to generate long, complex passwords
-create some HoneyDocs and sprinkle them around your shared files
-standardize on a non-email, company-wide communication method; Microsoft Teams, Slack, Nextcloud etc.
-make sure you have backups and test them
-ensure users are using a secure browser and not IE
-sign up for PayPal; don’t use credit cards online unless it’s through PayPal

Level 2: Cheap / 1 day fixes
-enable GeoFiltering for your email logon
-turn on 2FA for email and anything money related (email is used to reset passwords)
-turn off NetBIOS, LanMan, WPAD and LLMNR on PCs. Easier if you have an AD Domain
-replace SSL-based VPN with IPsec VPN / RDWeb / Nextcloud
-disable macros in Office. Easier if you have an AD Domain
-disable PowerShell on workstations. Easier if you have an AD Domain
-set up an SPF record with your ISP/DNS provider
-set up OFFLINE backups; think external hard drives + some IoT power plugs
-make a guest Wi-Fi network and put all cell phones and IoT devices on it

Level 3: Projects that take planning but provide higher levels of security
-Offsite laptops; install a remote management security tool. N-Central, SentinelOne etc
-Randomize Local administrator account passwords; Microsoft LAPS is free but takes time to implement
-collect and analyze log files
-set up DMARC & DKIM with your ISP/DNS provider

sduncan
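
Added example (not part of the original checklist): once the SPF record from Level 2 and the DMARC record from Level 3 are published, this Python script grades the TXT records and lists what still lets spoofed mail through. The domain example.com, the sample records and the function names are constructed for illustration; DKIM is not checked because its selector name depends on the mail provider.

```python
import re

# Constructed TXT records for a hypothetical domain; real ones come from
# `nslookup -type=TXT example.com` and `nslookup -type=TXT _dmarc.example.com`.
GOOD = {"example.com": ["v=spf1 include:_spf.mailhost.example -all"],
        "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]}
WEAK = {"example.com": ["some-site-verification=abc123",
                        "v=spf1 a mx include:_spf.mailhost.example ~all"],
        "_dmarc.example.com": ["v=DMARC1; p=none; pct=50"]}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt):
    """Findings for the TXT records at the domain itself (empty list = OK)."""
    spf = [r.split()[1:] for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["spf: missing" if not spf else "spf: multiple records (permanent error)"]
    terms = [t.lower() for t in spf[0]]
    # Strip the qualifier and any :value, =value or /cidr to get the term name.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"))[0] for t in terms]
    findings = []
    if sum(n in LOOKUP_TERMS for n in names) > 10:
        findings.append("spf: more than 10 DNS-lookup terms (permanent error)")
    if "all" in names:
        term = terms[names.index("all")]
        if term != "-all":
            findings.append(f"spf: '{term}' does not hard-fail unlisted senders")
    elif "redirect" not in names:
        findings.append("spf: no 'all' term, unlisted senders get a neutral result")
    return findings

def check_dmarc(txt):
    """Findings for the TXT records at _dmarc.<domain> (empty list = OK)."""
    recs = [r for r in txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["dmarc: missing" if not recs else "dmarc: multiple records"]
    pairs = (p.split("=", 1) for p in recs[0].lower().split(";") if "=" in p)
    tags = {k.strip(): v.strip() for k, v in pairs}
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"dmarc: p={tags.get('p')} only monitors, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"dmarc: pct={tags['pct']} applies the policy to only part of the mail")
    return findings

def audit(zone, domain):
    return check_spf(zone.get(domain, [])) + check_dmarc(zone.get("_dmarc." + domain, []))

if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit(zone, "example.com") or "ok")
```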