We can think of Cybersecurity as having 3 basic zones; Red, Yellow, Green.
Red Zone is the internet. Make sure everything here is locked down tight, No compromises. Zone includes your firewall, Website, Cloud based services like Office365, and arguibly Wifi.
Yellow Zone is anywhere that a user opens email. Phishing is rampant and opening the wrong email gives bad guys a foothold into your Yellow Zone. If a firewall port-forwards to a server it is Yellow Zone.
Green Zone is Servers and Appliances. Bad Guys need to go through the Yellow Zone to get here.
This gives us a priority for where to start
Start in the Red Zone,
-use a service to test what ports are open on your firewall, GeoFilter them
-make sure any OS and Software that is port-forwarded is updated and has no critical CVE’s
-add GeoFiltering and 2FA to your Cloud services like Office365
-make sure your Firewall and VPN have the latest patches, consider turning on Auto-updates
-replace SSL VPN with anything else
-Scan your website for vulnerabilities
-If you use WordPress, update plug-ins, replace unsupported plugins with supported ones
-If your website takes orders and handles cash, hire a consultant to verify it is secure!
-Filter email for bad SPF, executeable files, strip macros from office documents, discard password protected zip files.
If you have spare cycles, start securing your Yellow Zone
-set your Firewall to block browsing to Russia, China, Ukraine. and known bad IP addresses.
-Get approval and Phish your users. Hand out prizes. Rick-Roll liberally.
-make backups, test them, now if you screw something up you can restore it.
-if you have a M$ domain, run PingCastle, fix the easy stuff yourself, contract the hard stuff