network – You are in charge of the security of a very small company. What steps would you follow to achieve a good security level?

First of all, I would like to admit that I belong to the offensive side of security (penetration testing) and this is not my usual area of expertise.

Last week I was thinking about how the market usually provides services focused on medium/big companies. On the one hand, it makes sense: bigger company = more money; on the other, it annoys me how unfair it is that the smallest and most modest companies are not an area of interest for the main businesses.

So, if you had to create a budget model for a small company, what would be the minimum principles to follow, taking into account the following premises:

  • Company with up to 10 people, which means at most 10 workstations in total
  • This company has not yet bought any hardware such as a FW or SW
  • This is a simple company that
  • There is no plan for scalability/company growth, therefore a centralised solution such as AD would probably be meaningless
  • A Wi-Fi AP would be nice, but not mandatory
  • There will be at most 1 or 2 servers exposing DB services (or something similar)
  • The people in the company should be able to access the DB service somehow when they work from home (OpenVPN)

My penetration testing mindset came up with these recommendations:

  • Create an inventory of every element that has connection capabilities and is intended to be used
  • Assess the password security policy and adapt it accordingly
  • Create a golden image or similar that will be installed on every workstation; this image should include effective hardening adapted to the business.
  • Assess the security of the servers installed; this includes the services exposed, avoiding cleartext protocols, outdated/deprecated versions…
  • Create a VPN server that implements MFA
  • Ensure that the HDDs are encrypted
  • Educate the users

I know that this is not perfect, and these are the topics where I am somewhat confused:

  • A security policy/threat model has to be created, but I have no clue how to do that. What is a good starting point?
  • Does the use of a SOC make any sense in this context?
  • Would it be necessary to hire a part-time sysadmin?
  • In terms of network topology, my idea was something like this:
    (network topology diagram: image not reproduced here)

I know that it might be bad, but honestly, I did not find any “golden” rule about how to create effective network diagrams. I simply adapted what I saw on the internet plus my own experience.

Finally, I would like to add that even though this looks like an enormous and broad question, it is actually not that broad. Lots of small companies have to deal with this problem, which is not easy to solve. From my perspective (which has nothing to do with security engineering), I have seen a lot of obscurity on this topic, particularly for people with zero security knowledge, as if the industry were specifically interested in not providing clear answers.

Thanks to everyone.
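For the "VPN server that implements MFA" item in the list above, here is an added example (not from the question or any answer) of what an OpenVPN setup enforcing two factors can look like: factor one is a per-employee client certificate, factor two is a TOTP code checked through PAM with the Google Authenticator module. The file paths, the office network 192.168.1.0/24, the VPN client subnet 10.8.0.0/24, the hostname vpn.example.com, the user name alice and the location of the auth-pam plugin are assumptions for a Debian-style layout with OpenVPN 2.5 or newer and must be adapted.

```conf
# ---- file: /etc/openvpn/server/server.conf  (added example; paths/subnets assumed)
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0            # assumed VPN client subnet

# PKI built with easy-rsa: one certificate per employee, revocable individually
ca   /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key  /etc/openvpn/server/server.key
crl-verify /etc/openvpn/server/crl.pem   # reject certificates of people who left
dh none                                  # ECDH key exchange only, no static DH params

# Encrypt and authenticate the control channel with a pre-shared key, so a client
# without that key cannot even begin a TLS handshake (cuts the exposed surface)
tls-crypt /etc/openvpn/server/tc.key
tls-version-min 1.2
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256

# Factor 1: a valid client certificate is mandatory
verify-client-cert require
# Factor 2: the username/password the client sends is handed to PAM service "openvpn"
# (plugin path is distribution-specific; this one is the Debian/Ubuntu location)
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

# Only the office network is routed through the tunnel (the DB server lives there)
push "route 192.168.1.0 255.255.255.0"

keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup
verb 3

# ---- file: /etc/pam.d/openvpn
# The "password" the client sends is the 6-digit TOTP code. Each employee enrols once
# on the VPN server with the `google-authenticator` command, which writes
# ~/.google_authenticator for that Unix user; without that file the login fails.
auth    required   pam_google_authenticator.so
account required   pam_permit.so

# ---- file: client.ovpn  (one per employee, here for the assumed user "alice")
client
dev tun
proto udp
remote vpn.example.com 1194              # assumed public name of the office server
remote-cert-tls server                   # refuse a peer presenting a client cert as server
tls-crypt tc.key
ca ca.crt
cert alice.crt
key alice.key
auth-user-pass                           # prompts for the Unix username and the TOTP code
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
verb 3
```

Two practical notes. First, the certificate is the "something you have" factor, so it is only worth something if the laptop it lives on is full-disk encrypted (the "HDDs are encrypted" item in the list); otherwise a stolen laptop plus a phished TOTP code is game over. Second, offboarding is the CRL: revoke the employee's certificate with easy-rsa, regenerate crl.pem, and delete their ~/.google_authenticator, and the account is dead regardless of what they still carry.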
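The premises say the DB server must be reachable from home only over OpenVPN. On a small network with no dedicated firewall appliance, the cheapest way to make that a rule rather than an intention is a host firewall on the server itself. Below is an added nftables ruleset (not from the question or any answer) for that purpose. It assumes one Linux server runs both the database (PostgreSQL on 5432) and the OpenVPN endpoint on 1194/udp, that 192.168.1.0/24 is the office LAN and 10.8.0.0/24 the VPN client subnet, and that the tunnel interface is tun0; all of those are assumptions to adapt.

```conf
#!/usr/sbin/nft -f
# Added example, not from the question. Assumed layout: one server hosting the DB
# (PostgreSQL, 5432/tcp) and the OpenVPN endpoint (1194/udp); office LAN 192.168.1.0/24;
# OpenVPN client subnet 10.8.0.0/24; tunnel interface tun0.
flush ruleset

define LAN    = 192.168.1.0/24
define VPN    = 10.8.0.0/24
define DBPORT = 5432

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept

        # The OpenVPN endpoint is the only service exposed to the Internet
        udp dport 1194 accept

        # SSH and the database: office LAN and VPN clients only, never the Internet
        tcp dport 22      ip saddr { $LAN, $VPN } accept
        tcp dport $DBPORT ip saddr { $LAN, $VPN } accept

        # Everything else falls through to the drop policy; keep a rate-limited log
        # so the "inventory" of who knocks on the door can actually be reviewed
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # Only traffic that arrived through the tunnel may be forwarded into the LAN
        # (needed if home workers must reach office hosts other than this server;
        # those hosts also need a return route to $VPN via this server)
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "tun0" ip daddr $LAN accept
    }
}
```

Load it with `nft -f /etc/nftables.conf` and check the result with `nft list ruleset`; the test that matters is from outside the office: a `psql` or `nc` connection to port 5432 from a home IP must time out before the VPN is up and succeed after it. The firewall is defence in depth, not a substitute for the database's own authentication and TLS, which the "assess the servers" item still has to cover.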