Here are 10 inexpensive or free things that will move the needle for your cybersecurity program:
1) Laptops: Install an MDM like Airwatch or JAMF, and install advanced endpoint protection like SentinelOne or CrowdStrike. Require this for all devices.
There are dozens of great tools in this category. Choose your favorite.
2) Cloud Security: Use all the add-ons your cloud provider offers related to security (logging, monitoring, vulnerability scanning, web app firewall, key management).
The toolset will vary across major infrastructure providers such as AWS, Azure, or GCP, and will require some reading of the provider's knowledge base.
3) Email: Enable email security/spam filtering on your Google or MS365 environment.
4) Multi-Factor Authentication (MFA): Enable and require MFA on every tool you use. Try to get as much as you can on single sign-on (SSO) via MS365 or Google.
5) Phishing Training: Check out Curricula and sign all your employees up for free security training so they know phishing when they see it. Even better, buy the solution.
6) Vulnerability Scans: Buy Nessus (~$2500) and Burp Suite (~$250) and scan your network and applications regularly. Fix all the issues that come up.
Google “OWASP dynamic and static source code analysis” for a list of tools (including free ones).
7) AWS Root Account: Secure your AWS root user account and make sure the founders have access to it. If the engineer who launched your AWS account loses it, you will be in a world of pain.
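Two of the cheapest checks on item 7 are whether the root user has an MFA device and whether it still carries long-lived access keys; both come back from the real IAM GetAccountSummary call. This is an added example, not code from the original post; it assumes boto3 is installed and the caller has iam:GetAccountSummary, and the evaluation is kept separate from the API call so it also runs on the constructed samples without AWS access.

```python
"""Flag weak AWS root-user hygiene from the IAM account summary (added example)."""

# SummaryMap keys from iam:GetAccountSummary that describe the root user,
# with the value a secured root user should report and the finding otherwise.
ROOT_CHECKS = {
    "AccountMFAEnabled": (1, "root user has no MFA device enrolled"),
    "AccountAccessKeysPresent": (0, "root user still has long-lived access keys"),
}


def evaluate_root_summary(summary_map):
    """Return the list of findings; an empty list means both root checks pass."""
    findings = []
    for key, (expected, message) in ROOT_CHECKS.items():
        # A missing key is treated as a failure rather than silently passing.
        if summary_map.get(key) != expected:
            findings.append(message)
    return findings


def fetch_summary_map():
    """Call iam:GetAccountSummary and return its SummaryMap (needs boto3 + credentials)."""
    import boto3  # imported lazily so evaluate_root_summary() runs without boto3 installed
    return boto3.client("iam").get_account_summary()["SummaryMap"]


# Constructed samples (not real account data): a neglected root user and a secured one.
SAMPLE_WEAK = {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 1, "Users": 12}
SAMPLE_OK = {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0, "Users": 12}

if __name__ == "__main__":
    for finding in evaluate_root_summary(fetch_summary_map()):
        print("FAIL:", finding)
```

Run it with credentials for the account in question; any printed FAIL line is a root-user fix to schedule before the next audit.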
8) Engineering: Enable and configure alerts for dependencies, code checkouts/commits, merges to master, failures, etc. in GitHub, GitLab, Bitbucket, or whatever you are using for source code and change management.
9) Passwords: Use a password manager like LastPass. Make sure to have a continuity strategy for credentials to all key systems.
10) Vendor Security: Ask your vendors and contractors hard questions about security. Get comfortable that they aren't putting you at risk.