Information security (infosec) is no longer a nice-to-have. It is a matter of corporate survival. Even the smallest company can be crippled by the simple loss of a customer list, or ruined by the fallout from losing protected customer information.
There's a lot more to infosec than merely hunkering down behind a firewall. As I've discussed before, the "eggshell computing" model of relying on edge defences to provide a difficult-to-penetrate shell around your completely unprotected interior network just doesn't cut it in this day and age.
Things you don't want to hear
If you are reading this, then you suck at information security. Accept it. Get over your own ego. Your belief in your own capabilities is the most dangerous and exploitable infosec weakness your business possesses.
There are a bunch of best practice assessment tools out there. Use them. I'm not going to lie to you and say that their answers are fit for every, or even most, networks. What they are is a baseline. They catch the obvious stuff, and if you document where and why your security stance departs from what version X of tool Y recommends, then whoever takes over for you after you get mauled by a pack of feral space tigers has at least a fighting chance of understanding what's what and why.
There are more of "them" than there are of "us." While there certainly are folks out there learning "systems interference" for fun, network penetration is an industry. There are lots of not-very-well-hidden places on the internet where you can go and pay a few thousand dollars to have someone pwn your competitors for fun and profit. Computer crime is probably the only vertical in IT that's actually small-business friendly.
Insider threats are a very real problem, and most of them come not from malicious superhackers or power users but from people looking to better their situation using data they have every right to access. Petty greed is your most common foe, not some mythical superhacker. Paying people well and fostering a sense of employee engagement will prevent more breaches than any but the most basic electronic defences, though neither replaces limiting who can reach that data and logging who does.
You probably already know of several dozen things you should be doing to make your network and its workloads more secure; you're just too lazy to do them. These range from automating configuration and deployment of workloads, to pushing known-good configs to switches and routers, to firewalling internal workloads, or even just enabling backups to offsite locations.
Cryptolocker is a massive threat that you are almost certainly not prepared for. The only real defence against Cryptolocker is a current and tested backup regime that stores backups somewhere your network cannot write. Whatever backs up your network needs read access to it, but nothing on the network side may hold write access to the backup store: the backup system pulls from the network, never the other way round.
Designing this is a pain and goes against a lot of the "eggshell computing" paranoia we were taught about hardening our networks. Time to adapt. If your network can write to the backup location, then Cryptolocker will find and encrypt those backups too. Keep multiple versions as well: the backup job will eventually pull already-encrypted files, and you need an older snapshot to fall back to.
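A concrete shape for that design, as an added example that is not from the original column: the script runs on the backup host only, pulls from the production share (the production side holds no credential for, and no write path to, the backup store), and writes each pull into its own snapshot directory whose files are made read-only, so a later pull that copies encrypted files cannot clobber an earlier clean copy. The directory paths, snapshot labels and the `customers.csv` sample are constructed for the example; in production the source would be a read-only export of the share rather than a local directory.

```shell
#!/bin/sh
# Added example (not from the column): pull-model, versioned backups.
# This runs ON THE BACKUP HOST. It reads from the production share and
# writes into a store that nothing on the production network can reach,
# so a compromised workstation has neither a credential nor a path with
# which to encrypt the backups. Every pull lands in its own snapshot
# directory whose files are stripped of write permission, so a later pull
# that copies already-encrypted files cannot overwrite an earlier copy.
#
# Paths are plain local directories (constructed so the example runs
# offline); in production SOURCE would be a read-only export of the share.

# pull_snapshot SOURCE BACKUP_ROOT LABEL
# Copy SOURCE into BACKUP_ROOT/LABEL. Refuses to touch an existing snapshot.
pull_snapshot() {
    src="$1"; root="$2"; label="$3"
    dest="$root/$label"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite existing snapshot: $dest" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    # -R recursive, -p preserve mode and times (cp -a is a GNU extension).
    cp -Rp "$src"/. "$dest"/ || return 1
    # Remove write permission from every file in the snapshot so even the
    # backup user cannot modify it in place; retention is handled by
    # deleting whole snapshot directories, never by editing them.
    find "$dest" -type f -exec chmod a-w {} +
}

# count_snapshots BACKUP_ROOT: how many snapshots are currently retained.
count_snapshots() {
    n=0
    for d in "$1"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# snapshot_is_readonly BACKUP_ROOT LABEL
# Succeeds only if no file in the snapshot still has the owner-write bit.
snapshot_is_readonly() {
    [ -z "$(find "$1/$2" -type f -perm -200)" ]
}
```

Run it from cron on the backup host with a label such as a timestamp; the production machines never learn the backup host's address or credentials, which is the whole point. Restore tests belong in the same cron schedule, because an untested backup is a guess.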
Infosec is everyone's responsibility. Accepting and implementing this will require a culture change in your organisation and a whole lot of humility. It is never "someone else's problem," or even "IT's problem." A perfectly secure organisation is impossible, but those that come closest make more long-term gains through education, morale-boosting and bridge-building between departments than they do through vicious restrictions and fiats.
In IT, nothing is safe. Windows, Linux, OS X – they can all be infected, compromised, fooled, and used as part of social engineering attacks against the user. The applications running on top of these operating systems are far more vulnerable than the OSes themselves and the meatsack pushing the buttons is the most vulnerable of all. Deal with it. You need to identify and stay on top of vulnerabilities regardless of the sacred cow in play.
You are not too small to be vulnerable
Cryptolocker can hit anyone, individual or business, large or small. It can strike organizations of any age and leaves devastation in its wake. Ask your infosec specialist about proper backups now.
The more potentially valuable the research you are doing, the bigger the target is painted on your back. Industrial espionage is very, very real. It is practiced not only by other corporations, but by state actors as well. Biotech, nanotech, envirotech and machine learning/AI are all areas that are regularly exploited, even though few people working in those industries suspect it. If the value of your company rests in intellectual property or trade secrets then you're a target, even if you're a one-man band.
Remember that bit about insider threats being critical? It's true. A lot of small businesses could be seriously harmed or even driven out of business if a salesdroid takes an offer with a competitor and walks out the door with a 200kiB Excel spreadsheet containing a customer list, amounts spent and discounts offered. If the competitor can undercut your top few accounts, they can drive you out of business in short order and pick up a healthy percentage of the remaining accounts when you fold.
The bigger you are, the more you need to be prepared to counter insider threats. Classic tricks like giving slightly altered information to different parties, in ways that don't affect their ability to work towards the final goal, can help ferret out leaks. Compartmentalisation of critical information can also be important, if it doesn't too badly affect morale. In essence, the basic tools of spycraft need to be employed, because every single one of your corporate secrets can walk out the door on a nearly impossible-to-find MicroSD card.
You can't do it alone
Ask for help. Ask a child. Or a pointy-haired boss. Explain how you are securing individual workloads to others. Explain how you are securing the whole network. If you can't explain it to a child, then you don't actually understand it. If the child can poke holes in your plan, it's time to go back to the drawing board.
You almost certainly remember a time before people walked around with the collective knowledge of the entire human race in their pockets. You probably even have a subtle facial tic that occurs every time someone uses the word "hacking" to mean "cracking", or thinks that distributed denial of service (DDoS) attacks shouldn't be considered a form of "hacking." This is a problem.
Remembering the beforetime makes you old. You don't swim in the stream. You aren't one with the machines in the way that today's kids are and you never will be. That makes them a threat that you absolutely cannot counter on your own. You will never be able to think about infosec the way that they do. That makes them valuable allies and dangerous opponents.
Above all, get outside help. Even if you are among the few organizations in the world with dedicated infosec hires, outside experts offer different viewpoints that are very important. Not only do they know the ropes, but if they are part of an organization that works with infosec issues across multiple clients, they are likely to see things that you haven't, before those things decide it's time to knock on your defences.
Additional ideas in the comments, please. Stay safe out there. ®