Way back in 2009, NIST released a 20 page document that is a great set of fundamental
recommendations for small business cyber/information security.

• NISTIR 7621 Small Business Information Security:  The Fundamentals

There’s certainly many more things you should be doing, but it’s a great place to start if you’re an IT Director or CIO at a small business and you’re not sure what you should be doing to secure your company’s information and systems.

There’s plenty of ways to spend money on shiny cyber security software and devices, but this is a great foundation to build your company’s defenses on before start buying Intrusion Detection Systems or hiring Penetration Testers or Social Engineers.