Accessibility Tools

Skip to main content

Getting Started with Security in a Small Organisation

Getting started in cyber security

Get started with your Organisation's Security Programme! The hardest part of anything is often getting started, whether it is a personal fitness habit or getting started with our organisation's cyber security protection.

This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.

 Glossary Terms in this Blog Article - hover to view, click for full glossary.



Today we're going to be looking at "What to consider, when getting started on the cyber security protection ladder." We all know that we should eat more healthily, get fitter, etc. just like most organisations know that they should improve their cyber security protection programme. The hardest part of doing many of these things that are good for us is in getting started. Where should organisations start first with instilling cyber security into the organisation?

To start us off today Nick’s going to going to go through the approach we recommend.

Default sample awareness and knowledge infographic

Approaches to Getting Started

To get started with security you need to ask yourselves, what appears to be some very basic questions about the organisation, who, what, where, why? But, pretty soon you’ll realise this is a lot more involved, so the first thing to consider in approaching cyber security is to split desired outcomes and outputs into five control groups. There are other approaches, but we believe using these “groups of controls” are an effective way to get started.

The groups of controls that any organisation should include in its cyber security programme are:

  • Identify & Assessment controls – this includes identifying all its critical assets, its approach to cyber security risk management, as well as determining its risk appetite.
  • Prevention or Protection controls – includes those controls that prevent or protect bad things from taking place on the outset. Examples of such controls include anti-malware solutions, firewalls, security policies, password or authentication guidance, user awareness training, etc.
  • Detection controls – these controls are to monitor and detect things that can and have happened. Examples of these controls are network monitoring, log files, alarm systems, etc.
  • Response controls – these controls kick in as soon as it has been identified that something bad has probably taken place and action is required to deal with it. Examples of such controls include response policies and plans.
  • Recover controls – these are in place to ensure that the organisation will be able to recover once the threats / risks have been dealt with. Examples include backups, backup policies and procedures.

Each of these groups of controls can be broken down further into three sub-groups, and we will provide some examples of each a little later.

  • People controls – people are at the heart of every organisation and should drive the cyber security programme. In many respects where staff are able to take appropriate actions, they may appear to be a cheap way to ensure several security aspects. Most people controls don’t work in isolation, they are most effective in combination with other controls. Examples of such controls include user awareness training, reception staff (who only let in people into the office where they have met certain criteria), staff identifying phishing or ransomware attacks and not clicking on suspicious links, etc.
  • Process controls – these controls provide standardised structure for any approach, and include policies, processes, procedures, guidelines, plans, standards and frameworks. Examples include security policy, password guidance, cyber security frameworks, encryption standards to be used, response plans, backup procedures, etc.
  • Technology controls – are often controls that provide some level of automation to stop something based on a set of rules, or to identify what has been happening, or to take actions at regular intervals (like hourly backups). Examples include, firewalls, anti-malware, automated backup solutions, etc.

Large organisations have undergone several trends where we have seen a focus on investment mainly into prevention controls, then over time into a balance between prevention and detection controls. Then, as it became a reality that most organisations are likely to get compromised there was greater investment into response controls. More recently with ransomware attacks the emphasis for some became recovery controls, to ensure that they won’t be caught out by ransomware attacks.

In many cases the greatest immediate benefits for most organisations when they don’t have any controls in place are often to start with technical prevention controls. With the right combination of these controls most organisations are able to reduce the exploitation of the simplest attacks. As these types of controls are considered to be simply cyber hygiene controls, we recommend these as a starting point too and spending much of our time on this group.

Once the basics are in place as a first step, it would be time to consider the other controls. Today we provide at least two examples in each sub-group for organisations to pick out something that may be relevant for them.

We don’t want to create a long list of things to do on the outset, so we will try and keep this getting started list as easy as possible. But organisations must remember that the list is nothing more than a getting started list, and that there may be several things that are not relevant for some and other things that may be relevant for some but may be missing due to the fact that this is only a getting started list.

Finally, it is important to remember that some controls fall into several control groups or may be adapted for more than one control group.

Default sample Threat Map infographic

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more. 

Images from