Small Business VPN/Cybersecurity

Hi all - I run a small business (20 employees) in a field that is frequently the target of attackers, and I’m trying to upgrade our security awareness/infra.

I’d like to have everyone use a VPN on their corporate devices, and have the ability to also use it for general internet use as well. Would Proton Business VPN be the best solution for this?

What other cybersecurity tech/processes do you use?

Thanks.

Do you have any tech staff or IT guy you can turn to? Best would be to set up your own VPN, which is pretty trivial; that way you are in full control.

You should probably speak with a consultant.

VPN will only encrypt traffic in transit…

How are you securing the endpoints?

We pretty much use VPNs nowhere anymore. We have minimal on-prem infrastructure which needs to be accessed by any of our clients.

Outlook and OneDrive data is encrypted in transit using SSL anyways.

We use Microsoft 365 Business Premium, with Intune to implement and enforce configuration and policies in order to meet Essential Eight recommendations based on the client's targeted maturity level. Pair with Windows Defender for Business for proactive threat identification and remediation advice.

Those who need an extra step get something like Huntress managed.

We implement MFA and SSO rigorously and use Conditional Access policies to ensure that access from non-compliant devices is prevented.

It’s not quick, easy or straightforward.

All that tech is great until one of your employees falls for a phishing attack via email. Spend time on awareness training to avoid somebody exposing their credentials and letting an attacker in. Conditional Access policies in 365 paired with secure endpoints and knowledgeable users are a solid strategy to start with.

Check out MSSPs. They can manage it all for you. Costs a bit, but probably less than IT staff or the cost of a compromise.

Also, make email security a big priority. 🙂

No, no tech staff. I could probably figure it out… what service would you recommend I look into?

Would that mean employees have to be connected to that VPN to access corporate email etc.?

This is helpful, thanks! Looking at Huntress for that. Considering their endpoint protection too, but might be overkill vs. Microsoft’s?

Any particular conditional access policies you’d recommend?

A location-based sign-in policy. If you’re US-based and your users never log in outside of the US, then you will want to block all sign-ins outside the US. If somebody needs to travel you can create an exception for that user, then remove it once they return.

Also if you haven’t already I would enable MFA for all users in your tenant as well.
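The location-based block described above, written out as an added example with the Microsoft Graph PowerShell SDK (this is not code from anyone in the thread; it assumes the Microsoft.Graph module is installed, that you hold the Conditional Access admin role, and that `BreakGlass-Admin` and the travelling user's UPN are placeholder accounts you substitute). It creates the policy in report-only mode first, so you can review the sign-in logs before enforcing it.

```powershell
# Added example: block sign-ins from outside the US with Conditional Access.
# Assumes Microsoft.Graph module and a Conditional Access admin session.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# 1. A named location covering the US only. Unknown/unresolvable countries
#    are NOT treated as trusted, so they fall under the block.
$usLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Trusted country - US"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false
}

# 2. Accounts excluded from the block: at least one break-glass admin
#    (so a policy mistake cannot lock everyone out) plus any traveller.
#    Remove the traveller from this list when they return.
$excludedUsers = @(
    "BreakGlass-Admin@example.com",       # placeholder break-glass account
    "travelling.user@example.com"         # placeholder temporary exception
)

# 3. The policy: all users, all apps, every location EXCEPT the US => block.
#    State is report-only; switch to "enabled" after checking sign-in logs.
$policy = @{
    displayName = "Block sign-ins from outside the US"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = $excludedUsers
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($usLocation.Id)
        }
    }
    grantControls = @{
        operator         = "OR"
        builtInControls  = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Report-only results show up per sign-in in the Entra sign-in logs under the policy name, which is where you confirm no legitimate user is being caught before flipping `state` to `enabled`.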

Copy. Would you turn off text-based 2FA and only use an app/yubikey?

Any type of 2-factor is better than none, but I prefer using an Authenticator app. We have both as options and let users decide.