I thought this tweet might make a good blog post. I'm sure everyone in infosec will have their own answers, and all will be, generically, correct. Most of what I've seen is disagreements over one or two of the points, or how to remedy a point, or the implementation. What is a correct answer will depend on the environment and company.

Let's start with #1 - Password Management:

This is an area I love and spend a lot of time in, so I'm glad to see it being given attention. However, I would rephrase this one as credential/access management. It's a broader umbrella, but I want to make sure things like 2FA are implemented and that you aren't just thinking about users, but also IoT devices, server accounts, etc.

Password managers are never a bad idea, and I feel like it would be a good idea to provide one to employees. This encourages best practices, limits excuses, and allows you to recover credentials if an employee is hit by a bus (wins the lottery). I don't like the idea of written-down passwords, since it could allow another employee to snoop, but honestly, I would rather they do that than reuse passwords. Subscribe to HIBP (Have I Been Pwned) for your domain. Don't enforce stupid complexity rules; encourage passphrases.

Regarding servers/IoT/etc., store these credentials in a password manager so they can be audited/recovered. Again, I don't like written-down passwords as much, but they're better than simple or reused ones, and critical passwords should actually be printed and kept in a safe. Make it clear that leaving default credentials and/or using simple passwords is unacceptable. Starting these things earlier will make it easier to secure things later; whatever happens, track these passwords somewhere.
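As an added example (not from the original post), here is what the policy described above looks like in code: a length floor with no complexity rules, a check against well-known default credentials for servers/IoT, and a breach check using the k-anonymity scheme of HIBP's Pwned Passwords range API. The minimum length, the default-credential list and the embedded range data are constructed assumptions, and the offline lookup stands in for the real HTTPS call.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Assumed passphrase-friendly policy: a length floor plus a breach check,
# and no character-class ("one upper, one digit, one symbol") rules.
MIN_LENGTH = 12
# Default credentials never acceptable on servers or IoT gear (constructed sample).
DEFAULT_CREDENTIALS = {"admin", "password", "12345678", "default", "changeme"}

def hibp_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """5-char SHA-1 prefix sent to HIBP's range endpoint, 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned by /range/<prefix>."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            table[suffix.upper()] = int(count)
    return table

def _constructed_range_bodies(breached: List[str]) -> Dict[str, str]:
    """Offline stand-in for the API: fake range bodies, keyed by prefix, for the
    given plaintexts. Counts are constructed, not real HIBP data."""
    bodies: Dict[str, List[str]] = {}
    for word in breached:
        prefix, suffix = hibp_prefix_and_suffix(word)
        bodies.setdefault(prefix, []).append(f"{suffix}:{1000 * len(word)}")
    return {prefix: "\r\n".join(lines) for prefix, lines in bodies.items()}

SAMPLE_RANGE_BODIES = _constructed_range_bodies(["password", "letmein", "Summer2019!"])

def sample_range_lookup(prefix: str) -> Dict[str, int]:
    """In production, replace with an HTTPS GET of api.pwnedpasswords.com/range/<prefix>."""
    return parse_range_response(SAMPLE_RANGE_BODIES.get(prefix, ""))

def evaluate_password(password: str,
                      range_lookup: Callable[[str], Dict[str, int]]) -> List[str]:
    """Return the policy problems found; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters; use a passphrase")
    if password.lower() in DEFAULT_CREDENTIALS:
        problems.append("matches a well-known default credential")
    prefix, suffix = hibp_prefix_and_suffix(password)
    count = range_lookup(prefix).get(suffix, 0)
    if count:
        problems.append(f"seen {count} times in breach data (HIBP)")
    return problems
```

Only the 5-character prefix ever leaves the host, so the check can be wired into a signup or reset form without sending the password or its full hash to a third party.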

Lastly, back in the access management category, limit administrator access; this is going to save you a ton of pain.

2 - Email Management:

Another one I would rename/expand as employee training. Yes, this would encompass what to look for in email, but as others have said, it's not possible to train people to avoid every phishing email. That said, you can do better. Train them to report these things: if one employee misses a phish and clicks, another might catch it. Look for the obvious things; it may be as simple as hovering over links (a lot of people outside infosec don't even know about this!).

Along with reporting phishing, cover other types of training: what makes a good password, why 2FA is important, and what other threats are out there.

3 - Use more secure communication

Strike this one. Centralized logging/alerting would be my #3. You aren't going to know a problem exists if you can't see it. I'm looking at sysmon, ELK, and netflow here, as well as Zeek, Suricata, OSSEC and the like. Lastly, resource monitoring (sudden CPU spikes, all disk space being used, etc.).

4 - Losing Data

Again, I'll keep this one, but with some modifications. For a small business, I'm less worried about desktop encryption (perhaps mobile, not sure what my BYOD/laptop situation is), and I care not at all about shutting down at night. Redundant, regular backups are a must though, as is redundancy in general. This isn't just for desktops, but for any servers/systems I have. The last thing I want is to be part of a headline like this or this.

Wrapping up

These aren't necessarily in order. If they were I would start with backups/redundancy, removing local admin, centralized monitoring, employee training, and then the rest of credential/access management. All in all though, not a bad list, and there's a lot of room for other ideas depending on the environment.