I've long been a fan of the advice from the Australian Signals Directorate (ASD) [previously the Defence Signals Directorate (DSD)]. Not too long ago they changed their "Top 4" to their "Essential Eight".
What I like about ASD's advice is that it's easy to read; by comparison, ISO 27001:2013 might be full of great advice, but even the name is indecipherable jargon to most people.
ASD's Essential Eight are simple to understand, and with the exception of Application whitelisting, they are relatively easy to implement. They are:
- Application whitelisting
- Patch applications
- Disable untrusted Microsoft Office macros
- User application hardening (Uninstall shovelware)
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
- Daily backup of important data
While it might be fun to install blinky-light boxes that run fancy machine learning algorithms and cost a fortune, ASD's Essential Eight are cheap, simple and effective, and will definitely get you the best bang for your buck.