timeline
  title First Steps for a Small Business Security Roadmap
  section Basics - These are absolute must-do items for a company of any size - I've seen too many small businesses not perform these steps.
    Inventory of business assets : Technology the business has : Software the business uses : Data the business has and where it is : Third parties the business uses : Locations where business is conducted or business assets may be present : Personnel : Tools of the trade
    Reduce chances of Business Email Compromise : Implement SPF, DKIM and DMARC : Perform training on identifying phishing e-mails : Use a third-party service to filter e-mail
    Update everything : Make sure your firewall is still supported by the vendor : Update your firewall and review its configuration : Set up regular updates of all other electronic devices from your inventory : Validate every 3 months that all devices have been updating
  section Intermediate - This is a MUST-do if you handle PHI and are a HIPAA BAA or CE.
    Establish a Security Program : Scroll down to see more details on what is required
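
The Basics row on SPF, DKIM and DMARC says which records to publish; the check below, an added example written for this page and not the author's own tool, reads already-published SPF and DMARC TXT records and flags the settings that still leave a domain spoofable (a permissive `all`, `p=none`, no report address, too many DNS lookups). The domain and record values are constructed samples rather than live DNS lookups, and DKIM is not checked because its key records live under per-selector names.

```python
"""Flag weak SPF and DMARC settings before relying on them against BEC.
Added example, not from the original page. Records are constructed samples
for a hypothetical domain; no live DNS queries are made."""
import re

# Constructed sample TXT records for a hypothetical domain.
SAMPLE_SPF = "v=spf1 include:_spf.example-mail.test mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc@example-smb.test"

# Mechanisms that cost one of the 10 DNS lookups SPF allows (RFC 7208 s.4.6.4).
_LOOKUP = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)|^redirect=", re.I)


def evaluate_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing flagged."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("all", "+all"):
        findings.append("'+all' lets any host send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral and gives receivers nothing to enforce")
    elif all_term == "~all":
        findings.append("'~all' softfails only; move to '-all' once DMARC is enforcing")
    lookups = sum(1 for t in terms if _LOOKUP.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def evaluate_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing flagged."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag: p={policy}")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    return findings
```

Run it against your own domain's TXT records (root for SPF, `_dmarc.` subdomain for DMARC) and treat every finding as an open item on the roadmap.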
 

I have two blog entries on topics related to the chart above.

The three images below are links and lead you to more in-depth information on the topic from the HHS.
If your business handles ANY Protected Health Information (PHI) or Personally Identifiable Information (PII) and is a Covered Entity or associated with one, you need to be doing all of the following NOW. Start by taking your inventory and performing a Risk Assessment.

Link to HHS Security Rule
Link to HHS Physical Safeguards
Link to HHS Technical Rule