When I work with a client,  that has no formal information security plan or framework, the first thing I recommend getting started on is a security awareness program. This is a fancy way of saying "training staff how to identify, reduce, and react to suspicious...