To a cash-strapped SMB, security seems like a frill, not a necessity. But an incursion can be lethal to a firm’s survival. In a previous article, we discussed how SMBs can manage IT just like the big guys using best practices. This article considers measures that can make the biggest difference to an SMB’s security posture. Some of the strongest protections against hackers can be common sense actions that protect from threats at little or no cost.
The first step in security is deciding what to secure. A risk assessment gives an overall picture of the security needs of the company. It also serves as a foundation for prioritizing expenditures towards improving security. A simple risk assessment form suitable for SMB can be found here.
Yes, written policies provide legal protection. Just as important: they make employees aware of proper conduct. There are many types of policies, and they are all valuable. However, for an SMB, an acceptable use policy is critical. Since it describes how employees can use company systems and resources, it goes a long way towards protecting your investments in the business. You can find an example at http://www.webtitan.com/infographics-guides/company-internet-usage-policy-template-808.
Many security breaches are caused by ignorance on the part of employees. Remember that employee who wanted to help the Nigerian prince? (I hope not.) You do not have to create your own training material. Some great free programs include:
When was the last time you changed your wi-fi password? A wi-fi signal does not end at your office walls. Your first line of defense consists of good passwords that are changed at least once a month.
Servers, routers, switches, and all end-user devices should have passwords as well. Remember that many devices have default passwords, and change them immediately after installation.
To check how secure your end-user devices are, use a free security checkup available at many websites. Caution: some of these websites are not reputable and can actually infect your computer with malware. Make sure that you use one of the websites listed at
To check how secure your network is, use a free penetration testing tool from Metasploit .
Use the phishing filters and security software that you already have; in your browser. Depending on the browser, select Options or Settings. You will see the content filter and pop-up, cookie, and certificate settings.
There is absolutely no excuse. You must install an automatically updated malware protection package on all end-user devices. This includes personal mobile devices if they use the company wi-fi. (Make sure to cover this in your acceptable use policy.)
One of the best investments you can make is email filtering. Spammers assume SMBs do not have expensive sophisticated email filtering. But email filtering is not always expensive. SpamTitan is a really flexible anti-spam solution and can be deployed in whichever way suits you best:
A whopping 40 percent of data loss is due to human error, according to Kroll Ontrack research. “It is more often the everyday occurrences such as accidental file deletion or spilling a hot drink on a piece of IT hardware that could cause the biggest disruption to a business if data is not properly stored and backed up” TechRadar.
There are many choices for data backup. Of course, this should be determined based on an SMB’s data volume. Here are some options: file or volume synching, cloud backup, traditional backup software, and replication.
From a security perspective, it is critical to apply system software updates as soon as possible. This applies to operating system software (Windows, Mac OS, Linux) and any security software such as antivirus. Ideally, choose network security solutions that auto update.
Installation of software on the server or any business device must be preapproved. This is especially important because the software is increasingly open-source, so regular accounting controls do not apply. Each additional application introduces new vulnerabilities, increasing your company’s attack surface. For example, it might be convenient to have remote access to the server, but this provides attackers with another way to penetrate your network. Installing remote access software, then, should be considered a business decision in which risk is balanced against benefits.
Whenever new devices are added to the company network, you risk data loss, malware, and attacks. If the company permits BYOD (bring your own device), the device must have the same security standards as any company-owned device. (Another item for your acceptable use policy.)
SMBs may be using the cloud more than larger enterprises, especially for SAAS (software-as-a-service) applications. Access to cloud resources should have the same restrictions as access to on-site company resources.
The measures described require minimal time and expense, especially considering that a security breach could threaten an SMB’s survival. In fact, a costly “comprehensive security solution” software package would be ineffective without first taking the steps above.
Sign-up for email updates...