Practical IT Security for SMBs

By Phil Koster
Senior Cloud Engineer
Trivalent Group, Inc.

Many small and midsize businesses (SMBs) don’t have any security expertise in-house.  If you have ever tried to research IT security, you have already found that nearly any search on IT security-related topics returns an overwhelming list of results that are either products you should buy or complicated articles targeting IT professionals.  Today’s legal climate in the United States places an increasing amount of liability for security breaches on businesses.  According to CBS News, while only 14% of victims suffered direct out-of-pocket losses in 2012, 68% suffered indirect losses averaging $1,769.  If your company were held liable for identity theft of 1,000 customers and 68% of the victims suffered the average loss, your company could be looking at more than $1.2 million in restitution to the victims.  Moreover, you potentially face fines, lawsuits from other companies such as banks, actual damages for the 14% that had direct losses, loss of current customers, and reputation damage.  So, what does a small business need to do to avoid some of these pitfalls?  I have always heard about the 80/20 rule: 80% of the result takes 20% of the effort, while the remaining 20% takes 80% of the effort.  This rule applies to IT security as well.  The difficulty many small businesses have is figuring out what that 80% result in IT security looks like.

IT security for SMB can get complex, but it doesn’t start that way and it doesn’t need to become complex.  One of the key concepts that needs to be understood is widely known as “Defense in Depth.”  Defense in Depth is simply the concept that you need multiple levels of security.  Much like large buildings have fire breaks and large ships have water compartments, your security needs to have a way to mitigate problems if one method is compromised.  Once you understand how the concept applies to your IT security environment, it will get much easier for you to organize and understand.

Any company’s IT security posture needs to start with senior management.  There must be a fundamental understanding of the priority at the uppermost levels, and priority needs to be appropriately given to the security efforts.  This is most commonly done via corporate policies.  Many small businesses shy away from policies because policies are generally viewed as restrictive, rigid, and simply too formal.  The reality is that a policy does not need to be any more complicated than an email sent to all employees and then printed and posted.  It does not need to be a 5-page document taking into account every possibility with no room for exceptions.  Your security policy (or, more likely, policies) should cover items such as passwords, acceptable use, data center alarm procedures, asset management, and response procedures.  The lack of good response procedures accounts for two of the five lessons highlighted in the now-infamous Target security breach.

The most basic security measures are physical security.  Today, nearly every building has locks and alarms on it.  But what sometimes gets overlooked is the physical security of the servers.  Just because you only have two servers doesn’t mean they shouldn’t be locked in a ventilated closet or secured to the building with a security cable like this one.  If you still use tapes or USB drives for backups, don’t forget to secure those as well.  Don’t overlook securing your desktops, laptops, and other mobile devices, either.  In addition to the loss of an expensive asset, many of these devices also contain valuable data in the form of draft copies and cached data (data temporarily stored by the computer to speed up processing or allow offline access).

Information security is a broad area.  Many people know the basics, such as running good anti-virus software and routinely updating your computer or mobile device.  What often gets overlooked, though, is the need to make sure all of your installed applications get updated and all of your non-PC devices get their updates too.  Windows Update is not going to update, for example, Oracle, Java, or Adobe Acrobat Reader.  In 2014, 83% of all vulnerabilities were in applications and only 13% were in operating systems such as Windows (see “Most vulnerable operating systems and applications in 2014”).  Of the 12 applications with the most vulnerabilities in 2014, only one gets updated through Windows Update.  Some of you may have noticed that 83% and 13% add up to only 96%.  So, what was the other 4%?  Hardware.

Passwords receive a lot of attention, but there is also a lot of conflicting information about passwords on the Internet.  Passwords come down to 5 simple rules:

  • Have a policy and educate your users
  • Length is more important than complexity (this was not always the case)
  • Don’t keep using the same password everywhere (for help on how to remember them all, see this article)
  • NEVER share passwords and, if you have to for some reason, make sure you change it at your first opportunity
  • If you have to write down a password, do not store it in the same place as the device is used on (e.g., don’t put your network login information on a post-it note under your keyboard or mousepad)
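To show why length beats complexity, here is a small added example (not from the original article) that estimates the brute-force search space of a password from its length and the character classes it uses. The two sample passwords are constructed for illustration.

```python
import math
import string

# Character classes an attacker would have to include in a brute-force
# search, with the size each one adds to the alphabet.
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 on a US keyboard
)


def pool_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    chars = set(password)
    return sum(size for members, size in _CLASSES if chars & members)


def keyspace_bits(password: str) -> float:
    """Search-space size in bits for a brute-force attack: length * log2(pool)."""
    pool = pool_size(password)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def longer_simple_is_stronger(short_complex: str, long_simple: str) -> bool:
    """True when the longer, simpler password has the larger search space."""
    return keyspace_bits(long_simple) > keyspace_bits(short_complex)


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password versus a
    # 16-character all-lowercase one.
    for pw in ("P@ssw0rD", "bluecoffeewindow"):
        print(f"{pw!r}: pool={pool_size(pw)}, bits={keyspace_bits(pw):.1f}")
    print("Longer simple password is stronger:",
          longer_simple_is_stronger("P@ssw0rD", "bluecoffeewindow"))
```

This estimate is an upper bound: a long password made of dictionary words in a predictable order is weaker than the bit count suggests, which is why the policy and user education points above still matter.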

A critical part of security is the people.  Users, meaning anyone who logs on to your network, whether employees or contractors, must be educated on the existence of the policies, what they say, what they mean, and how to apply them.  There is also a lack of fundamental computer education in the workplace.  This is not just an SMB problem, but the impact can be larger for smaller companies.  Users need education on things like how to pick good passwords that are easy to remember, how to use password managers, how to identify social engineering attempts via phone and email, and other similar matters.  Many viruses only get onto a network because an employee does not know how to identify a fake email or does not understand the ramifications of clicking on the link (or attachment) inside it.

Last but not least is compliance.  All the rules and technical safeguards do absolutely no good if no one checks to ensure they are complied with.  Many organizations that have small IT staffs often disable many security-based logging features because they generate too much noise to filter out.  But you cannot find what you’re not looking for.  So, you must have a policy that is in place and enforced to audit your security at least once per year.  When you do audit your security, don’t forget about the security management and policies.  Once every year or two, you should have dedicated time to review and clean up the security policies.  I once worked for an organization that, as of 2008, still had a list of acceptable software on which the newest version of Windows listed in that policy was Windows 3.11 (the version before Windows 95).

Security does not have to be complicated.  The practical basics are the creation and use of policies, protecting the hardware, educating your users, and auditing your security to make sure it is working.  There are many more things which you can do, but this basic framework will get you heading in the right direction.  All of the above are matters that Trivalent can assist with, including the creation of policies, so please do not hesitate to reach out to us on any or all of these points.