Security is a concern for every business, but small to medium-sized businesses (SMBs) may fall into the trap of thinking that a serious security strategy is just too much expense and hassle.
Not so. Of course, the cost of anti-virus solutions and firewalls are simply a part of doing business. But tying common security technologies into an overall plan is mostly a matter of staff training and careful evaluation of your business' critical functions and needs.
Fundamentals of Small Business Information Security, a report from the National Institute of Standards and Technology, details a strategy for small business to take a comprehensive view of their network security. The report is free for members of IT Business Edge here in the IT Downloads Library.
The 20-page report (which is pretty terse for an NIST publication) breaks its recommendations out into weighted categories:
Most SMBs - at least, we hope most SMBs - will have their bases covered when it comes to the basics: anti-virus software, firewalls, data backup, employee training.
It's when you get into the highly recommended suggestions that you find security gaps where SMBs might either not have the resources or simply never thought to employ that level of security planning. Among those suggestions:
Background checks for new employees: Hiring somebody is just about the most obvious way to give them the keys to the kingdom, in terms of data and network access. Do credit checks and verify degrees and other credentials on job candidates' resumes, if possible. At the very least, call their job references.
Teaching employees to be suspicious: It's not warm and fuzzy, but all employees should be trained to cast a jaundice eye toward anyone who calls or emails asking for access to company info or, even more suspiciously, the network. At the very least, train your employees to ask the caller for some piece of information that only an authorized person would know.
Proper disposal of old computer equipment: Hard drives hang on to data forever unless you make special effort to get it off there. There are companies that specialize in eco-friendly tech disposal, but the process can be pretty low-fi - and kinda fun, depending on your point of view. As the report notes:
The destruction can be done by taking apart the disk and beating the hard disk platters with a hammer.
In the "other" category, SMBs get advice about disaster recovery and business continuity, which are often thought of as the domain of larger enterprises, but on a basic level just come down to identifying your most important business assets and devising ways to protect them. The report includes a series of survey templates, like the one depicted below, to help with the process.
If you are seriously interested in business continuity, you should check out the Business Impact Analysis Questionnaire from our partners at Toolkit Cafe. The Word-based template takes a more highly structured approach to cataloging your business processes and data, in case something bad happens