Just started work at an SMB? Or perhaps you are heading out to your second interview for the position of IT manager and will have the opportunity to ask some questions of your own. To help you develop a good feel for the challenges ahead, or to better appreciate the state of security in your current organization, do a quick run-through of the security health checklist below and see how you fare.
Check for the Presence and State of Antivirus Software
Is antivirus software deployed? Is a uniform application suite deployed, or does it consist of a smorgasbord of 90-day evaluation copies together with copies purchased off-the-shelf at various times of the year? Are the definitions up to date? How the software is deployed gives additional clues about how seriously security is taken. Are they stand-alone consumer-level installations, or is a central server used to track the health of individual machines and push the requisite updates to them?
Check Whether Encryption is Used for Wi-Fi Networks
There is no more telling sign of a poor culture of security than an unencrypted Wi-Fi network. Indeed, whether many of the other items on this list need to be fulfilled is debatable, depending on the needs and inherent limitations of the SMB in question. However, not enabling encryption on Wi-Fi is completely inexcusable, and speaks of blatant ignorance or negligence. And no, configuring WEP or WEP2 is not considered good security practice either.
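One way to turn this check into a repeatable audit is to parse a wireless scan and flag every network that is open or uses WEP. The script below is an added example, not part of the original article: it parses a constructed sample laid out in the shape of `netsh wlan show networks mode=bssid` output (the SSIDs, BSSIDs and signal values are made up, and the assumption is that the real tool's `Authentication`/`Encryption` labels match), then rates each network as `fail` (open or WEP), `weak` (original WPA/TKIP) or `ok` (WPA2 or newer with CCMP/AES).

```python
import re

# Constructed sample in the shape of `netsh wlan show networks mode=bssid` output.
# Assumption: the real tool uses the same "Authentication"/"Encryption" labels;
# every SSID, BSSID and signal value here is made up for the example.
SAMPLE_SCAN = """\
Interface name : Wi-Fi
There are 4 networks currently visible.

SSID 1 : CorpNet
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:11:22:33:44:01
         Signal             : 82%

SSID 2 : Warehouse
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:11:22:33:44:02
         Signal             : 60%

SSID 3 : Guest
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:11:22:33:44:03
         Signal             : 55%

SSID 4 : Printers
    Network type            : Infrastructure
    Authentication          : WPA-Personal
    Encryption              : TKIP
    BSSID 1                 : 00:11:22:33:44:04
         Signal             : 40%
"""

SSID_RE = re.compile(r"\s*SSID \d+\s*:\s*(.*)$")          # "SSID 1 : name" (not BSSID)
FIELD_RE = re.compile(r"\s*(Authentication|Encryption)\s*:\s*(.*)$")


def parse_scan(text):
    """Return a list of {'ssid', 'auth', 'enc'} dicts, one per visible network."""
    networks, current = [], None
    for line in text.splitlines():
        m = SSID_RE.match(line)
        if m:
            current = {"ssid": m.group(1).strip(), "auth": "", "enc": ""}
            networks.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key = "auth" if m.group(1) == "Authentication" else "enc"
            current[key] = m.group(2).strip()
    return networks


def rate_network(auth, enc):
    """Classify an authentication/encryption pair.

    fail  - no encryption at all, or WEP (cryptographically broken, treat as open)
    weak  - original WPA or TKIP, deprecated but not trivially broken
    ok    - WPA2/WPA3 with CCMP/AES or GCMP
    """
    auth_u, enc_u = auth.upper(), enc.upper()
    if enc_u in ("NONE", "") or enc_u == "WEP":
        return "fail"
    if enc_u == "TKIP" or auth_u.startswith("WPA-"):
        return "weak"
    if auth_u.startswith(("WPA2", "WPA3")) and enc_u in ("CCMP", "AES", "GCMP"):
        return "ok"
    return "unknown"


def audit(text):
    """Map SSID -> rating for every network in a scan dump."""
    return {net["ssid"]: rate_network(net["auth"], net["enc"]) for net in parse_scan(text)}


def failing_ssids(text):
    """SSIDs that would fail this checklist item outright, sorted for reporting."""
    return sorted(ssid for ssid, rating in audit(text).items() if rating == "fail")


if __name__ == "__main__":
    for ssid, rating in audit(SAMPLE_SCAN).items():
        print(f"{ssid:12} {rating}")
```

On a real host, feed the captured command output to `audit()` instead of `SAMPLE_SCAN`; anything rated `fail` is the inexcusable case the checklist describes, and `weak` entries are the ones to schedule for migration.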
Is Internet Explorer 6.0 Used?
I've written about the plague of Internet Explorer 6.0 earlier this year. Unfortunately, recent reports show that as many as one in five workers still use IE6, in spite of multiple attempts by Microsoft to get users to migrate to something newer. Reasons for sticking with IE6 vary and can involve complex issues such as the inability of legacy CMS or ERP systems to work with other browsers. Regardless, the plethora of vulnerabilities in IE6 makes its mere presence a serious chink in your company's defenses.
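Finding out how many machines still run IE6 does not require visiting every desk: the intranet web server's access log already records each browser's User-Agent. The script below is an added example, not from the original article. It parses Apache/nginx combined-format log lines (the sample lines, IP addresses and paths are constructed), identifies IE6 by the `MSIE 6.0` token, and reports which client addresses are responsible and what share of traffic they represent. The `Trident/` exclusion is an assumption based on IE8 and later advertising a Trident token; IE7+ in compatibility view reports `MSIE 7.0`, so it is not mistaken for IE6.

```python
import re

# Apache/nginx "combined" log format: client, identd, user, [timestamp],
# "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (addresses, paths and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.12 - - [05/Oct/2009:09:12:01 +0800] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.12 - - [05/Oct/2009:09:12:07 +0800] "GET /intranet/erp/login HTTP/1.1" 200 2210 "http://intranet/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
10.0.0.17 - - [05/Oct/2009:09:13:44 +0800] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
10.0.0.31 - - [05/Oct/2009:09:15:02 +0800] "GET /intranet/cms/ HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.44 - - [05/Oct/2009:09:16:10 +0800] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.44 - - [05/Oct/2009:09:16:25 +0800] "GET /intranet/cms/ HTTP/1.1" 200 3100 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
"""


def is_ie6(user_agent):
    """True if the User-Agent claims to be Internet Explorer 6.

    IE7 and later in compatibility view report "MSIE 7.0", so "MSIE 6.0" is
    either genuine IE6 or a deliberate spoof. Assumption: any UA carrying a
    "Trident/" layout-engine token is IE8 or newer and is excluded.
    """
    return "MSIE 6.0" in user_agent and "Trident/" not in user_agent


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ie6_hosts(lines):
    """Map client IP -> number of requests made with IE6."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the report
        if is_ie6(rec["ua"]):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


def ie6_share(lines):
    """Fraction of parseable requests that came from IE6 (0.0 if the log is empty)."""
    parsed = ie6 = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        ie6 += is_ie6(rec["ua"])
    return ie6 / parsed if parsed else 0.0


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in sorted(ie6_hosts(lines).items()):
        print(f"{ip:15} {n} IE6 request(s)")
    print(f"IE6 share of traffic: {ie6_share(lines):.0%}")
```

Run against the real access log (`ie6_hosts(open(path))`), the per-address counts give the desktop team a concrete list of machines to migrate, and the share figure is the number to track from month to month.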
Are Provisions Made for Software Patching?
Microsoft has its monthly Patch Tuesdays, while Adobe has committed to a quarterly patch schedule for its software. Does your SMB pay attention to the various patch schedules and make provisions for software patching, especially when large or critical updates are being released? Also, is anyone watching out for security updates for the other applications used by the company?
What's the Training Schedule for Security Like?
I've long advocated the need to conduct periodic security training for non-IT employees. Untrained staffers are far more likely to ignore good security practices or fall prey to social-engineering attempts on the company. Unfortunately, most SMBs consider the time spent on training to be a waste of resources. As it is, I can safely say that businesses that have any sort of security training schedule are those that take security seriously.
The Deployment of Encryption on Laptops and Smartphones
Unless you are working at a defense-related company, I would take the presence of encryption deployed on laptops and smartphones to be an encouraging sign. It takes work to properly protect data in the company, so I would consider any SMB that uses encryption to be an organization that takes security seriously.
Presence of Backup and Disaster Recovery Procedures
Having proper, documented backup and disaster recovery procedures is like having the fire escape maps and routes properly documented and labeled. When there is a fire, it doesn't really matter how many meetings the fire committee held, but whether the plans are valid and work. In this context, the most stellar businesses are those that not only have workable, well-documented procedures, but also test them periodically.
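"Periodically tested" means actually restoring a backup and comparing what comes back with what went in. The script below is an added example, not from the original article: it records a SHA-256 manifest of a source tree when the backup archive is made, later restores the archive into a scratch directory and reports files that are missing, corrupt, or unexpectedly present. The demo data (a tiny `finance/ledger.csv` and `readme.txt`) is constructed; the tar-and-gzip format stands in for whatever backup tool the business actually uses.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_of(full)
    return out


def make_backup(src_dir, archive_path):
    """Write a gzip-compressed tar of src_dir and return the manifest to test against."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return manifest(src_dir)


def restore_test(archive_path, expected):
    """Restore into a scratch directory and compare with the recorded manifest.

    Returns (ok, problems) where problems has sorted 'missing', 'corrupt' and
    'extra' path lists. A backup that cannot be restored and verified is not a
    backup, however many copies of it exist.
    """
    scratch = tempfile.mkdtemp(prefix="restore-test-")
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # "data" filter refuses absolute paths and ".." traversal members.
                tar.extractall(scratch, filter="data")
            except TypeError:  # Python without the filter argument (pre-3.12 without backport)
                tar.extractall(scratch)
        restored = manifest(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)

    problems = {
        "missing": sorted(p for p in expected if p not in restored),
        "corrupt": sorted(p for p in expected if p in restored and restored[p] != expected[p]),
        "extra": sorted(p for p in restored if p not in expected),
    }
    return not any(problems.values()), problems


def run_demo():
    """Back up a constructed tree, verify it, then verify a backup that silently lost a file."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(work, "data")
        os.makedirs(os.path.join(src, "finance"))
        with open(os.path.join(src, "finance", "ledger.csv"), "w") as f:
            f.write("2009-10-01,invoice,1200.00\n")  # constructed sample record
        with open(os.path.join(src, "readme.txt"), "w") as f:
            f.write("constructed sample data\n")

        archive = os.path.join(work, "nightly.tgz")
        expected = make_backup(src, archive)
        good, _ = restore_test(archive, expected)

        # Simulate the failure a restore test exists to catch: the next run of
        # the backup job skipped a file, but the archive still looks healthy.
        os.remove(os.path.join(src, "finance", "ledger.csv"))
        make_backup(src, archive)
        bad, problems = restore_test(archive, expected)
        return good, bad, problems
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    good, bad, problems = run_demo()
    print("healthy backup verified:", good)
    print("degraded backup verified:", bad, problems)
```

The manifest should be stored separately from the archive (a backup that carries its own checksums only proves it agrees with itself), and the scratch restore should run on a host other than the one being backed up, which is also the only way to find out whether the documented procedure can be followed by someone who did not write it.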
The above list is meant only as a simple guide. If you feel that there are other important measures of the state of security that I left out, do speak out in the comments section below. Alternatively, you can drop me an e-mail. I look forward to hearing from you!