I wrote about the lack of security training in SMBs recently, as evidenced by the findings of a study co-sponsored by the National Cyber Security Alliance (NCSA) and Symantec.
In that earlier blog, I promised to give some advice to help SMBs and their employees attain a higher security consciousness. In truth, the scope of this topic is extremely wide. One has to start somewhere though, and below are some of my recommendations.
Have easy-to-understand rules
When it comes to computer security, one problem in SMBs is the general lack of clear rules on what is allowed and what is not. The reverse problem appears in small and medium-sized businesses that do make an effort to bolster their security standards: this heightened security awareness generally manifests itself as a huge list of actions or activities that are prohibited in the office. While I will be the first to admit that having some regulations is preferable to nothing at all, the presence of too many rules can actually be counterproductive.
Think about it -- when was the last time you actually read through the multi-page software licensing agreement for a new software purchase? Or even flipped through the 12 pages of printed terms and conditions when signing up for a new credit card?
When organizations go overboard with their rules and regulations, users respond in the same way -- nobody reads them! What I would advocate instead is a much shorter list of easy-to-understand rules written in plain English. Additional reinforcement can be provided by means of a short presentation as part of a monthly staff meeting, via e-mails, or by putting the rules up at prominent locations around the office.
Emphasize the importance of passwords
While great strides have been made in terms of alternative authentication methods, such as dual-factor verification and the use of biometrics, the humble password remains the mainstay today when it comes to protecting confidential or proprietary information.
I have written previously about some simple password tips for the SMB, as well as the importance of protecting your e-mail passwords from attacks. Without belabouring the point that passwords are important, staffers will need to be reminded of it from time to time.
Engage in discussions on what is permissible
It would be easy to slap on arbitrary rules about what is allowed or prohibited in the office. Some examples might be the use of iPhones or other smartphones, or even the prohibition of USB drives. While I am sure there are government departments, military installations or certain industries where absolutely no leeway can be given on these rules, such draconian standards will simply drive users to use these devices on the sly.
What probably works better would be to actively engage workers in defining these regulations. Is the installation of computer games permissible? What about engaging in Flash or Web-based games during office hours? Should restrictions be relaxed during lunch hour? What of Facebook and general Internet access?
By creating the regulations without prior consultation, the IT department is effectively placing the burden of policing on itself. If the rules are created by the "floor," however, then everyone is engaged to police the computer infrastructure. In my mind, this is the much better alternative.