Just started work at an SMB? Or perhaps you are heading out on your second interview for the position of IT manager, and will have the opportunity to ask some questions of your own. To help develop a good feel for the challenges ahead, or perhaps to better appreciate the state of security in your current organization, feel free to do a quick run-through of this security health checklist to see how you fare.
What follows is a seven-step checklist to assess your company's security health.
Is antivirus software deployed? Is a uniform application suite deployed, or is it a smorgasbord of 90-day evaluation copies together with copies purchased off-the-shelf at various times of the year? Are the definitions up to date? How the software is deployed offers further clues about how seriously security is taken: are these stand-alone, consumer-level installations, or is a central server used to track the health of individual machines and push the requisite updates to them?
There is no more telling sign of a poor culture of security than an unencrypted Wi-Fi network. Indeed, whether many of the other items in this list need to be fulfilled is debatable, depending on the needs and inherent limitations of the SMB in question. However, not enabling encryption on Wi-Fi is completely inexcusable, and speaks of blatant ignorance or negligence. And no, configuring WEP or WEP2 is not considered a good security practice, either.
Paul Mah has written about the plague of Internet Explorer 6.0. Unfortunately, recent reports show that as many as one in five workers still use IE6, in spite of multiple attempts by Microsoft to get users to migrate to something newer. Reasons for sticking with IE6 vary and can involve complex issues such as legacy CMS or ERP systems that do not work in other browsers. Regardless, the plethora of vulnerabilities in IE6 makes its mere presence a serious chink in your company's defenses.
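One practical way to find out whether that "one in five" figure applies to your own SMB is to look at the browser User-Agent strings recorded by your web proxy. The script below is an added example, not code from the original article; it assumes a hypothetical proxy log format (client IP, timestamp, method, URL, status, quoted User-Agent) and uses constructed sample lines. It counts distinct client machines that present a genuine IE6 User-Agent, taking care not to miscount browsers such as old Opera builds that embedded an "MSIE 6.0" token while masquerading as IE.

```python
import re

# Constructed sample proxy log lines in a hypothetical format:
# client_ip [timestamp] METHOD url status "User-Agent"
SAMPLE_LOG = """\
10.0.0.11 [12/Mar/2010:09:01:12] GET http://intranet.example/erp/ 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.12 [12/Mar/2010:09:01:15] GET http://www.example.com/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.13 [12/Mar/2010:09:02:01] GET http://www.example.com/ 200 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
10.0.0.14 [12/Mar/2010:09:02:44] GET http://intranet.example/cms/ 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
10.0.0.15 [12/Mar/2010:09:03:10] GET http://www.example.com/ 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 9.64"
10.0.0.11 [12/Mar/2010:09:03:30] GET http://www.example.com/news 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
IE6_RE = re.compile(r"\bMSIE 6\.0\b")


def is_ie6(user_agent):
    """True only for a genuine IE6 User-Agent.

    Old Opera releases advertised an 'MSIE 6.0' token for compatibility,
    so a string that also names Opera is not counted as IE6.
    """
    if "Opera" in user_agent:
        return False
    return IE6_RE.search(user_agent) is not None


def ie6_report(log_text):
    """Return (ie6_hosts, total_hosts, ratio) over distinct client IPs in the log."""
    browsers = {}  # client IP -> set of User-Agent strings seen from it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole report
        browsers.setdefault(m.group("ip"), set()).add(m.group("ua"))
    ie6_hosts = sorted(ip for ip, uas in browsers.items() if any(is_ie6(ua) for ua in uas))
    total = len(browsers)
    return ie6_hosts, total, (len(ie6_hosts) / total if total else 0.0)


if __name__ == "__main__":
    hosts, total, ratio = ie6_report(SAMPLE_LOG)
    print(f"IE6 clients: {len(hosts)}/{total} ({ratio:.0%}): {', '.join(hosts)}")
```

Each IE6 host the report lists is a machine to schedule for a browser upgrade, or, where a legacy application forces IE6 to stay, one to isolate from general web browsing.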
Microsoft has its monthly Patch Tuesdays, while Adobe has committed to a quarterly patch schedule for its software. Does your SMB pay attention to the various patch schedules and make provisions for software patching, especially when large or critical updates are being released? Also, is anyone watching out for security updates for the other applications used by the company?
Paul Mah has long advocated the need to conduct periodic security training for non-IT employees. Untrained staffers are far more likely to ignore good security practices or fall prey to social-engineering attempts on the company. Unfortunately, most SMBs consider the time spent on training to be a waste of resources. As things stand, the businesses that have any sort of security training schedule are the ones that take security seriously.
Unless you are working at a defense-related company, take the presence of encryption deployed on laptops and smartphones to be an encouraging sign. It takes work to properly protect data in the company, so consider any SMB that uses encryption to be an organization that takes security seriously.
Having proper, documented backup and disaster recovery procedures is like having the fire escape maps and routes properly documented and labeled. When there is a fire, it doesn't really matter how many meetings the fire committee held, but whether the plans are valid and work. In this context, the most stellar businesses are those that not only have workable, well-documented procedures, but also test them periodically.