When I worked at a small business the IT guy also took care of the phone system, assembled bookcases if needed, and occasionally worked the front desk when the receptionist was on break. In a small business everyone wears many hats and you often don’t really have the skills necessary to do everything asked of you all that well. Or if you do, you probably don’t have the time.
But certainly small and medium businesses understand the importance of computer security and make sure they take all the steps necessary to protect their business from the potentially devastating losses of cybercrime! Well, that’s half right. According to a survey done last year by Symantec, SMBs know security is important but they are not taking proper steps to protect themselves. In fact, a stunning 33 percent of SMBs don’t even run basic antivirus software.
The SMBs surveyed said they don’t have the staffing, budget, or bandwidth to properly protect themselves. And with the economy what it is, most of them believe this problem will only get worse. They say they’ll be spending even less on computer security this year. In reality they could be saving themselves right out of business. The risk of cyber attack for SMBs has never been greater. The prevalence of the Zeus toolkit, for example, allows any criminal of even limited skill to steal money from an SMB. More details on Zeus can be found here. However, Zeus is only the most proximate of the threats small businesses face—there are plenty more threats out there.
In fact, the threat facing SMBs is so bad, there are a number of solutions being suggested in the security community as a way to have extra protection on the machine you use for online banking. Last year the FS-ISAC, NACHA, and FBI even suggested having a dedicated machine just for online banking. You can read that recommendation here. All of these extra security measures make sense to me. In a small office, even petty cash is put in a locked box. Why wouldn’t you take extra precautions on a computer that has access to all your business’ money?
But before you can have extra protection you have to have protection to begin with. There is just too much risk out there to go unprotected. SMBs need to take this lesson to heart before cybercriminals clear out their bank accounts and put them straight out of business.
The fact of the matter is, however, that all of the protection in the world is not worth much if it’s not used properly. We’ve all heard the standard security best practices a thousand times, but here are a few specifically for SMBs:
• If your company does not have the skills to make itself secure, get help!
• Install an integrated security suite solution on all servers, desktops, and laptops; this will prevent virus infection, block intruders, protect privacy, and stop malicious programs.
• Close vulnerabilities in operating systems and applications by regularly applying updates and patches. This includes Web browser plug-ins. Patch management solutions are available to help ease the process of keeping all systems and applications up to date. This will help prevent security holes that act as doors for malware to gain access to a system. The ability of the Conficker worm to spread so widely early last year was due in large part to so many systems not having a simple patch applied—a patch that was made available months before the outbreak ever occurred.
• Always keep antivirus software up to date by downloading virus definitions as soon as they are available. Without the most recent updates, antivirus software will not protect against the latest threats.
• Email is still a popular method of spreading malware, so companies should install an integrated antivirus, anti-spam, and content filtering solution on email servers such as Microsoft Exchange.
• Require employees’ passwords to be a mix of letters and numbers—not names or dictionary words—and to be changed often.
• Require that employees have their own individual user accounts and have access only to the information and applications they need to do their jobs. This will ensure that if an attacker is able to infect a user’s machine, they likely won’t be able to gain access to the entire infrastructure.
• Employees are on the front lines and educating them not to use file-sharing programs or download free programs from the Internet will help ensure they don’t inadvertently invite malware onto their machine. They should also be educated to not click on links in emails.
• Back up systems as well as applications and files at least daily, and test the backup and recovery process periodically to be sure it works. Be sure files and systems can survive a disaster by keeping backups off-site.