Essential security strategies for SMEs

In light of the recent cyber attacks on international businesses such as Google and Sony, and news that a teenage hacker broke into NASA, it’s only natural that smaller businesses are worrying about the state of their online security.

Small business owners are under a great deal of pressure: they need to know their core business and also have a basic knowledge of many other things, including accounting and IT security. However, there is no need to worry, as a few basic rules are enough to gain IT protection.

A recent report by ENISA (European Network and Information Security Agency) on breaches of data security regulations in European companies puts it in a nutshell: When it comes to IT security, small companies are in a particularly difficult situation. While they all have a great deal of data which requires protection, most of them have neither the staff nor the knowledge to protect it effectively.

For example, a law firm cannot afford to hire three security experts nor should a PR agency need to invest large amounts of money in IT security consulting. IT security should be very easy and manageable in terms of financial investment. However, small business owners should know which areas of IT require protection.

Back to basics

No law firm, doctor’s practice or agency can function without computers, and only in rare cases are their networks purely internal. Instead, communication with customers, patients and vendors – or even just research – often requires an Internet connection, meaning that fewer and fewer companies can manage entirely without one.

It is therefore important that all computer systems are equipped with basic protection, i.e. an up-to-date virus scanner and a personal firewall. Rather than implementing multiple solutions which have the potential to be confusing and time-intensive to manage, all-encompassing protection packages can provide modules which work seamlessly together.

Keep it confidential

Many small companies handle extremely sensitive customer data, from patient information stored by a doctor’s surgery to client documents held by a law firm. All this information, which is not intended for third-party viewing, should be encrypted.

Encryption translates data to a secret code and is the most effective way to achieve data security. To read an encrypted file, a key or password is needed to unlock the translated information.

Use correct passwords

Customer databases, access to email and computers themselves should be protected using passwords. However, these tools are only secure if the passwords used are at least eight characters long and composed of both upper-case and lower-case letters, as well as special characters and numbers.

They should also be used only for a single purpose. Memorising a secure password like “3zP_0S$v” and then using it for everything is not good practice. This is when a ‘password manager’ tool can be helpful to a small business as it memorises secure passwords.
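The two password rules above (composition and single-purpose use) can be checked together across a list of accounts. The following is an added example, not part of the original article; the service names and sample passwords are constructed, apart from the article's own example password.

```python
import hashlib
import string
from collections import defaultdict

# Rules taken from the article: length >= 8, mixed case, numbers, special characters.
RULES = [
    ("shorter than 8 characters", lambda p: len(p) >= 8),
    ("no upper-case letter", lambda p: any(c.isupper() for c in p)),
    ("no lower-case letter", lambda p: any(c.islower() for c in p)),
    ("no number", lambda p: any(c.isdigit() for c in p)),
    ("no special character", lambda p: any(c in string.punctuation for c in p)),
]


def rule_failures(password):
    """Return the label of every rule the password fails."""
    return [label for label, passes in RULES if not passes(password)]


def _key(password):
    # Digest is only an in-memory grouping key so plaintext never becomes a dict key.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit(inventory):
    """Map each service to its rule failures plus any services sharing its password."""
    groups = defaultdict(list)
    for service, password in inventory.items():
        groups[_key(password)].append(service)
    report = {}
    for service, password in inventory.items():
        issues = rule_failures(password)
        shared = sorted(s for s in groups[_key(password)] if s != service)
        if shared:
            issues.append("reused on " + ", ".join(shared))
        report[service] = issues
    return report


# Constructed inventory; service names are hypothetical.
SAMPLE = {
    "email": "3zP_0S$v",        # the article's example password
    "customer_db": "3zP_0S$v",  # same password used a second time
    "laptop": "summer2011",
    "accounting": "Qw7!xT",
}

if __name__ == "__main__":
    for service, issues in audit(SAMPLE).items():
        print(service, "->", issues or "ok")
```

A password that satisfies every composition rule is still flagged when it appears on more than one service, which is the case the article warns about.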

Establish rules

Small business owners know which areas of their company need protecting, but what about their employees? In most cases, staff won’t be IT experts either. Two strategies are recommended here. Firstly, clear rules should be established for using IT systems; these should specify prohibited activities such as sharing passwords or using USB flash drives. Secondly, rules should be backed up with appropriate security settings.

Before investing in security technology, small businesses should assess the historical and current malware detection capabilities of various anti-malware products on the market. Security software for small businesses has in the past been expensive and confusing; however, it is a vital aspect of business that cannot be overlooked in today’s troublesome cyber environment.

David Emm has been with Kaspersky Lab since 2004. His role as Senior Regional Researcher included presenting information on malware and other IT threats at exhibitions and events, and providing comment to both broadcast and print media. He also provides information on Kaspersky Lab products and technologies. He was promoted to his current position in 2008. David has a particular interest in the malware ecosystem, ID theft, and Kaspersky Lab technologies, and conceived and developed the company’s Malware Defence Workshop. David has worked in the antivirus industry since 1990 in a variety of roles, including that of Senior Technology Consultant with Dr. Solomon’s and Systems Engineer and Product Manager at Network Associates.

  • Hongwen Zhang

    These are all very good tips David! Small business owners are incredibly vulnerable to data breaches. Without the proper security knowledge, businesses must find a cost worthy option before it’s too late. One of the ways they can protect themselves is by ensuring network layer Data Leakage Prevention (DLP) to prevent the outflow of user/corporate data. Our company, Wedge Networks, continues to lead the efforts through Deep Content Inspection to accomplish this task for ISPs and large enterprises alike.