While the time crunch of attending to the demands of the daily business has typically created an accumulation of security problems for many businesses, information technology professionals at SMBs can improve their company's security posture by focusing on small fixes to those problems that require time but not a lot of money, says Dylan O’Connor, chief technology officer for Thrive Networks, a Staples company that offers managed information technology for small and medium businesses.
"There are some things that are not just low cost--they are no cost--that customers can do to improve their security," he says. "These steps may be obvious to IT managers, but a lot of our customers do not have IT administrators."
From taking stock of outdated systems and weak passwords to performing due diligence on third-party providers, companies can improve their security without impacting the bottom line. SMB security experts offer five ways to do better without costing more.
1. Take stock of your security
Companies should start by taking stock of their computer systems, the relative importance of those systems to the business, and their security. The exercise costs a company nothing but employees' time, and by pinpointing outdated systems and poorly secured systems, could end up saving companies that cost of a breach, says Charles Henderson, director of the research labs at managed-security service provider Trustwave.
"Where possible, look at ways where you can minimize attack surface," he says. "I have seen a lot of SMBs that have unnecessarily overcomplicated things."
When a company inventories their systems, they should also make sure that their systems are configured to limit end users' privileges, not allowed to log in as Windows administrators. In addition, companies should check to see that passwords--especially those for the Windows-domain and other critical servers--are not left as the default password and are not easily guessable, says Thrive's O'Connor.
[Ensuring that employees are abiding by good password policies is difficult, but there are simple ways to protect a business from workers who might choose 'password123'. See Four Ways To Strengthen SMB Password Security.]
2. Train your end users
To compromise a system, most attackers require an end user to take an action, so teaching employees about secure behavior can deliver dividends, says Brett Hansen, executive director of end-user product strategy at Dell Software.
"The end users themselves have become the greatest security threats," he says. "While other elements of your security solution can be locked down in someways, the users require constant vigilance."
Companies should schedule a monthly lunch meeting with employees to talk about security, says Thrive's O'Connor. Make it fun: Tackle a single topic each time, bring in a case study or some phishing e-mails, and teach employees the importance of securing their systems and devices, he says.
"And, when you talk to your staff about Internet security, talk not only in the context in the office, but also at home," O'Connor says.
3. Re-image your systems regularly
Companies should also consider creating a process for the quick re-imaging of employees' computers. While creating a standard image and deploying it on new systems is a function of IT, it can also be of great benefit for businesses security if done regularly, says Michael Gough, a senior security analyst with a mid-sized gaming company, who asked that its name not be used.
Any machines that generate more than one warning in a week from the firm's antivirus software or the company's firewall or intrusion detection system should be re-imaged. If forensics is important to the firm, IT staff should pull the hard drive and put the image on a new drive.
"If a person gets an AV alert, and you see another alert in a week, you re-image the box," Gough says. "If you see three in a month, re-image the PC."
Moreover, a company can gain significant security benefits from regularly re-imaging its employees' systems. Only 36 percent of firms who had a security incident detected the intrusion within 90 days, according to Trustwave's 2013 Global Security Report. By re-imaging every quarter a company could potentially eliminate threats that had infected its employees' systems before the average firm would have even detected the threat.
"If you don't keep your data on the machine, the downtime is really, really low, but the gain is really, really high," Gough says.
4. Vet your third parties
From cloud providers to consultants to outsourced transaction systems, third parties can add vulnerability to your business. Third-party firms were responsible for the compromised server in almost two-thirds of data-breach incidents investigated by Trustwave, according to the firm's report.
"It is really difficult to get a grasp on the security of your third-party providers," Trustwave's Henderson says. "And we are called in to respond to a lot of incidents caused because of the security practices of those third party providers."
SMBs should make sure to question their third-party provider's security measures at the time when they have the most leverage--before they sign on. Some questions to start with, according to Thrive's O'Connor, are: What type of firewall or security is protecting the provider's infrastructure; how many security professionals do they have on staff and what are their certifications; how often do you patch and what is their process; and, what heightened security measures--such as two-factor authentication--do they provide to their clients.
"You are not spending the money vetting those third parties, but you are making sure that they have spent the money," Henderson says.
5. Use cloud and managed service providers
Companies comfortable with their third-party service providers' security could improve their own security by moving to the cloud. While large enterprises may be able to create internal services that are more secure than those provided in the cloud, small and medium businesses will be hard pressed to surpass security in the cloud. For that reason, moving services--such as e-mail, backups, and file sharing--into the cloud could save money and be more secure on average, says Thrive's O'Connor.
"The question is no longer what should I move to the cloud, but is increasingly becoming, what isn't a good candidate for the cloud?" he says.
Managed service providers can also take over security tasks with which the company's employees may not be qualified to handle. Companies under 250 employees that may not have a full-time information-security manager should consider using a managed security service provider to administer complex security devices, such as intrusion-detection systems and log analysis systems.
"You really need to really be good at this area to do the job right," says security specialist Gough. "If you don't have staff already looking at your firewall rules and router rules, you will not gain anything out of managing an IDS."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.