
5 Ways For SMBs To Boost Security But Not Costs

Straight-shooting advice--and some out-of-the-box thinking--on how smaller companies can save money on security while doing it better

For many businesses, improving security seems like the proverbial money pit, but it doesn't have to be that way.

The daily time crunch of running the business typically leaves many companies with a backlog of security problems. Even so, information technology professionals at SMBs can improve their company's security posture by focusing on small fixes to those problems that require time but not a lot of money, says Dylan O'Connor, chief technology officer for Thrive Networks, a Staples company that offers managed information technology for small and medium businesses.

"There are some things that are not just low cost--they are no cost--that customers can do to improve their security," he says. "These steps may be obvious to IT managers, but a lot of our customers do not have IT administrators."

From taking stock of outdated systems and weak passwords to performing due diligence on third-party providers, companies can improve their security without impacting the bottom line. SMB security experts offer five ways to do better without costing more.

1. Take stock of your security
Companies should start by taking stock of their computer systems, the relative importance of those systems to the business, and their security. The exercise costs a company nothing but employees' time, and by pinpointing outdated and poorly secured systems, it could end up saving the company the cost of a breach, says Charles Henderson, director of the research labs at managed-security service provider Trustwave.

"Where possible, look at ways where you can minimize attack surface," he says. "I have seen a lot of SMBs that have unnecessarily overcomplicated things."

When a company inventories its systems, it should also make sure those systems are configured to limit end users' privileges, so that employees are not logging in as Windows administrators. In addition, companies should check that passwords--especially those for the Windows domain and other critical servers--have not been left at the default and are not easily guessable, says Thrive's O'Connor.

[Ensuring that employees are abiding by good password policies is difficult, but there are simple ways to protect a business from workers who might choose 'password123'. See Four Ways To Strengthen SMB Password Security.]

2. Train your end users
To compromise a system, most attackers require an end user to take an action, so teaching employees about secure behavior can deliver dividends, says Brett Hansen, executive director of end-user product strategy at Dell Software.

"The end users themselves have become the greatest security threats," he says. "While other elements of your security solution can be locked down in some ways, the users require constant vigilance."

Companies should schedule a monthly lunch meeting with employees to talk about security, says Thrive's O'Connor. Make it fun: Tackle a single topic each time, bring in a case study or some phishing e-mails, and teach employees the importance of securing their systems and devices, he says.

"And, when you talk to your staff about Internet security, talk not only in the context of the office, but also at home," O'Connor says.

3. Re-image your systems regularly
Companies should also consider creating a process for the quick re-imaging of employees' computers. While creating a standard image and deploying it on new systems is a routine IT function, re-imaging can also be of great benefit to a business's security if done regularly, says Michael Gough, a senior security analyst with a mid-sized gaming company, who asked that its name not be used.

Any machines that generate more than one warning in a week from the firm's antivirus software or the company's firewall or intrusion detection system should be re-imaged. If forensics is important to the firm, IT staff should pull the hard drive and put the image on a new drive.

"If a person gets an AV alert, and you see another alert in a week, you re-image the box," Gough says. "If you see three in a month, re-image the PC."

Moreover, a company can gain significant security benefits from regularly re-imaging its employees' systems. Only 36 percent of firms that had a security incident detected the intrusion within 90 days, according to Trustwave's 2013 Global Security Report. By re-imaging every quarter, a company could potentially eliminate threats that had infected its employees' systems before the average firm would have even detected the threat.

"If you don't keep your data on the machine, the downtime is really, really low, but the gain is really, really high," Gough says.
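The two rules in this section (re-image after two alerts in a week or three in a month, plus a quarterly re-image cadence) are easy to turn into a triage script. The following is an added example, not code from the article or from any of the companies quoted; the alert log format, host names and image dates are constructed sample data.

```python
"""Re-image triage: flag hosts that meet the article's alert thresholds
or have gone more than a quarter without a fresh image. Sample data is constructed."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed alert log: "timestamp host source message" (AV, firewall or IDS)
SAMPLE_ALERTS = """\
2013-03-01T09:12:00 ws-017 av  Trojan.Generic quarantined
2013-03-04T14:30:00 ws-017 ids outbound connection to known-bad host blocked
2013-03-02T11:00:00 ws-042 fw  inbound scan blocked
2013-03-20T08:15:00 ws-042 av  PUP removed
2013-03-28T17:45:00 ws-042 av  Trojan.Generic quarantined
2013-03-05T10:00:00 ws-101 av  heuristic: suspicious script
"""
# Constructed: date each host was last (re-)imaged, and the report date
LAST_IMAGED = {"ws-017": date(2013, 1, 15), "ws-042": date(2013, 2, 20),
               "ws-101": date(2012, 11, 1), "ws-200": date(2013, 3, 1)}
REPORT_DATE = date(2013, 3, 31)

def parse_alerts(text):
    """Group alert timestamps by host from the whitespace-separated format above."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, host, _source, _msg = line.split(maxsplit=3)
            by_host[host].append(datetime.fromisoformat(ts))
    return by_host

def hits_in_window(times, window, needed):
    """True when any sliding window of length `window` holds >= `needed` alerts."""
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= needed:
            return True
    return False

def reimage_queue(alert_text, last_imaged, today):
    """Return {host: reason} for every host that should be re-imaged."""
    reasons = {}
    for host, times in parse_alerts(alert_text).items():
        if hits_in_window(times, timedelta(days=7), 2):
            reasons[host] = "2+ alerts within 7 days"
        elif hits_in_window(times, timedelta(days=30), 3):
            reasons[host] = "3+ alerts within 30 days"
    for host, imaged in last_imaged.items():  # quarterly cadence for the rest
        if host not in reasons and today - imaged > timedelta(days=90):
            reasons[host] = "no re-image in 90 days"
    return reasons

def demo():
    return reimage_queue(SAMPLE_ALERTS, LAST_IMAGED, REPORT_DATE)
```

A host flagged by the alert rules is the one whose disk you would pull for forensics before swapping in a fresh image, as the section notes.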

4. Vet your third parties
From cloud providers to consultants to outsourced transaction systems, third parties can introduce vulnerabilities into your business. Third-party firms were responsible for the compromised server in almost two-thirds of the data-breach incidents investigated by Trustwave, according to the firm's report.

"It is really difficult to get a grasp on the security of your third-party providers," Trustwave's Henderson says. "And we are called in to respond to a lot of incidents caused because of the security practices of those third party providers."

SMBs should make sure to question a third-party provider's security measures at the time when they have the most leverage--before they sign on. Some questions to start with, according to Thrive's O'Connor, are: What type of firewall or other security protects the provider's infrastructure? How many security professionals does the provider have on staff, and what are their certifications? How often does the provider patch, and what is its process? And what heightened security measures--such as two-factor authentication--does it offer to clients?

"You are not spending the money vetting those third parties, but you are making sure that they have spent the money," Henderson says.

5. Use cloud and managed service providers
Companies comfortable with their third-party service providers' security could improve their own security by moving to the cloud. While large enterprises may be able to create internal services that are more secure than those provided in the cloud, small and medium businesses will be hard pressed to surpass security in the cloud. For that reason, moving services--such as e-mail, backups, and file sharing--into the cloud could save money and be more secure on average, says Thrive's O'Connor.

"The question is no longer what should I move to the cloud, but is increasingly becoming, what isn't a good candidate for the cloud?" he says.

Managed service providers can also take over security tasks that the company's employees may not be qualified to handle. Companies with fewer than 250 employees, which may not have a full-time information-security manager, should consider using a managed security service provider to administer complex security devices, such as intrusion-detection systems and log analysis systems.

"You really need to really be good at this area to do the job right," says security specialist Gough. "If you don't have staff already looking at your firewall rules and router rules, you will not gain anything out of managing an IDS."
