10 ways small businesses can save on security


InformationWeek, by Debra Donston-Miller

When it comes to SMBs, not everything is relative — especially when it comes to security. SMBs run the same kinds of risks and face the same kinds of bad guys that bigger companies do. Unfortunately, SMBs don’t have the same kinds of resources, so they need to get creative when it comes to stretching their security budget dollars. In this article, we provide some recommendations for getting the most bang for your security buck.

When it comes to technology and company size, many things are relative. The smaller the company, the smaller the need for, say, servers and software licenses. In at least one area, however, all things are not relative: security. Small and midsize businesses face the same kinds of threats and security breaches that their bigger brethren do, but they typically lack the budget and in-house expertise to deal with those problems. And it’s not like SMBs can just throw up their hands and forgo security. Rather, they have to figure out how to do security smart — that is, they have to determine the best and most effective ways to apply the resources they do have.

Stretching security dollars is a tricky proposition because the stakes are so high: Do it right, and no one will likely even know. Do it wrong, and you put your company’s crown jewels — and reputation — on the line. But there are ways that SMBs can approach technology, business practices and training, among other things, to get the most bang for their security buck. It’s not about cutting corners. Rather, it’s about doing security smart.

“You don’t ever want to counsel companies to try and do security as cheaply as possible, because cutting the wrong corners will cost you a lot more than what you saved,” says Chris Doggett, Senior VP of Corporate Sales, Kaspersky Lab. “Especially in small businesses — and some business verticals as well, such as public sector — companies are faced with not having enough budget to do everything they would like to do, and with not having enough people and resources to do everything they would like.”

SMBs are challenged not only by their limited security budgets, but also in their ability to spend that budget. That is, when it comes to products and services, there’s an enormous amount of choice out there. SMBs often don’t have the staff or specific know-how necessary to effectively and efficiently prioritize problems, determine the kinds of products that will solve those problems and then evaluate those products in order to choose the right one for the organization.

“[SMBs are] looking at all of the different products and services they could consume, and it’s daunting,” Doggett says. “They’re looking at a massive array of different options. It’s really easy to see someone who is responsible for IT for their company, for example — someone who’s more of a generalist than a security specialist — get overwhelmed with that array of choices and often make the wrong decision about where to dedicate their budget and resources.”

In this story, we look at the scope of the security issues that SMBs face and 10 ways in which small and midsize companies can tackle these issues using low-cost — and sometimes no-cost — products and practices.


While the items in this top 10 list are not ordered by importance, setting priorities may be the most important thing an SMB can do to save money on security. It’s certainly the first thing a small or midsize business should do. Experts agree that no company — no matter its size — can hope to be completely secure. All companies, therefore, need to decide what areas and assets are most in need of protection, and to focus resources there. Ask questions such as: What corporate asset would cause the most pain if it were to be stolen or breached? What kind of attack would be the most embarrassing? Which customers are at risk? What risk do company employees pose? Which regulatory compliance mandates is my organization required to meet? All companies will have a long list of things they would like to lock down; the difference between big companies and SMBs, in this regard, is that a larger company may be able to protect more things farther down on its priority list.

It’s important to note that IT managers should not attempt to set these priorities on their own — one man’s crown jewels is another man’s costume jewelry, after all. Get input from people who can speak with authority (and perspective) from different corners of the company.


Just as you can’t expect to protect everything, you can’t hope to protect against everything. “If handling payment cards is your business, then there’s a narrowly defined set of controls on which you can focus,” the 2013 Verizon Data Breach Investigations Report states. “If your IP is a hot commodity, you’ve got your work cut out for you, but knowing the attack patterns (and sharing them) can make that work more fruitful. Take steps to better understand your threat landscape and deal with it accordingly.”

Indeed, there are lots of threats and vulnerabilities out there, but not all of them are necessarily threatening to your particular company in your particular industry. “Look at where the most common exploits and vulnerabilities are for your type of business,” says Doggett. “Concentrate on protecting against those — not those theoretical risks that might happen ‘if.’” This type of risk assessment can help companies in their overall security prioritization efforts. And, as with determining what’s most valuable to the company, the process of determining what’s most threatening to the company shouldn’t be performed in an IT vacuum.


If your company does not have a security and/or acceptable-use policy in place, get one into place — stat. Policy can help your organization save money by providing explicit directions on what employees can and cannot do in the workplace with systems and data. Employees who are doing the right thing are a security measure in and of themselves.

After you have developed policy, your work is still not done, however. Any kind of security or acceptable-use policy should be considered a living document. This is not to say that changes should be made often — and certainly not without notice to the people who have to adhere to the policy — but as technology and culture change, so, too, should your company policy. (Think about how social media, for example, has changed our ideas of what’s acceptable and what’s not, especially in the areas of marketing and customer support.)

Then comes enforcement and reinforcement. By enforcement we of course mean making sure that employees are made accountable for adhering to policy. By reinforcement we mean making sure that security policy awareness isn’t just a once-and-done thing. After employees initially sign off on policy — whether it’s right after they are hired or when changes to the policy are made — organizations need to make sure that they periodically remind end users of policy and of the consequences of ignoring policy. This can be done through online training or even as part of an employee’s performance evaluation process.


End user education should be closely connected to the development and enforcement of security policy. In fact, users who know why a particular policy is in place will be much more inclined to adhere to it. Users should be trained on, for example, how to recognize a phishing scheme, how to create and maintain strong passwords across personal and corporate systems, and the ways in
