Securing the SMB can be a daunting task. You need a healthy budget to cover the costs of a good security system, you need to hire a security pro (and what does a security pro do, anyway?) and, well, you don’t know how you are going to make any of this happen.
On my travels and in conversations, I’ve heard plenty of reasons why SMBs hesitate about addressing cybersecurity. Yes, part of the reason is they still aren’t convinced they need it, but for many, it really does come down to dollars and cents. They don’t have the funding or the expertise readily available to put together a solid security system. That’s why I was interested in attending a session at SpiceWorld 2019 called “Securing the SMB,” during which James Pierce, IT coordinator with Paterson Pacific Parchment Company, explained how SMBs can protect their network and data, keeping costs down and the company running smoothly.
It Always Comes Down to the Human Factor
There are some security basics that every SMB should deploy—firewalls, AV software, data backups—but that’s not enough, Pierce said. The basics don’t cover today’s more sophisticated attacks and they certainly don’t cover your biggest risk: the people who access the network. Employees are the weakest link in any security program. That’s not news, but it is the area that companies struggle with. The tendency is to blame security training for being ineffective, but the real problem, Pierce said, is that your employees don’t care about cybersecurity. It’s abstract. It doesn’t affect them if the company suffers a data breach.
The trick is to make them care, to give them ownership of the company’s cybersecurity well-being, he said. You don’t need formal training programs to do this. Instead, it is often better to take a manual approach. Talk to them. Show them what a phishing email looks like and how to tell a malicious link from a real one. Step them through what could happen if they clicked on the link or opened an attachment from an unknown sender. Let them ask questions and make sure they know they can always check if they aren’t sure. The idea is to get them to understand the risks involved with a cyberattack and to take ownership of their role in keeping the SMB safe and secure.
Pay More Attention to Your Backup Solution
Pierce told the story of visiting a client whose server died. He asked if they had a backup of the data, and the client said yes. Where was it? On the server. The client lost everything. The moral of the story, he said, is your backup solution is a big part of your security system, so you need to handle those backups with care. They shouldn’t be stored on the same server as your active files. Pierce recommended storing a backup offline where ransomware can’t get to it.
Remove Unnecessary Admins
Sometimes there are too many people with their fingers on the controls. Too much access opens the door for a mistake or security incident. An easy way to improve SMB security is to take a hard look at who has admin access and determine whether that access is necessary. Eliminate blanket admin access and limit administration responsibilities strictly to what is necessary for each person’s job duties.
Upgrade Your Current Systems
Face it, you will have to spend some money on your security system. But one way to do this efficiently is to upgrade the services you have now. Use next-generation firewalls that are more efficient in what they block or that give you more control. Same with web-content filtering—you should be able to block malicious websites and .exe files without worrying that you are missing the content and files you need.
Learn to Audit Yourself
Reading file logs isn’t fun. As someone once told me, it might be the most boring job there is, but it is also one of the most important. You can turn to someone inside the company and train them to check firewall logs and note router switches. Everyone in the company should be encouraged to get better at documenting and reporting anything suspicious. If you need extra help auditing yourself, there are free tools such as Nmap that will scan your network for problems.
Cybersecurity is important for SMBs, and it is encouraging to see more reports that state they are taking it more seriously. But you don’t have to break the budget to get started on building your security system. What Pierce presented is just a start for companies to begin rethinking their security programs. As he said when he started his talk, “This is very simple stuff.”