7 Tips for Small Business Security
Richard Bejtlich, FireEye
June 18, 2014
Digital defense is often a challenge for small- and medium-sized businesses. SMBs frequently lack the computer security staff and resources found in larger
corporations. It’s just not economical. This article shares seven tips for SMBs, with an emphasis on low- or no-cost solutions.
1. Identify and minimize information assets. Do you really need that data? This question prompts the user to consider whether the data they collect, store
or transmit is truly necessary for business operations. Sometimes, outside regulators seek to control data, as is the case with the Payment Card Industry Data
Security Standard (PCI DSS). Even when not regulated, everyone, from corporate employees to home users, should think about the sorts of data they manipulate. The
best way to keep sensitive data out of the hands of criminals might be to never let it exist in digital form.
2. Keep sensitive data off the network as much as possible. Everyone has sensitive data, but not all that data needs to be connected to a network. For
example, a company processing tax returns could keep that information on systems not connected to the Internet. Alternatively, sensitive data might reside on
external hard drives that are attached to a PC or laptop when needed, and detached when not needed. If a criminal can’t reach sensitive data because it is off the
network, he can’t read, steal, or delete it.
3. Provision a separate PC for sensitive business functions, like banking. SMBs should identify one or more computers to be used only for sensitive
functions, like electronic commerce. The PC used to transfer money from one account to another should only serve that function. Users should not check their email,
browse random Web sites, connect USB thumb drives, or take any other actions on the “e-banking PC.” Criminals want to steal the usernames and passwords associated
with bank accounts, but their job is a lot harder if users never check email or Web sites on the computer they use for banking. If possible, only connect this
PC to the network when doing electronic commerce.
4. Enable two-factor authentication (2FA) wherever possible. 2FA refers to practices that require users to log into accounts using something more than a
username and password. Some readers may be familiar with tokens that flash a new six-digit code every minute or so. Free solutions, like Google Authenticator, are
another option. Some sites give users the option of adding a code sent via Short Message Service (SMS) text to their mobile phone. No solution is
hack-proof, but whatever option a service provides above and beyond simple usernames and passwords, users should test and adopt.
5. Leverage trustworthy cloud solutions. Most computer users aren’t interested in being information technology experts. Many SMBs can’t afford in-house IT
departments, or don’t consider IT as a core business function. In these cases, companies should evaluate cloud providers. Theoretically, a cloud provider can hire
the necessary expertise to keep data secure, and scale that expertise across the customer base. The trick is identifying trustworthy cloud providers. Ask or
research the following questions: 1) what government agencies subscribe to the cloud solution, and 2) what documentation can the cloud provider provide concerning
its security practices? Cloud providers who fail these two tests may not yet be ready for conscientious SMB customers.
6. Infragard is a non-profit organization run by the US Federal Bureau of Investigation. The FBI created Infragard in 1996 to assist the private sector with
cyber defense. Infragard maintains chapters in virtually every major city across the country. These chapters hold regular meetings with content designed to
educate attendees on cyber threats and mitigations. Such events allow attendees to learn from each other, and also meet their local FBI agents. Organizations
should become acquainted with their respective law enforcement agents prior to any serious security incident. The worst time to first meet an FBI agent is when
you need that agent’s help with a computer intrusion.
7. Treat cyber security as a business problem, not a technical problem. Business leaders
have traditionally considered cyber security to be a problem for the IT staff. Executives thought that if they just bought the right software, they could “solve”
the “hacker problem.” However, the pervasiveness and consequences of digital breaches have encouraged those leaders to properly consider digital defense as a
business problem. No one buys a software package to manage human resources, believing that the new application has “solved” hiring, retention, and other personnel
challenges. No one subscribes to a cloud-based sales solution, thinking that they have “solved” their customer acquisition and satisfaction problems. In a similar
way, executives will find security software to be necessary, but not sufficient, to address hacking woes. It is important for leaders to devise a security strategy
appropriate for their business, then execute on that strategy on a daily basis.