First of a three-part series on security for SMBs…
While every company must protect its intellectual property and data that falls under privacy and compliance requirements, not every organization has the trained data security personnel, financial resources and technical wherewithal to perform such security operations. This is particularly true for small to midsize businesses (SMBs) that often struggle to stay afloat from an operational budget perspective, let alone the additional costs they must pay for mandated security.
Webroot, an OpenText company, recommends that SMBs not try to swallow the proverbial ocean of security options at once and instead focus on five steps to create a solid cybersecurity grounding that can help them make the most of their efforts.
5 steps to cybersecurity
- We recommend that SMBs commission an external security provider to conduct a security audit. There is a data security truism that must not be ignored: You cannot protect what you do not know is at risk. This exercise provides a holistic view of the data you have, its value, locations and its level of risk of being compromised by bad actors.
- Security teams should adopt a security framework. IT security is a combination of people, processes, and technology. For SMBs, the Center for Internet Security (CIS) provides a straightforward approach to defining what you need to be doing on a continuous basis to maintain a strong defense as an organization.
- Determine how much your company can spend on IT security. With your audit in hand, investigated processes and an accurate understanding of what is going to be involved, it is time to look at what security programs your company can afford to implement — and understand what you cannot afford to implement yet. Here you determine your risk priorities, what compromises you might be faced with and how you minimize those risks. You determine if you will handle security in-house, outsource or have a mix of both.
- Execute your ongoing IT security plan. First, however, ensure you have written policies, procedures and escalations in place for the identified risks. This plan must have the means to be able to enforce those policies and procedures, as well as the ability to monitor, review, revise and maintain them.
- Rinse and repeat. Conduct regular and continuous assessments of risk and reinforcement of your now established security posture, including vulnerability assessments, patch management, user training, and regularly testing attack responses. Be conscious that changes and introductions of new elements all demand a security review to ensure your security posture is maintained and not compromised.
In the next installment, we’ll cover threats to DNS security and 5 ways to use threat intelligence for a more effective defense.
George Anderson, Director of Product Marketing, OpenText SMB&C
George Anderson has spent the past 20 years in the IT Security industry in roles. He is currently responsible for product marketing for Webroot business security products – Endpoint and DNS Protection and Webroot Security Awareness Training.