IT security 101 for small to mid-sized businesses

November 30, 2017 | Posted by Kevin Gemeroy

Probably the most common issue we see with potential clients is a lack of focus on the basics of IT security.  We get it – security is a pain in the butt.  But chances are that you’ve got a lock on the door to your house and probably an alarm as well.  It’s likely even monitored 24×7 to make sure that the police show up if someone tries to break in.  You need at least an equivalent level of security for your company’s IT systems, no matter how small your business might be.

At Dynamic Computing, our clients range from just a few employees to a few hundred.  While the sophistication of their IT systems and operations varies widely, the level of security they need really doesn’t.  Unless you’re running a health care or financial services company (or similar) that’s required to comply with regulations like HIPAA, HITECH, SOX, or GLBA, the standard you should aim for is what’s commercially reasonable for a business of your size and scale.

Here are some basics that every single business needs at every single location.  If you can’t confidently check off every box on this list, it’s time to call in the pros to talk about what and how things should improve.

Commercial-grade firewalls. By commercial-grade, we mean one that’s engineered for a business of your size.  It’ll likely be manufactured by an IT security company such as WatchGuard, SonicWall, Cisco, or Sophos.  Its firmware and threat signatures need to be updated regularly (the device doesn’t do this on its own – someone has to actually stay on top of it), and its logs need to be monitored so that you know what type of activity is happening on your network.  To be very clear, your ISP’s modem or router absolutely does not meet this standard.

Centrally-managed endpoint security software. The software itself is actually less important than the central management piece, believe it or not.  While there are a variety of options when it comes to endpoint security and some are definitely better than others, the most important thing is to ensure that all of your users’ devices are kept on current software with updated definitions, and that threats are dealt with centrally by IT rather than being left to each user to self-report.

Enterprise-grade data protection. This means permissioning and encrypting sensitive data and devices.  If a laptop gets lost or stolen, the last thing you want to hear about is the one Excel spreadsheet that was left on there with every employee’s name, address, social security number, and payroll info.  Aside from likely being required to notify the affected employees and the authorities of the breach, you’ve also broken your employees’ privacy and trust.  Full-disk encryption takes the lost-laptop case off the table; beyond that, information like this needs to be restricted via security group-level permissions so that someone can’t accidentally get into it in the first place.

Centralized user management. We’re seeing this problem more and more as companies take a cloud-first approach to computing.  Especially inside tech companies and startups, where Macs and Dropbox are the norm, it’s important that every device connects to a central user database and that the Dropbox edition in use is the business version, set up so that not everyone can get into everything.  Central management also means that when someone leaves, one account gets disabled and their access everywhere goes with it.  Microsoft’s Azure AD is a great and inexpensive cloud-based solution that can help address this issue.

E-mail/Web Filtering. If the DNC can get hacked via an e-mail phishing scam, your business can too.  In fact, phishing attacks are one of the most common ways the bad guys get into a system in any size of organization.  There are a number of layers to this including firewall-based filtering, anti-spam software with reputation blocking, and link/attachment filtering, all of which are important if not absolutely critical.

User Education. We’re saving the best and most important for last.  Your users need to be trained on how to look out for attempts to compromise their credentials.  The most common mistake people make is using the same password for the company’s system as they use for personal accounts.  Even if your security is top-notch, if the CFO used the same password for his Yahoo account, there’s a very good chance his name, e-mail address, and password have been floating around the dark web for years and no less than a few hundred people already have it – and the first thing they’ll try it against is his work login.  Unique passwords per service (a password manager makes this painless) and a check of new passwords against known breach lists close that hole.
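As an added illustration of the breach-list check mentioned above (this is example code, not something from the original post or from Dynamic Computing), the Pwned Passwords range API at https://api.pwnedpasswords.com/range/<prefix> lets you test a password against a breach corpus without ever sending the password: only the first five hex characters of its SHA-1 leave the machine, and the server answers with every 35-character suffix it knows for that prefix, each with a count. The code below builds that query and does the matching locally. It is fully offline: the range response is constructed for the demo (the counts are made up, and only the second suffix is the real remainder of SHA-1("password")), and the `offline_fetch` helper stands in for an HTTP GET.

```python
"""
Breached-password check with k-anonymity (added example, not from the post).

Reusing a password that leaked from some other service means attackers
already hold it. The Pwned Passwords range endpoint returns every SHA-1
suffix it knows for a 5-hex-character prefix, so the comparison happens
here and the server never learns which password, if any, matched.
"""
import hashlib
from typing import Callable

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the format the API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): 5 chars that get sent, 35 chars kept local."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def range_query_url(password: str) -> str:
    """The only thing that leaves the machine is this 5-character prefix."""
    prefix, _ = split_hash(password)
    return RANGE_API + prefix


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """
    Ask fetch_range(prefix) for the 'SUFFIX:COUNT' lines of that prefix and
    match the locally kept suffix against them. 0 means the password was
    not in the corpus. fetch_range is pluggable so a real HTTP call can be
    swapped in for the offline stand-in used here.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines defensively
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def password_is_safe_to_use(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy helper: reject anything that appears in a breach at all."""
    return breach_count(password, fetch_range) == 0


# Constructed sample of what /range/5BAA6 might return (real responses hold
# several hundred lines). Only the second suffix is genuine: it is the
# remainder of SHA-1("password"). The counts are invented for the demo.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:5\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for an HTTP GET of RANGE_API + prefix; unknown prefix -> empty."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: query {range_query_url(pw)} -> "
              f"seen {breach_count(pw, offline_fetch)} times")
```

To use this for real, replace `offline_fetch` with a function that performs the GET against `RANGE_API + prefix` and returns the response body; the password itself still never leaves the machine. Treat any non-zero count as a reason to reject the password, not just a large one.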

Finally and most importantly, you need a pro handling this stuff for your business.  That pro is probably not your internal IT guy.  It’s rarely an MSP with fewer than ten employees, and it definitely shouldn’t be your friend who works at a big tech company.  If you’re relying on advice that you’re not paying the going rates for, it’s probably about as good as your golf buddy’s tax tips.
