IT security 101 for small to mid-sized businesses

November 30, 2017 | Posted by Kevin Gemeroy

One of the most common issues we see with potential clients is a lack of focus on the basics of IT security.

We get it – security is a pain in the butt. But chances are that you’ve got a lock on the door to your house and probably an alarm as well. It’s likely monitored 24×7 to make sure that the police show up if someone tries to break in. You need at least an equivalent level of security for your company’s IT systems, no matter how small your business might be.

At Dynamic Computing, our clients range from just a few employees to a few hundred. While the level of sophistication of their IT systems and operations varies widely, the level of security needed really doesn’t.

Unless you’re running a health care or financial services company (or similar) that’s required to comply with regulations like HIPAA, HITECH, SOX, or GLBA, chances are that the standard you should shoot for is “commercially reasonable” security for a business of your size and scale.

Here are some basics that every business needs at every location. If you’re not sure that you can check off every box on this list, it’s time to call in the pros to talk about what should improve and how.

Commercial-grade firewalls. By commercial-grade, we mean one that’s engineered for a business of your size. It’ll likely be manufactured by an IT security company such as WatchGuard, SonicWall, Cisco, or Sophos. It needs to be updated regularly (the device usually doesn’t do this automatically – someone has to pay attention to it) and monitored to ensure that someone knows what type of activity is happening on your network. It’s also important to know that your ISP’s modem or router doesn’t meet this standard – you need something far more capable than the inexpensive options they provide to their customers.

Centrally-managed endpoint security software. Otherwise known as Anti-Virus or Anti-Malware software. The type and brand of software itself is actually less important than the central management piece, believe it or not. While there are a variety of options when it comes to endpoint security and some are definitely better than others, the most important thing is that all of your users’ devices are kept on a current version of the software with updated definitions, and that threats are dealt with centrally by IT rather than being left to each user to self-report.

Enterprise-grade data protection. This means permissioning and encrypting sensitive data and devices. If a laptop gets lost or stolen, the last thing you want to hear is that an Excel spreadsheet was left on there with names, addresses – or even worse – social security numbers or payroll info. Aside from being required to disclose the breach to the authorities, you’ve also breached your employees’ or clients’ privacy and trust. Further, information like this needs to be restricted via security-group-level permissions so that only the people who need it can get to it, which prevents someone from accidentally getting into it in the first place.

Centralized user management. We’re seeing this problem more and more as companies take a cloud-first approach to computing. Especially inside of tech companies and startups, where the use of Macs and cloud-based file sharing is the norm, it’s important that every device connects to a central user database and that the file sharing system is a business version that’s set up to prevent everyone from getting into everything. Microsoft’s Azure AD is a great and inexpensive cloud-based solution that can help address this issue, as are enterprise-grade file sharing solutions like Dropbox Business.

E-mail/Web Filtering. If the DNC can get hacked via an e-mail phishing scam, your business can too. In fact, phishing attacks are one of the most common ways the bad guys get into a system in any size of organization. There are a number of layers to this, including firewall-based filtering, anti-spam software with reputation blocking, and link/attachment filtering, all of which are critical security measures to implement.

User Education. We’re saving the most important for last. Your users need to be trained on how to spot attempts to compromise their credentials. The most common mistake people make is using the same password for the company’s systems as they use for their personal accounts. Even if your security is top-notch, if the CFO’s credentials are compromised because he used the same password as his (previously hacked) Yahoo account, you’re still up the creek without a paddle. For most top executives, there’s a very good chance that your name, e-mail address, and password have been floating around the dark web for years and no less than a few hundred bad guys already have them.

Finally and most importantly, you need a pro handling this stuff for your business. That pro is probably not your internal IT guy. It’s rarely an MSP with less than ten employees, and it definitely shouldn’t be your friend who works at a big tech company. If you’re relying on advice that you’re not paying the going rates for, it’s probably about as good as your golf buddy’s tax tips.
