IT security for the SME

Security means different things to different people and even within the IT sector you will probably come across a wide variety of definitions. For the purpose of this article IT security is defined as the ability to guarantee continuity of business and confidentiality of business data through systematic analysis and management of threats and risk.

When we talk about security we often talk about the AIC Triad; the objective of any IT security policy is to ensure the availability, confidentiality and integrity of business data. If one of these three principles is compromised the IT security policy has failed and business continuity is jeopardised.

IT security threats can come from a variety of sources and as a small business it's easy to become complacent. This article will take a look at some of the common threats small businesses face and how those threats can be mitigated to reduce risk and improve security.

IT Security Threats to the small business

  • Loss of data - The biggest threat to businesses of all sizes is loss of data; be that through accidents or mistakes, malicious intent or hardware/software failure. A well setup and maintained IT infrastructure will massively reduce the risk of loss through each of these paths but can never completely rule out data loss. This is why we insist that all of our clients have a suitable offsite backup policy in place.

  • Viruses and Malware - Viruses and malicious programs form one of the most pervasive threats to businesses in the modern age. In 2003 Trend Micro estimated viruses cost businesses $55 billion in damages, up 100% from 20021.  Every business using IT should invest in some form of virus protection and ensure that all their programs are updated with the latest patches.

  • Fire & Disasters - No one wants to think about the worst happening but small businesses, especially those that operate on a single site, are at a far higher risk of loosing their business completely in the event of a fire or disaster. It's a sobering fact to realise that after a fire, 70% of businesses will fail within 3 years2. Regular backups, stored offsite, and disaster recovery procedures are crucial if a company is to recover from a fire quickly and maintain continuity.

  • Theft - Theft is a two fold problem for all businesses. The loss of IT assets obviously has financial implications but the loss of intellectual property can be even more devastating. Statistics show that 600,000 laptop thefts occur annually, totalling an estimated $720 million in hardware losses and $5.4 billion in theft of proprietary information3. Reducing the risk of data loss and minimising the damage if data is stolen involves the introduction of physical security policies, the encryption of data stored on laptops and removable media and the secure backup of company data.

  • Hacking - It's easy to fall in to the trap of believing that only large companies are subject to the attention of hackers. Whilst it is unlikely that you would be targeting specifically by a hacker most hack attempts are automated; as such any connection which is publically accessible (such as your internet connection or wireless network) is a potential security risk.

Passwords - Make or break IT security

The CERT/CC (Computer Emergency Response Team / Coordination Center), estimates that 80% of all network security problems are caused by bad passwords.

Hackers can use freely available tools to break weak passwords in a matter of minutes so ensuring your passwords are strong is probably the most fundamental issue for small businesses.

Check out our accompanying guide to password security and get access to our free password analyser

 

"After a fire, 70% of businesses will never start up again or will close within the next three years"

 

The internal threat to IT Security

Possibly the hardest threat to quantify for managers of SME's is the threat posed by members of their own staff.

Although malicious damage from staff is relatively rare, internal mistakes account for the large majority of security breaches.

The increased use of USB drives, unrestricted use of internet, personal e-mail, such as Hotmail, and instant messaging all introduce significant security gaps into the modern organisation.

Each of these is a potential back door for malicious programs and IT should be bolted down to remove these gaps whilst managers and staff should be trained to understand the risks.

 

1 - 2004, Computer World
2 - Home office statistics
3 - Safeware Insurance, 2003

The Good News

The good news about IT security is that many of these threats can be mitigated by a combination of well implemented IT, staff training, good practice and careful planning. Security should be re-framed as the responsibility of the entire organisation and not simply left to the ICT department. Only be ensuring security remains a high priority, high visibility priority will managers keep ahead of changes in technology that could negatively impact upon old security policies.

If you're concerned about security or would like to know more about our security services please feel free to call us for a free, no-obligations chat about your needs. Geek-Guru; your ideal security partner in a changing world.