10 must-have steps for an effective SMB information security program

The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting the final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST guidance should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it is important that employees bear more responsibility for information security.

Monday, the U.S. Secret Service underscored the cyber danger to small and medium-sized businesses (SMBs), testifying before the Senate Homeland Security and Government Affairs Committee that cybercriminals are increasingly targeting small and medium-sized businesses that do not update their computer security, according to a story by the Associated Press.

Most of the attacks are waged by overseas criminal groups looking to steal sensitive financial and personal information, said Michael Merritt, assistant director of the Secret Service's office of investigation.

Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, told the committee that 87% of the breaches could be thwarted by "simple to intermediate" preventative measures.

The NIST guide, "Small Business Information Security: The Fundamentals," is the work of Richard Kissel, a computer scientist at the NIST Computer Security Division. The guide, in draft form but soon to be finalized, does not assume technical expertise -- a decision born of Kissel's years on the road teaching small business owners and executives how to protect their information, systems and networks.

"They had no idea what to do," Kissel said. Members of his audiences -- printers, mechanics, doctors, dentists -- were good at what they did, he said, "but what they did was not IT, and it wasn't information security." More alarming to him was that the NIST seminars, done in conjunction with the FBI and the Small Business Administration, reached an average of 1,000 businesses annually, a drop in the bucket compared with the 25 million SMBs in this country, which account for 50% of all new jobs here.

"We thought if maybe we had a document -- just a small, simple, little easy read that tells people how to do this thing called 'protect your information and systems and networks' -- then we could reach more people," Kissel said.

Written in plain terms, the 20-page booklet lays out 10 "absolutely necessary" actions a small business should take to protect its information, systems and networks, and 10 "highly recommended" practices, both listed below. It also includes a short section on contingency and disaster recovery planning, as well as business policies for information security.

And in case someone needs to ask why any of this is important, Kissel explains that too.

Worksheets for prioritizing and protecting an organization's information and for estimating the cost of security breaches and snafus are also included.

Kissel's 10 "absolutely necessary" steps to an effective information security program (consult the pamphlet for how-to's):

  1. Protect information, systems and networks from damage by viruses, spyware and other malicious code.
  2. Provide security for your Internet connection.
  3. Install and activate software firewalls on all your business systems.
  4. Patch your operating systems and applications.
  5. Make backup copies of important business data/information.
  6. Control physical access to your computers and network components.
  7. Secure your wireless access point and networks.
  8. Train your employees in basic security principles.
  9. Require an individual user account for each employee on business computers and business applications.
  10. Limit employee access to data and information, and limit authority to install software.

And here are the 10 security trouble spots where the guide highly recommends that computer users exercise caution:

  1. Opening email attachments from unknown senders and responding to emails asking for sensitive information.
  2. Clicking on Web links in emails and instant messages.
  3. Clicking OK on pop-up windows and other hacker tricks.
  4. Doing online business and banking.
  5. Skipping criminal background checks on prospective employees.
  6. Web surfing.
  7. Downloading software.
  8. Not getting expert help when you need it. The Better Business Bureau, the Chamber of Commerce and Small Business Development Centers can point you to service providers.
  9. Disposing of old computers and media.
  10. Protecting against social engineering.

Source: "Small Business Information Security: The Fundamentals." More information can be found at the NIST Computer Security Division homepage.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

This was first published in September 2009
