
10 must-have steps for an effective SMB information security program

No information security program would be complete without these security tips from the NIST, which has compiled advice just as security threats to smaller businesses are on the rise.

The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security.

Monday, the U.S. Secret Service underscored the cyber danger to small and medium-sized businesses (SMBs), testifying before the Senate Homeland Security and Government Affairs Committee that cybercriminals are increasingly targeting small and medium-sized businesses that do not update their computer security, according to a story by the Associated Press.

Most of the attacks are waged by overseas criminal groups looking to steal sensitive financial and personal information, said Michael Merritt, assistant director of the Secret Service's office of investigation.

Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, told the committee that 87% of the breaches could be thwarted by "simple to intermediate" preventative measures.

The NIST guide, "Small Business Information Security: The Fundamentals," is the work of Richard Kissel, a computer scientist at the NIST computer security division. The guide, in draft form but soon to be finalized, does not assume technical expertise -- a decision born of Kissel's years on the road teaching small business owners and executives how to protect their information, systems and networks.

"They had no idea what to do," Kissel said. Members of his audiences -- printers, mechanics, doctors, dentists -- were good at what they did, he said, "but what they did was not IT, and it wasn't information security." More alarming to him was that the NIST seminars, done in conjunction with the FBI and the Small Business Administration, reached an average of 1,000 businesses annually, a drop in the bucket of the 25 million SMBs in this country that account for 50% of all new jobs here.

"We thought if maybe we had a document -- just a small, simple, little easy read that tells people how to do this thing called 'protect your information and systems and networks' -- then we could reach more people," Kissel said.

Written in plain terms, the 20-page booklet lays out 10 "absolutely necessary" actions a small business should take to protect its information, systems and networks, and 10 "highly recommended" practices, both listed below. It also includes a short section on contingency and disaster recovery planning, as well as business policies for information security.

And in case someone needs to ask why any of this is important, he also explains that.

Worksheets for prioritizing and protecting an organization's information and for estimating the cost of security breaches and snafus are also included.

Kissel's 10 "absolutely necessary" steps to an effective information security program (consult the pamphlet for how-to's):

  1. Protect information, systems and networks from damage by viruses, spyware and other malicious code.
  2. Provide security for your Internet connection.
  3. Install and activate software firewalls on all your business systems.
  4. Patch your operating systems and applications.
  5. Make backup copies of important business data/information.
  6. Control physical access to your computers and network components.
  7. Secure your wireless access point and networks.
  8. Train your employees in basic security principles.
  9. Require an individual user account for each employee on business computers and business applications.
  10. Limit employee access to data and information, and limit authority to install software.

And here are the 10 "highly recommended" practices: security trouble spots where computer users should use caution:

  1. Opening email attachments from unknown senders and responding to emails asking for sensitive information.
  2. Clicking on Web links in emails and instant messages.
  3. Clicking OK on pop-up windows and other hacker tricks.
  4. Doing online business and banking.
  5. Skipping criminal background checks on prospective employees.
  6. Web surfing.
  7. Downloading software.
  8. Not getting expert help when you need it. The Better Business Bureau, Chamber of Commerce and Small Business Development Centers can point you to service providers.
  9. Disposing of old computers and media.
  10. Protecting against social engineering.

Source: "Small Business Information Security: The Fundamentals." More information can be found at the NIST Computer Security Division homepage.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer

This was last published in September 2009
