
Upfront and secure is Job One for SMBs

Information security threats and vulnerabilities can affect businesses of any size. Security expert Kevin Beaver was recently featured in a webcast titled "Top Security Vulnerabilities for SMBs." Here are Kevin's answers to your questions on a variety of security topics, from security assessment and password protection to all-in-one security policies.

Is it OK to use boilerplate security policies that I can download off the Internet?

No. It's OK to download policies, but you've got to apply them to your unique situation. The ones you download may be too strict or not strict enough. The best way to determine which policies you need and how they should be tuned is to perform an information risk assessment. That is, look at the technical and procedural issues surrounding your information systems, determine where your weaknesses are and then develop policies to help turn those weaknesses around.

Do you recommend all-in-one security appliances over standalone firewalls, content filtering and antivirus systems?
All-in-one systems are great, especially for smaller organizations. They're often easier to set up and manage. Just remember that they're a single point of failure, so be sure to have a contingency plan in place in case something goes wrong. Based on how dependent your organization is on computers and the Internet, a contingency plan for one of these systems could be as simple as having a next day replacement warranty. Just remember to back up your system configuration so you can restore it quickly to the new system when you receive it.

"You've got to find a good balance between security, convenience and usability. Otherwise, you'll be public enemy No. 1." -- Kevin Beaver, Principal Consultant, Principle Logic LLC
How often should I test my 30-node network for security vulnerabilities?
It depends on how critical the information you're trying to protect is and how dependent your organization is on it. If -- and only if -- you regularly keep up with patches, I would suggest an initial test to get a baseline of where you stand and then consider testing for technical vulnerabilities once a quarter or even twice a year. Every situation is different, but this is a general guideline.

I've tried locking down my systems, but it only seems to backfire -- users complain about things such as having to remember too many passwords and that it takes too long to access shared files on the network. Is there a way to find a balance so I can secure our systems and they can get their work done at the same time?
One of the biggest complaints I hear from end users is that the 'IT department has locked down everything to the point of extreme inconvenience.' Here are some examples: blocking all e-mail attachments, forcing 12-character passwords that must be changed every 30 or 60 days, requiring users to log in two or three times and browsing the network for five minutes just so they can access their home directories.

All of these things are often seen as legitimate security measures; you've just got to be careful. It all depends on your organization -- the culture, upper management's support for information security, end user awareness and more. You've got to find a good balance between security, convenience and usability. Otherwise, you'll be public enemy No. 1 -- and that's not what you're there for. If you feel the need to lock things down to the point of user aggravation, make sure you have upper management's OK and support first. The bottom line is that you need to keep security as transparent to the end user as possible.

Can my wireless network really be made secure?
Sure, I believe so. There are a ton of hardening techniques, most of which are very simple to implement. I cover a lot of these in another webcast you can find on called 'Doing wireless LANs the right way.' I know has some good stuff on this. Also stay tuned to for more contributions from me related to wireless networks.

The neat thing is, there are some good vendor solutions emerging that can help with hardening your wireless systems and help implement the new 802.11i security standard for wireless LANs, so you don't have to worry about the technical issues as much. If you're not 100% sure how secure your airwaves are, it would be beneficial to have someone come in and assess your wireless security to make sure everything is locked down.

What will it take to get my users to create strong passwords and not write them down and leave them laying around their desks?
I think for smaller organizations, desktop versions of PGP and S/MIME are manageable and reasonable. I don't recommend going with an all-out PKI solution unless you're willing to spend the time, effort or money to implement and manage it or bring someone in to do it for you. Another good option is to install an e-mail firewall that supports SSL and TLS and performs encryption at the network perimeter. This takes encryption and other security responsibilities away from end users and can make e-mail security administration a lot easier. You'll just have to determine whether they are worth the price.
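
To make the "desktop S/MIME" option above concrete, here is an added example (not part of the original webcast or of Kevin Beaver's material) that walks a message through the full S/MIME cycle with nothing but the openssl command line: the sender signs and encrypts, the recipient decrypts and verifies, and a tampered copy is shown to fail verification. The two self-signed certificates it generates are throwaway stand-ins for certificates a user would get from an e-mail CA or an internal PKI; the names "alice" and "bob", the helper functions and the message text are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the article: S/MIME sign, encrypt, decrypt and
# verify with the openssl CLI. All credentials and data below are constructed
# for the demo; the self-signed certs stand in for CA-issued user certs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME: writes $WORK/NAME.key and a one-day self-signed
# certificate $WORK/NAME.crt (throwaway credentials, demo only).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# smime_roundtrip: Alice signs a message and encrypts it to Bob; Bob decrypts
# it and verifies Alice's signature. Prints "ok" when the recovered text
# matches the original, "FAIL" otherwise.
smime_roundtrip() {
    make_identity alice
    make_identity bob
    printf 'Quarterly vulnerability scan results attached.\n' > "$WORK/plain.txt"

    # Sender side: sign with Alice's private key, then encrypt the signed
    # message with AES-256 to Bob's certificate (Bob's public key).
    openssl smime -sign -in "$WORK/plain.txt" \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" \
        -out "$WORK/signed.msg"
    openssl smime -encrypt -aes256 -in "$WORK/signed.msg" \
        -out "$WORK/encrypted.msg" "$WORK/bob.crt"

    # Receiver side: decrypt with Bob's private key, then verify the
    # signature. Alice's self-signed cert is the trust anchor here; in
    # production this would be the issuing CA's certificate.
    openssl smime -decrypt -in "$WORK/encrypted.msg" \
        -inkey "$WORK/bob.key" -recip "$WORK/bob.crt" \
        -out "$WORK/decrypted.msg"
    openssl smime -verify -in "$WORK/decrypted.msg" \
        -CAfile "$WORK/alice.crt" -out "$WORK/verified.txt" 2>/dev/null

    # S/MIME canonicalises line endings to CRLF, so strip CR before comparing.
    if tr -d '\r' < "$WORK/verified.txt" | cmp -s - "$WORK/plain.txt"; then
        echo ok
    else
        echo FAIL
    fi
}

# tamper_detected: edits one word in the decrypted (still signed) message
# and confirms that signature verification now fails. Prints "ok" if the
# tampering is caught, "FAIL" if the altered message still verifies.
tamper_detected() {
    [ -f "$WORK/decrypted.msg" ] || smime_roundtrip >/dev/null
    sed 's/Quarterly/Quarterlx/' "$WORK/decrypted.msg" > "$WORK/tampered.msg"
    if ! openssl smime -verify -in "$WORK/tampered.msg" \
            -CAfile "$WORK/alice.crt" -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo FAIL
    fi
}

smime_roundtrip
tamper_detected
```

The two halves are deliberately separate: encryption to Bob's certificate protects confidentiality, and Alice's signature is what lets Bob detect the altered copy. A desktop S/MIME client does exactly these steps behind its "sign" and "encrypt" buttons; the part that costs effort in practice is distributing and trusting the certificates, which is the management burden the answer above refers to.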
