Seven Practical Steps for Small & Mid-Sized Business
to Improve IT Security

Ensure anti-virus, anti-malware software and other security software is running on all your workstations, laptops and servers; and keep the software up to date. As vulnerabilities are identified, regular patches by software providers are released to maintain security.

Monitoring needs to happen at workstation, server and network levels. Your workstation and server security software can be configured to carry out regular scans so vulnerabilities are eliminated.

Network monitoring software/services are available and offer many benefits. This includes intrusion detection systems that alert administrators if there appears to be policy violations or malicious activities so corrective action can be taken. Scans can also identify if machines are not active or communicating with the network to identify problems and/or just shut off resources used by inactive devices.

Business class IT equipment is designed with higher security standards (e.g., encryption, designed with monitoring mind). Inventory your IT equipment. Some equipment posing security threats may be inexpensive to replace (e.g., routers, firewalls, spam filters, wireless, switches) Identify these opportunities and act right away. Going forward commit to only buying business class equipment and ensure you budget accordingly.

A penetration test is like a fire drill. It is an internally scheduled activity that attempts to perform an intrusion into your network or applications. If you have never carried one out, get started. Then make penetration testing a routine activity for your company.

Mobile device management (MDM) is important to address as more companies encourage or move to BYOD (bring your own device) policies. This requires implementation of usage policies (e.g., lost device, restrictions on applications that can be used) and use of technology to handle issues that arise (e.g., enabling remote swiping of data, restricting alteration of settings). Read more about how MDM services can benefit your business.

Implementing policies and procedures reduces IT security risks. Basic changes to consider include:

• • Limit access to sensitive information
  • Reduce IT support and training costs: Poorly performing software programs require added IT support, time and effort to train your staff to use. If you pay fees to software providers or use a 3rd party IT provider to handle support calls and/or work with staff to help them understand the software; these “hidden” costs are chewing into your bottom line.
  • Require more rigorous passwords (don’t make them too onerous lest you witness the proverbial “password sticky note” on your employee’s monitor…)
  • Restrictions on use of certain applications and downloads
  • Acceptable use of mobile devices for work activities (MDM)

Arming employees with awareness of security issues and how to mitigate risks is the most effective methods to reduce IT risk without spending a cent on hardware or software. Key topics to educate them on include:

• • How to take fewer risks with company data and email at work, home and on the road
  • Risks of social media
  • Recognizing spam/phishing email and other dangerous applications and how this can reduce financial and data loss
  • Social engineering tactics by hackers (i.e., hackers who request login info or other sensitive data posing as someone in IT, via email, a phone call or other means)
  • Review of IT policies (removable media, passwords, downloads, etc.)