Small and Medium Business Security Strategies, Part 1: Introduction

Jordan Drysdale

Blurb: A few of us have discussed the stress that small and medium business proprietors and operators feel these days. We want to help stress you out even more. Not really, but if you aren’t worrying about IT security, you are probably doing it wrong. This series will run through some of the important controls that IT pros have mapped out for us. We are trying to present these in a way that you can accomplish them without dedicated IT staff.

We’re all facing a fairly challenging landscape: hackers seemingly making a shambles of enterprise network defenses, nation-state actors stealing secrets from each other, and the constant concerns we have about our data privacy. How in the world is a small business expected to defend itself against a nation-state? What about a rogue employee?

Most of us at BHIS have spent time as front-line defenders of networks of various sizes. Defending small networks boils down to a few steps – really just the first five Critical Controls to get started. There is a lot of technical lingo and information about the Critical Controls here.

Getting your organization headed in the right direction requires starting a conversation with your staff. Once this conversation is started, you need to keep it going. The human element of IT security is left off the critical controls checklists and should be first. Secure firms understand Information Security and how it pertains to each employee. Each individual feels responsible.

The five basic controls to get your network to a basic level of security look like this:

  1. Hardware Inventory
  2. Software Inventory
  3. Secure Configurations (this may be the most difficult step)
  4. Vulnerability Assessment and Remediation
  5. Limiting Admin Privilege

A puzzled look is to be expected at this point. You might be asking something along these lines: What are secure configurations? How can I possibly understand “Limited Admin Privilege”? Seriously, what is vulnerability assessment and remediation? We are going to start slow, set realistic goals and work together to get your network under control.

So where to from here? No one has time, no one wants extra duties, and everyone has to step in and participate. Based on experience, most offices, businesses, schools, et cetera have someone around who knows about computers. This person is usually the go-to resource for broken printers, blue-screened workstations and internet outages. This person is an asset and should serve as a guide for this process. They can answer questions and will definitely know what a modem, switch and router look like.

Next up in the series: Part Two, inventory. Let’s put together a list of systems, network gear and the people responsible for them.