Thursday, 20 October 2011

Running a Security Program without a Budget

I've been thinking more and more about small businesses and security recently.   Most small businesses don't have the budget to run their own security program.   These organizations, that employ many, many people, are often left vulnerable.   Larger organizations have the budget to fund a security program, while most small businesses don't.

I've pointed out before that most small businesses don't have an information security program.

I spotted a great article earlier today that dealt with the concept of security below the poverty line, and it contained both a podcast, and a link to a research paper published by the 451 Group.   I'm not going to link directly to the research, as the 451 group decided to make it available for free through The Ashimmy Blog, and not through my site.  Credit where credit is due.

As a small business owner, what 4 steps can you take to drastically improve your security?

  1. Introduce an acceptable use policy.  Let your employees know what is, and what isn't acceptable.  Teach them what to watch for, and why, and who to advise when something looks wrong.

  2. Implement forensic accountability.  Do away with shared passwords and shared accounts.  You want to make sure that should something go wrong, you can determine who did what.

  3. Purchase legitamate software.  Downloading pirated software can often introduce backdoors and other malware into your system that your anti-virus won't detect.

  4. Maintain physical security.  Make sure that no one can just walk into your office, pick something up (or drop something off) and walk out.