
Small Business Computer Security

Small business computer security, the next emerging trend in computer security!

If I may ask, does your company have a dedicated Information Security (IS) department? In other words, what is the size of your company or, put simply, what is the size of your information security budget?

Small Business Computer Security - what is it all about?

Concern about computer security in small businesses came with the advent of the microcomputer, coupled with the development of networked computing, the internet and the World Wide Web. The reason is that only the big companies, and in fact only the multinationals, had the financial ability to invest in information systems (mainframes) in the 1960s and 1970s. But with the advent of microcomputers, the reduction in price and new technologies such as telecommunications, the terrain has changed.

Every business, whether big or small, needs information for the day-to-day running of the entity.

A Small Business Computer Security

What size of business is regarded as small in this write-up?

A small business in this case is an organisation with not more than fifty employees and a turnover of not more than $100m.

Why talk about small business computer security?

Attacks on corporate information systems by hackers, viruses, worms and the occasional disgruntled employee are increasing dramatically, regardless of whether the company is big or small, though it is on record that big companies attract more hackers than small companies. On the other hand, big companies, by virtue of their size, also have more resources devoted to computer security than small companies.

Big, multinational companies have a full-fledged IS department, while small companies might not be able to afford the services of a full-time CSO; hence, IT personnel could double as the IT resource for the company and at the same time the ISO.

Since technology is not the preserve of big companies, small companies should adopt the right strategy, with a good policy that supports a mix of technology, in order to take advantage of up-to-date technology including the internet while minimising the risk that goes with it.

Some useful tips for small companies in addressing inherent computer risks

1) Small companies are advised to acquire well-known and tested technology that is still within their reach in terms of cost. This is much better than buying unknown or untested software mainly because of its low cost. With tested software, if there are any vulnerabilities, they would have been known and vendor solutions (patches) would have been provided to correct them.

2) Small companies, where applicable, should consider outsourcing critical IT technology that could require a high level of expertise which may be out of their reach.

3) Management must put in place an Information Security Policy that will guarantee adequate protection of the Information Security computer assets and resources upon which are kept.

4) There must be a designated ISO who may also be from the IT department.

5) There must be proper Information Security Awareness Training at least once a year, and circulation of best practice on any issue as it arises. The awareness training could also be included as part of any programme that brings employees together, provided it can be combined with, and is not totally at variance with, the main programme.

6) The following controls must also be put in place:

i) Adequate password protection on all computers and computer resources, e.g. files.

ii) Appropriate screen savers must be encouraged in order to prevent people from viewing corporate information on a computer that is left unattended.

iii) Remote access must be properly controlled. It must only be given to people who need it to discharge their job.

iv) Virus protection – Adequate anti-virus software must be installed on every computer on the network. This must be constantly updated.

v) System vulnerabilities – Keep operating systems and application systems patched.

vi) Change default settings and passwords on all computers. Leaving the defaults in place is a common mistake by many users, especially in small companies.

vii) Install a firewall software package on all computers where critical information is kept. There are firewall software packages that could meet the needs of small companies. Please note that the information asset you want to protect will determine what type of firewall software to buy.

viii) Install an Intrusion Detection System on critical applications.

ix) Make regular backups of computer files and keep them in a safe off-site location. The off-site location need not be owned by the company, as this may be beyond what a small company can afford. There are third-party companies that render such services for only a small fee.

x) All unused network services should be disconnected.

xi) It is recommended that computers connected to the internet be disconnected when not in use.

xii) Avoid untested free software.

xiii) You can also buy smart.

In summary, implementing the above controls could be a veritable tool in the hands of any organisation, especially where small business computer security is concerned.
