This is an answer to my favorite age-old anti-security argument, “we don’t need security, we’re too small to be a target.” Really? Who is more likely to be a target? Is it the big guy walking down Main Street with four armed guards flanking him on each side, or the little guy walking down a poorly lit alley whistling loudly so it seems like he’s not really scared? The answer, as always, depends on the motivation of the attacker. If the attacker is looking to send a message or get some publicity, then the big guy is the right target. If, however, the attackers are just looking to steal money or identities and draw little attention, then the little guy is the right target. On to the original question: are little guys targets? Absolutely.
The problem with the little guys thinking they’re not targets is that they often don’t have anything in place to tell them if they’ve been attacked or breached in the first place. This is the old head-in-the-sand approach, and it just is not a good idea. You wouldn’t go months without reviewing your bank statements, would you? Then why is it that the systems your money runs through (your business’s computer network) do not deserve the same attention and respect? There is too much neglect of best practices in small businesses, and at some point it is going to hurt your small business. You have data that bad guys want; the problem is you don’t know what or where that data is. It’s okay to know you don’t know something; it is not okay to remain ignorant after you have been informed.
I’ve put together a little list, more like an outline, of things you can do to help better secure your business without bankrupting you. Hopefully it gives you a good idea of where to start and shows that it’s not terribly difficult to achieve some sense of understanding about your systems and the data they move around.
1) Be aware! There are countless news feeds and portals out there that can help keep you aware of what’s going on in the bad guy world. You don’t have to become an expert but you should have a sense of what sort of evil is lurking out there.
2) Use Open Source or so-called Free Software. There is a ton of it out there, it’s not as complicated as it sounds, and it won’t take a monster-sized bite out of your budget. Some of it can be a little obtuse, but there are some great tutorials out there, and if you get stuck you can always find someone who can help. (Full disclosure: My company does this sort of work, so of course I think it’s a great idea.)
3) Build a security strategy. Figure out what kind of stuff (computers, data, people) you want to secure and then build a strategy around that. If you don’t know what you have then you can’t possibly secure it properly.
4) Build a culture of caring. You need folks who, while not necessarily security experts, understand the need for and appreciate the efforts required to secure systems and people.
5) Secure your people too. You have read this sentiment over and over, but yes, people need to be secured too. A lot of attackers would rather go after people (it’s called social engineering) than systems, because typically people are more trusting and more willing to give out confidential information.
Bonus: While securing your people, make them aware of social media security issues. This is an important part of any security strategy, especially if you’re using social media for marketing already. Knowing what to say and what not to say is crucial.
This is not to say that security is not hard; it actually is quite difficult to be 100 percent completely secure (many would argue it is not even possible), but the idea is not to be 100 percent completely secure. The idea is to have in place processes and tools to prevent as much as you can while understanding what to do if something bad does happen. Once you’ve figured out that it is not insurmountable you will be wondering why you didn’t start sooner. The hardest part though is getting started — it always is.
Bill Mathews is Lead Geek at Hurricane Labs, an IT security services firm founded in 2004. He has nearly 20 years’ experience in IT, 13 of that in information security, and has been interested in security ever since C3P0 told R2 to never trust a strange computer. He can be reached at @billford or @hurricanelabs on Twitter, and other musings can be read on http://blog.hurricanelabs.com.