Have you ever heard or read about an information security breach in Small or Medium Sized Enterprises (SMEs)? Probably not. Does this mean they are immune to breaches? Definitely not. In fact, SMEs are the most attractive targets for cyber criminals. They are considered to be low hanging fruits. Primarily because they leave their doors unlocked thinking that they would be of no interest to cyber criminals. To save money they end up exposing themselves to the risk of higher payouts or worse bankruptcy.
I agree that SMEs might lack the expertise required to implement a risk-based cyber security approach. However, SMEs too can become cyber resilient with a little awareness, minimalistic investment in security controls and support from the senior management. Here’s how:
- Create an asset register: An asset register is basically an excel sheet that lists the hardware and software assets that are currently owned by the company. It can be created for a company of any size without any investment. It’s not a one time activity though. Asset registers must be kept up to date.
- Get rid of pirated software: Once an asset register is available, it becomes easy to keep track of software licences. Should a company finds itself running primarily on pirated software, it must either invest in obtaining a legitimate license or consider switching to open source software. Besides being a copyright infringement, an additional risk of running pirated software is that it may contain malware. Depending on the strategy chosen this may require some investment.
- Install Internet Security Software: Though operating a centrally managed endpoint protection solution might be easier but it could get expensive, especially for companies with less than 50 employees. Alternatively, companies can invest in Internet Security software. They are relatively cheap. They come with inbuilt firewall and website filtering capabilities. They have the capability to auto-update themselves with latest virus signatures for effective protection.
- Update and Install Patches: Most software ship with built in auto-update feature. Turn it on and forget about it.
- Disable/Remove removable media terminals: If the work is such that employees do not require the use of USB drives or CD/DVDs, then these terminals must either be removed physically or disabled through appropriate mechanisms. However, if their use is required, companies can issue the media as and when needed. Any such media issued must be encrypted. Free disk encryption software are available for this purpose.
- Create a Standard Operating Image: A Standard Operating Image (SOI) is an image of the operating system that contains only those software that are required by employees to perform their job functions. This reduces the exposure arising from vulnerabilities in unnecessary utilities. Any deviation from SOI must be recorded with appropriate justification.
- Disable Administrator Accounts: If Microsoft Active Directory is not an option then companies can create non-admin accounts for employees on the systems assigned to them. Passwords to admin accounts must not be shared under any circumstance.
- Frequent Backups: Though the frequency of backups depends on the nature of work a company is involved in but it must be done at least once a week.
- Create Policies: Once basic security controls are in place, companies must create certain policies like Information Security Policy, Acceptable Usage Policy etc. A policy helps in communicating and establishing the management’s intent and objectives behind implementing security controls.
- Create Awareness: Unfortunately, humans are considered to be the weakest links when it comes to information security. Conduct regular training and awareness sessions for employees. Highlight the importance of controls implemented and policies framed in the previous steps. Teach them about various cyber attacks such as phishing, spear phishing, social engineering etc.
Implementing information security controls is not a child’s play. It requires company-wide commitment with a strong support form the senior management. The above mentioned steps will certainly help SMEs in defending themselves but they are by no means the only steps. As threats continue to evolve, SMEs too will have to upgrade their armor.
Uday Mittal is a cybersecurity professional with rich working experience working with various industries including telecom, publishing, consulting and finance. He holds internationally recognized certifications such as CRTP, OSCE, OSCP, CISSP, CISA, CISM, CRISC among others. He speaks on cybersecurity awareness, offensive security research etc. and has authored various articles on topics related to cyber security and software development for a leading magazine on open source software.