10 must-have steps for an effective SMB information security program


Linda Tucci, Senior News Writer
09.15.2009


The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting the final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST guidance should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it is important that employees bear more responsibility for information security.

Monday, the U.S. Secret Service underscored the cyber danger to small and medium-sized businesses (SMBs), testifying before the Senate Homeland Security and Government Affairs Committee that cybercriminals are increasingly targeting small and medium-sized businesses that do not update their computer security, according to a story by the Associated Press.

Most of the attacks are waged by overseas criminal groups looking to steal sensitive financial and personal information, said Michael Merritt, assistant director of the Secret Service's office of investigation.

Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, told the committee that 87% of the breaches could be thwarted by "simple to intermediate" preventative measures.

The NIST guide, "Small Business Information Security: The Fundamentals," is the work of Richard Kissel, a computer scientist at the NIST computer security division. The guide, in draft form but soon to be finalized, does not assume technical expertise -- a decision born of Kissel's years on the road teaching small business owners and executives how to protect their information, systems and networks.

"They had no idea what to do," Kissel said. Members of his audiences -- printers, mechanics, doctors, dentists -- were good at what they did, he said, "but what they did was not IT, and it wasn't information security." More alarming to him was that the NIST seminars, done in conjunction with the FBI and the Small Business Administration, reached an average of 1,000 businesses annually, a drop in the bucket of the 25 million SMBs in this country that account for 50% of all new jobs here.

"We thought if maybe we had a document -- just a small, simple, little easy read that tells people how to do this thing called 'protect your information and systems and networks' -- then we could reach more people," Kissel said.

Written in plain terms, the 20-page booklet lays out 10 "absolutely necessary" actions a small business should take to protect its information, systems and networks, and 10 "highly recommended" practices, both listed below. It also includes a short section on contingency and disaster recovery planning, as well as business policies for information security.

And in case someone needs to ask why any of this is important, he also explains that.

Worksheets for prioritizing and protecting an organization's information and for estimating the cost of security breaches and snafus are also included.

Kissel's 10 "absolutely necessary" steps to an effective information security program (consult the pamphlet for how-to's):

  1. Protect information, systems and networks from damage by viruses, spyware and other malicious code.
  2. Provide security for your Internet connection.
  3. Install and activate software firewalls on all your business systems.
  4. Patch your operating systems and applications.
  5. Make backup copies of important business data/information.
  6. Control physical access to your computers and network components.
  7. Secure your wireless access point and networks.
  8. Train your employees in basic security principles.
  9. Require an individual user account for each employee on business computers and business applications.
  10. Limit employee access to data and information, and limit authority to install software.

And here are the 10 security trouble spots where computer users are highly recommended to use caution:

  1. Opening email attachments from unknown senders and responding to emails asking for sensitive information.
  2. Clicking on Web links in emails and instant messages.
  3. Clicking OK on pop-up windows and other hacker tricks.
  4. Doing online business and banking.
  5. Skipping criminal background checks on prospective employees.
  6. Web surfing.
  7. Downloading software.
  8. Not getting expert help when you need it. The Better Business Bureau, Chamber of Commerce, Small Business Development Centers can point you to service providers.
  9. Disposing of old computers and media.
  10. Protecting against social engineering.

Source: "Small Business Information Security: The Fundamentals." More information can be found at the NIST Computer Security Division homepage.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer
