Security Fundamentals for SMBs

by becki on September 19, 2009


All you have to do is look at the headlines of any tech magazine to see that large companies have trouble securing their networks, not to mention keeping them available. How much more difficult must it be for SMBs that have little to no IT staff, and whose staff is typically inexperienced, poorly trained, and lacking technical mentoring?

For once the government really is here to help. NIST has published a draft of a publication titled Small Business Information Security: The Fundamentals. The publication is short (20 pages) and includes 10 steps that are “absolutely necessary” to take, 10 steps that are “highly recommended,” and even a little bit about contingency and disaster recovery planning.

Here are some topics included in the publication:

  • Protect your systems / networks from damage by viruses
  • Secure your Internet connection
  • Patch your operating systems and applications
  • Secure your wireless access points
  • Hiring practices
  • How to dispose of old computers and media
  • Contingency and Disaster Recovery planning
  • Cost-Avoidance considerations in information security

The publication also includes 3 appendices that help the SMB get started:

  1. Identifying and prioritizing your organization’s information types
  2. Identifying the protection needed by your organization’s priority information types
  3. Estimated costs from bad things happening to your important business information

What Do You Think?

I know this is a topic near and dear to some of us in the industry including @jack_daniel. Have you read the draft? Do you think it will help SMBs? What more can we in the industry do to help SMBs?

If you are an SMB, do you think this publication helps? What do you think the security industry can do to help you?

Leave a comment and let me know what we can do to help.


Ramki B Ramakrishnan September 19, 2009 at 9:29 am

NIST’s effort is certainly a good step forward. I also think industry should take initiatives to educate SMB customers in things like: what it costs if they are compromised? What it takes to be secure? Most will be surprised to find it doesn’t cost much. For example, we can do things like webcasts, podcasts, provide assessment assistance, etc., focussed on answering these kinds of issues.

I personally have experiences dealing with small companies who have no idea what will happen if they don’t patch, run updated a/v, firewall their network, etc…and have offered free advice.

becki September 19, 2009 at 10:29 am

Thanks for sharing your ideas Ramki. I agree with you on all points, especially making the business case for security. Something like 80% of SMBs that experience a disaster go out of business. I don’t know what the statistics are for SMBs that suffer some sort of breach or data loss, but I’m sure it’s more risk than SMBs are willing to take on.

I want to spend more time and effort helping SMBs, and I hope we can work on it together.
