Getting Started with SOHO / SMB Computer Security

by becki on July 2, 2011

This is my first post dedicated to the SMB/SOHO owner and IT staff trying to understand, implement, and manage computer security. All related posts will be in the SMB/SOHO Computer Security category on this site. If you like it, subscribe to my blog and come back for future articles.

Computer security probably isn’t the most important thing on the mind of most small business owners, and I honestly can’t say that it should be. Most of you accept so much risk simply by being in business. You’ve leveraged many if not all of your financial assets, your cash flow may be erratic, and you’re operating in the worst economic environment in 70 years.

What’s computer security compared to that? It’s one more thing that can sink you and put you out of business. At least it’s something that you have some control over, unlike some other things in your business. So why not put a little effort into reducing your overall risk?

Computer Security Doesn’t Have to Be Complicated or Expensive

Block out 15 minutes, grab a beverage of your choice, sit down and think about the following:

  • What are the regulatory and compliance requirements with which you are required to comply? If you don’t know, then you’ll need some help to find out. UCF has a great tool to help, but if you’re not comfortable with that, consider talking to a computer security expert or managed service provider for help. I believe this is money well spent because this step helps determine what you must do to avoid fines, penalties, legal fees, jail time, or going out of business.
  • Where is your important business and financial data stored? Is it on your laptop? How about on Dropbox? Is it on USB thumb drives? Is it backed up onsite or with a vendor like IronMountain? Do you or your employees email it home or elsewhere? Do you know where your data is?
  • Is your data encrypted? Portable devices are easily misplaced, lost or stolen. If they are encrypted using a good password, then getting data from them is more difficult for the bad guys. You can encrypt these devices for little to no cost, so there is no reason to risk losing your data and suffering the consequences that come with that.
  • Who has access to your data? Did you change passwords when your employees or partners left? How about your IT staff – do they have administrative rights? That gives them rights to see all of your data. Managing this is free. It takes time, and means you need to have processes for on-boarding and exiting, but those save time anyway.
  • Do you allow remote access to your computer devices and data? How do you secure this access? Do you use a VPN connection or just (at least) a password? Who is allowed access? You should protect your remote access with a VPN and should limit who has access by managing user accounts. This is the minimum you should do, otherwise anyone in the world can attempt to access your devices and data. Again, I believe money spent here is worth every cent, and it doesn’t have to cost much. This SSL VPN from NETGEAR is less than $400.

What’s Next

This was an ice breaker to get you thinking about your required computer security steps, where your sensitive company data is stored, and who has access to it. You probably don’t know the answers to all of these questions, but that was the point of the exercise. You are not alone. Most businesses don’t know the answers to all of these questions, which is why, day after day, there are stories of companies being hacked and sensitive personal or financial data being stolen.

In future articles, we’ll talk more about specific steps you can take to improve your computer security. In the meantime, leave a comment, or chat with me on Twitter.

{ 2 comments… read them below or add one }

computer security July 10, 2011 at 4:10 am

By reading this post we think that some of the things which are described in this post are good and some of them are impossible. But I think as a view of his point it may be. According to me, if we have any problem regarding security or anything else, then there is a solution available in the market; we just have to find it and fix our issues.

becki July 10, 2011 at 4:29 pm

Thanks for your comment. I’m curious as to which things you think may be impossible?

In my opinion, security is too often thought of as a technical problem, when it is a people problem. There is no magic bullet.
