10 must-have steps for an effective SMB information security program

No information security program would be complete without these security tips from the NIST, which has compiled advice just as security threats to smaller businesses are on the rise.

The National Institute of Standards and Technology (NIST), a nonregulatory federal agency in the U.S. Department of Commerce, is putting the final touches on a guide designed to help small businesses and organizations implement the fundamentals of an effective information security program. The NIST standards should also prove useful for the remote offices of larger companies, where IT staffs are often small or nonexistent and it's important that employees bear more responsibility for information security.

Monday, the U.S. Secret Service underscored the cyber danger to small and medium-sized businesses (SMBs), testifying before the Senate Homeland Security and Government Affairs Committee that cybercriminals are increasingly targeting small and medium-sized businesses that do not update their computer security, according to a story by the Associated Press.

Most of the attacks are waged by overseas criminal groups looking to steal sensitive financial and personal information, said Michael Merritt, assistant director of the Secret Service's office of investigation.

Phil Reitinger, deputy undersecretary of the National Protection and Programs Directorate at the Department of Homeland Security, told the committee that 87% of the breaches could be thwarted by "simple to intermediate" preventative measures.

The NIST guide, "Small Business Information Security: The Fundamentals," is the work of Richard Kissel, a computer scientist at the NIST computer security division. The guide, in draft form but soon to be finalized, does not assume technical expertise -- a decision born of Kissel's years on the road teaching small business owners and executives how to protect their information, systems and networks.

"They had no idea what to do," Kissel said. Members of his audiences -- printers, mechanics, doctors, dentists -- were good at what they did, he said, "but what they did was not IT, and it wasn't information security." More alarming to him was that the NIST seminars, done in conjunction with the FBI and the Small Business Administration, reached an average of 1,000 businesses annually, a drop in the bucket compared with the 25 million SMBs in this country that account for 50% of all new jobs here.

"We thought if maybe we had a document -- just a small, simple, little easy read that tells people how to do this thing called 'protect your information and systems and networks' -- then we could reach more people," Kissel said.

Written in plain terms, the 20-page booklet lays out 10 "absolutely necessary" actions a small business should take to protect its information, systems and networks, and 10 "highly recommended" practices, both listed below. It also includes a short section on contingency and disaster recovery planning, as well as business policies for information security.

And in case someone needs to ask why any of this is important, he also explains that.

Worksheets for prioritizing and protecting an organization's information and for estimating the cost of security breaches and snafus are also included.

Kissel's 10 "absolutely necessary" steps to an effective information security program (consult the pamphlet for how-to's):

  1. Protect information, systems and networks from damage by viruses, spyware and other malicious code.
  2. Provide security for your Internet connection.
  3. Install and activate software firewalls on all your business systems.
  4. Patch your operating systems and applications.
  5. Make backup copies of important business data/information.
  6. Control physical access to your computers and network components.
  7. Secure your wireless access point and networks.
  8. Train your employees in basic security principles.
  9. Require an individual user account for each employee on business computers and business applications.
  10. Limit employee access to data and information, and limit authority to install software.

And here are the 10 security trouble spots where computer users are highly recommended to use caution:

  1. Opening email attachments from unknown senders and responding to emails asking for sensitive information.
  2. Clicking on Web links in emails and instant messages.
  3. Clicking OK on pop-up windows and other hacker tricks.
  4. Doing online business and banking.
  5. Skipping criminal background checks on prospective employees.
  6. Web surfing.
  7. Downloading software.
  8. Not getting expert help when you need it. The Better Business Bureau, Chamber of Commerce, and Small Business Development Centers can point you to service providers.
  9. Disposing of old computers and media.
  10. Protecting against social engineering.

Source: "Small Business Information Security: The Fundamentals." More information can be found at the NIST Computer Security Division homepage.


Let us know what you think about the story; email: Linda Tucci, Senior News Writer
