“We’re only a small business, we don’t need a formal IT security policy”
AVG (AU/NZ) explores another great security myth of our time
Melbourne, 30 June 2010. AVG (AU/NZ) Pty Ltd suggests some essential steps to protecting small and medium sized businesses (SMBs) from online threats and provides simple guidelines on developing an IT security policy.
Big corporations have large-scale IT deployments that generally encompass desktop and mobile devices. They are more than likely to have a formal IT security policy in place, which has been approved and ratified by their board. Small and medium sized businesses (200 employees and less) on the other hand will very often have no such IT security policy in existence.
Lloyd Borrett, Security Evangelist for AVG (AU/NZ), says: “Now this should be a big surprise to us all, but I’m afraid it’s probably not. What kind of IT security policy are we talking about then?
“Well, it’s really pretty ground level stuff, to be honest. Do all users have guidelines for distribution of inappropriate content? Do all users know when their Anti-Virus, Anti-Spyware and Firewall settings need to be updated? Do all users know what the company policy is regarding the use of personal devices from PDAs and smartphones to USB sticks and media players on company premises with company equipment? Do you have a business-grade security package such as AVG Internet Security Business Edition 9.0 underpinning your commercial interests in the first place?”
In a SMB these fundamentally important security and privacy-related considerations have, more often than not, simply not been fully addressed.
While the previously mentioned aspects of IT are mainly user-focused, the problem is higher level than that. The IT manager (if there even is one!) may be overly reliant on ‘patch’ releases and other updates to cover vulnerabilities before they are exploited. Now even if the company does have some level of web application firewall in place, this on its own is inadequate protection to mitigate the vulnerabilities that exist. So what do these SMBs need to do?
Every company – from a sole trader or a two-person partnership upwards – should lay down an IT security policy. There are many ways in which malware can sneak into your company networks and AVG is here with both the tools and the advice to help you deal with this reality.
Simple staff guidelines for IT security can be found on web pages like AVG’s Seven Pillars of Online Security Wisdom and you can keep your ideas up to date via social media channels. Let’s just add one extra point. If you happen to work from home, you need to secure your home WiFi network too!
A 2008 survey carried out for TechRepublic found that 39 percent of employees purchase their own laptop for work. As the site’s editor in chief Jason Hiner pointed out, this represents a huge problem for IT in terms of security, compliance and customer privacy. “That’s why there’s a push for IT to officially support more of these user-owned devices so that it can verify or set up enterprise-approved security and privacy settings,” wrote Hiner.
Carry these findings back to our SMBs and you’ll most likely see that 39 percent rises to significantly over the 50-percentile mark if not higher. Suddenly the old, “Oh we don’t need anything formal for our IT set up as there’s only fifteen of us,” starts to sound REALLY dangerous doesn’t it?
With any IT security policy, whether it is intended to cover 1000 employees or two, a healthy degree of common sense is also needed – and this is true however formal or relaxed the directives it aims to stipulate are. What this mean is, if some staff are tasked with using Twitter, Facebook or even Second Life as social networking tools for business, then set policies and instructions in place to manage this, but accept that the medium itself is extremely dynamic and somewhat harder to quantify. The social network is here to stay, so it is better to embrace it and put an IT security layer in between it and your company data, than to pretend it’s not there in the first place!
The essential steps to protecting SMBs for online threats can be broken down into three categories:
Security Policy
1. Decide whether computers, laptops and software are to be supplied by your company, or by your staff – and reflect these decisions in your policies, purchasing and processes.
2. Document a simple acceptable-use policy for any computer that is used for company business or media that is used to store or transport company data.
3. Create an acceptable password-strength policy and ensure that all computers and other IT equipment are password protected.
4. Require that all security incidents are promptly reported and managed to a business stakeholder.
Technology
1. Ensure all operating systems (Windows, Mac OS, Linuk etc.), software utilities (Adobe Flash, Adobe Reader/Acrobat, iTunes, QuickTime etc.) and application software are updated with the latest security patches as they are developed – preferably using automatic update technology.
2. Ensure all computers have an up-to-date, business quality security software suite on them.
3. Every computer should have its own firewall software, in addition to any premises-based network firewall you may be running.
4. If managing your own file storage and email servers, ensure these are also running up-to-date, business quality security software.
Process
1. Ensure all staff receive basic online security training and instruction in your policies.
2. Ensure regular backups are taken of all company files, data, email and other systems.
3. Change all passwords regularly, especially when an employee or contractor leaves the company, and in particular change administrator passwords or shared passwords to centralised networks or systems.
4. Take security breaches
seriously – isolate any compromised systems from the network and involve an IT security professional if necessary to ensure the malware is fully removed.
Borrett says, “I want to make one final point to really try and clarify just how passionately we feel about the need for SMBs to adopt an IT security policy and bring in an Anti-Malware protection layer.
“For a small company, the intellectual property assets of the business are arguably even more valuable than those of a large corporation with a large staff skills base and manufacturing plant. With much of that intellectual property held in electronic form, the prospect of data loss or corruption is catastrophic.
“You can leave yourself out in the cold and at risk, or you can opt to properly protect your business.”
It’s a simple choice, so which way are you going to take your business?
About AVG (AU/NZ) Pty Ltd — www.avg.com.au
Based in Melbourne, AVG (AU/NZ) Pty Ltd distributes the AVG range of Anti-Virus and Internet Security products in Australia, New Zealand and the South Pacific. AVG software solutions provide complete real-time protection against the malware, viruses, spam, spyware, adware, worms, Trojans, phishing and exploits used by cyber-criminals, hackers, scammers and identity thieves. AVG protects everything important and personal inside computers — documents, account details and passwords, music, photos and more — all while allowing users to work, bank, shop and play games online in safety.
AVG provides outstanding technical solutions and exceptional value for consumers, small to medium business and enterprise clients. AVG delivers always-on, always up-to-date protection across desktop, and notebook PCs, plus file and e-mail servers in the home and at work in SMBs, corporations, government agencies and educational institutions.