Most small businesses disregard security as a critical IT factor until they get hacked or suffer a major breach. It’s understandable: security is expensive, and SMBs don’t have the large budgets of bigger corporations. That doesn’t mean you should skimp on data protection during your business’ infancy. The alternative is lost data, bad PR, and a reduction in customer trust. If your company doesn’t already have one, a security policy improves customer privacy and protects against cyber threats.
Audit Your Network
Before you can assess risk, you need to audit your network. You need to account for every machine, user account, mobile device, router, and server. Every IT-associated asset should be accounted for. Don’t assume that any standalone device is “hacker proof.” If it connects to the network, either through wireless or wired connections, it should be a part of your audit.
Your audit should also identify the software running on each device, including the operating system, third-party applications, and any tools that run in the background. For routers and switches, take note of the device’s firmware version. Outdated firmware often carries known, unpatched vulnerabilities. This is especially important for routers that act as the firewall between the Internet and the local network.
Perform Risk Assessment
Risk assessment is a long, time-consuming process that takes an expert. If you aren’t an expert in security, you should hire someone. This doesn’t mean that you can’t perform an initial risk assessment as a non-technical person, but you must understand networking basics. You should understand where the network is vulnerable and which systems could possibly be used as malware vectors.
Each device that connects to the network is a risk. Mobile devices are even more of a risk, because they are typically personal devices and don’t have any malware monitors running in the background. Hackers actually target mobile devices more than local desktops, because desktops have corporate antivirus software that blocks most attacks.
Your risk assessment should cover several items on the network. First, include a list of the operating system on each machine and the latest patches applied to it. Identify any machines that don’t have antivirus installed. Also include points of risk such as publicly accessible wireless routers, third-party cloud applications, and any unapplied updates to these systems. For your network hardware, make a list of routers and switches running old firmware. If you have remote employees who work from home, take note of shared network drives where users store files, VPN access points, personal laptops brought into the office, and any other routes that lead to critical areas of the network.
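The audit and risk-assessment checklists above can be turned into a repeatable check. The following is an added example, not code from the original article: it runs the listed rules (missing antivirus, stale patches, outdated firmware, Internet-exposed network gear, personal devices) over a constructed inventory of hypothetical assets and returns the findings.

```python
"""Constructed example: flag the risk items the audit checklist asks for.

The inventory below is made-up sample data (hypothetical hosts), not a real
network. Each record carries what the audit collects: OS, patch date,
antivirus status, firmware version, and whether the device is publicly reachable.
"""
from datetime import date

# Constructed inventory: one dict per asset, as an audit spreadsheet might hold.
INVENTORY = [
    {"name": "fw-edge", "type": "router", "firmware": "1.2.0",
     "latest_firmware": "1.4.1", "public": True},
    {"name": "ws-exec-01", "type": "desktop", "os": "Windows 11",
     "last_patch": date(2024, 1, 10), "antivirus": True, "public": False},
    {"name": "byod-phone-07", "type": "mobile", "os": "Android 13",
     "last_patch": date(2023, 6, 1), "antivirus": False, "personal": True},
    {"name": "sw-core", "type": "switch", "firmware": "3.0.0",
     "latest_firmware": "3.0.0", "public": False},
]


def assess(inventory, today, max_patch_age_days=90):
    """Return (asset name, finding) pairs for every checklist rule that fires."""
    findings = []
    for asset in inventory:
        name = asset["name"]
        # Endpoints (desktop, laptop, mobile) are expected to run antivirus.
        if asset["type"] in ("desktop", "laptop", "mobile") and not asset.get("antivirus"):
            findings.append((name, "no antivirus installed"))
        # Anything with an OS record must have been patched recently.
        last = asset.get("last_patch")
        if asset.get("os") and (last is None or (today - last).days > max_patch_age_days):
            findings.append((name, f"patches older than {max_patch_age_days} days"))
        # Network gear: firmware behind the vendor's latest release.
        fw, latest = asset.get("firmware"), asset.get("latest_firmware")
        if fw and latest and fw != latest:
            findings.append((name, f"firmware {fw} behind latest {latest}"))
        # Routers and switches reachable from the Internet are a point of risk.
        if asset.get("public") and asset["type"] in ("router", "switch", "wireless"):
            findings.append((name, "network device exposed to the Internet"))
        # Personal (BYOD) devices on the network get their own line item.
        if asset.get("personal"):
            findings.append((name, "personal device on the network"))
    return findings


def sample_assessment():
    """Run the checklist over the constructed inventory at a fixed date."""
    return assess(INVENTORY, date(2024, 3, 1))
```

The output is a plain list of findings that can be pasted into the risk register; the patch-age threshold is a parameter so the policy's own number can be used.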
Authentication and Authorization
Your policy should start by identifying roles for each of your users, grouping them into authorization roles. For instance, executives have one role and customer service reps have another, and each role needs a different level of access to specific files and folders. You group users into these roles and grant each role specific access to areas of the network.
Authentication requires users to log in before they can access any area of the network. Authentication credentials include a username and password, and your security policy should include a standard for logins, as well as a password complexity and length policy.
Add a BYOD Policy
Bring-your-own-device (BYOD) is a new standard that gives flexibility to employees. Employees can use personal devices including desktops, tablets and smartphones on your network. They can connect through VPN or using a wireless hotspot onsite. Whatever type of access you give employees should be monitored.
If you provide the devices, you have more control over the applications on them. However, most corporations allow personal devices to connect remotely. Carefully segment wireless access from critical applications, especially if you offer public Wi-Fi for guests. Put passwords on your wireless connections and run intrusion detection software to monitor connections. Mobile device management (MDM) software scans the network for mobile devices and identifies them; use it to spot any malicious or unauthorized device connections.
Disaster Recovery Plans
While disaster recovery plans are usually separate documents, they are still part of the overall security policy. Disaster recovery goes into effect when a hacker penetrates the system. Disaster recovery plans cover backups, the security of those backups, and the physical location of the backup files. For instance, what if a tornado or flood damages the physical property? Your disaster recovery plan should include backups stored off-site.
Your disaster recovery plan should cover your database and its files, the software used for production, and critical user and system files. Some security experts go so far as to take complete images of servers and workstations. An image is a snapshot of the hard drive: after a hardware crash, install the image on a new machine and the user or server is back up within minutes. Hard drive images save hours for system administrators who would otherwise need to reinstall software after a crash.
Security is a group effort. All employees, managers, executives and owners should abide by the security policy. Many people don’t realize that installing random software on a system creates a security risk for the business. For this reason, staff must be trained. Train your staff on best practices, educate them on the way hackers work, and help them understand why mobile devices can pose a threat to the system.
Security policies take weeks to complete, and the risk assessment and audits alone take up most of that time. Once you’ve assessed the risks, you’ll be surprised at the number of vulnerabilities that exist on the network. A security policy created early in the business life cycle reduces the chance of a major, avoidable cyber threat in the future.
Photo courtesy of Steve Wilson on Flickr