Save content
Have you found this content useful? Use the button above to save it to your profile.
AIA

MessageLabs security guidance for small firms

by
20th May 2010
Save content
Have you found this content useful? Use the button above to save it to your profile.

MessageLabs, part of the Symantec information security organisation, has launched a whitepaper series to set out the priorities for smaller businesses.

Smaller organisations don’t have the resources to implement the full pantheon of security measures and often find it hard to know where to draw the line. Part 1 of MessageLabs Security Essentials suggests a minimum baseline for security controls that all organisations should apply offers advice on how to build from there to match IT security to the business’s needs.

“Managing security risk is about drawing the line in a sensible place,” writes security risk consultant John Leach. “It is about doing enough not to leave the organisation wide open, but not so much that money and effort is being spent on things that give only a small return.”

Industry research has identified six dangers that SMBs most need to guard against:

  • Accidental systems failure
  • Malware
  • Malicious web sites
  • Untargeted attacks by outsiders
  • Rogue employees (including those just about to leave the organisation who want to take some
  • useful data with them)
  • Careless or inattentive employees

To counteract these threads, Leach sets out the following checklist of essential security controls that every organisation should use:

Back-ups
As well as keeping a spare or two of any equipment that is truly essential, back-up your essential systems and data. Keep a spare, ready configured computer offsite and regularly test that you can restore data. See also: Focus on disaster recovery and business continuity planning

Anti-spam
Spam is a primary carrier of malware, so filtering is essential to prevent obvious malware reaching in-trays.Also see: 10 tips to avoid spam

Anti-virus
Anti-virus software should run in tandem anti-spam to pick up and deal with malware that slips through the net. Take AV protection seriously buy using either a hosted service or a well known commercial product. “Do not settle for some freebie product off the back of a cereal packet,” says MessageLabs. Also see: Tackling viruses and spam

Firewalls
Use a commercial-grade firewall at the perimeter of your office network along with the firewall within your software operating system. For more details, see The firewall

User authentication and access controls
Sensible passwords will stop most unauthorised use of machines or accounts. MessageLabs also advises logging access to shared systems in case you need to investigate a proble. See also: Training, Acceptable Use Policies and Legislation

Logging outbound data flows
Look through the outbound data logs periodically just in case they are recording something amiss. “Without making a big deal of it, make sure staff know accesses [and data flows] are being logged.” Small business computers are being co-opted through malware into spam “botnets”. Larger than normal outbound data volumes can give you an indication, but also ask your ISP to you if any spam is detected coming from your IP addresses.

Patching
Apply all patches on a regular monthly cycle. Ensure that applications (office and business systems), not just operating systems, get patched. SMBs, just as much as large organisations, need to keep track of vulnerabilities as they get discovered and of patches as they are released.

Scans
Scan your systems periodically (say, every three months) for vulnerabilities and unauthorised software. Fix the vulnerabilities you find. Find out how and why any unexpected software got there, or better still, block employees installing it.

Build a security culture
Try to get staff to think of security much as they do Health and Safety. They need to apply common  sense in all the day-to-day situations that arise just as the organisation needs to develop the right policies and solutions. Make security a team thing, something everybody does to help and protect everybody else who works there. Make security a routine topic of interest rather than something that is never mentioned.

Acceptable Use Policy
An AUP (Acceptable Use Policy) is as important for managing the organisation’s liability as it is for security. Point out to staff that when they are using the organisation’s computers, they really do need to stay alert and be careful – for example by not following suspect links or opening attachments on emails. Those with access to the organisation’s financial account information need to be especially careful.

MessageLabs suggests putting all of these basic security measures in place and once they’ve been running for a while, working through the list again to check everything is being done the way it should be. Subsequent parts of the Security Essentials series explain how to devise a security profile to help the organisation strengthen its controls appropriately.

Also see:
AccountingWEB IT security page
Information security expert guides

Tags:

Replies (0)

Please login or register to join the discussion.

There are currently no replies, be the first to post a reply.