reviewing my short list of security steps for smbs

Recent news about law firm attacks/hacks has renewed interest in the surprising-yet-unsurprising plight of small business, especially law firms. For instance, should a law firm employing maybe a dozen people have tight security, “just enough” security, or barely any? I think that’s hard to say. Many of these firms are going to be lucky to have a single IT-minded staffer all to themselves, or to have software to do their main line of business (e.g. case management software/file storage), let alone to be secure.

So I thought it might be pertinent to revisit an old post of mine where I review “5 security steps for small businesses.” Hell, even my “10 security steps for home users” is getting old.

You know you’ve been blogging a while when you can’t remember your own posts, and when you do find them, they’re way older than you thought they were!

So, how do my steps hold up? I’m not even done with this post, and I really think I need to update my list.

1. Backups. Still has to be the first suggestion. Even if you get hacked, you can still keep going if your data is backed up.

2. Network firewall on the Internet link. Gunnar calls this outdated technology (I can’t resist!), but it’s still going to be a necessary line of defense. The “pain” of going without one is far more removed today than it used to be, back when households had one computer or businesses had just a few systems, and they had their balls hanging out on the Internet with public IP addresses passed right on through. In addition, so many attacks right now are coming in through the app layer (and straight on into your precious database) or through email-borne vectors. Old, but still necessary.

3. Desktop Antivirus. No one really puts much weight on this anymore, but you still don’t tell people it’s OK not to use it. If absolutely nothing else, you’re going to be considered negligent if you’re caught without it.

4. Patch Management. Yes, please. More, please.

Wow, I clearly cheated a bit on the next “one.”

5.1. Physical Security. This is usually easy for most people because it’s maybe the easiest to understand, and unless you get serious, is not really technical. If you go beyond a lock system, you won’t roll your own solution but instead talk to security professionals. Why not do the same with the systems? For a law firm, this should include secure waste disposal.

5.2. Inventory/Baselining. I’m not sure I’d keep this, but it does end up being a foundational task for any intermediate or advanced security projects.

5.3. Get Help. I think this should be a necessity on any list. It appears as the dramatic #10 on my list of suggestions for home users, and I think it should bookend every such list.

5.4. Wireless Security. This is still important, but not as gaudy and interesting as it was when retailers were being siphoned off from parking lots. Likewise, today’s “APT” and “organized” online hacktivists aren’t typically performing physical proximity attacks. Yet it’s hard to drop this down too far, lest an SMB leave their wireless pants around their ankles…
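To make the “foundational task” in 5.2 concrete, here is an added example (mine, not from the original post) of the simplest possible baselining exercise: a signed-off inventory of hosts, their OS and their listening services, diffed against a fresh snapshot so that new hosts, vanished hosts and changed services stand out. The host names and services are constructed sample data; in practice the snapshots would come from whatever scanner or agent the firm already has.

```python
"""
Inventory baseline diff (illustrative example, constructed data).

A baseline is the inventory you reviewed and accepted; a snapshot is what
a fresh scan or agent run reports. Anything that differs is "drift" and
deserves a look: an unexpected host, a service that should not be
listening, a missing machine, or an OS that changed underneath you.
"""
from dataclasses import dataclass, field

# Known-good inventory, signed off earlier (constructed sample data).
BASELINE = {
    "fileserver": {"os": "Windows Server 2019", "services": {"445/tcp", "3389/tcp"}},
    "casemgmt":   {"os": "Ubuntu 22.04",        "services": {"443/tcp", "22/tcp"}},
    "reception":  {"os": "Windows 11",          "services": set()},
}

# What today's scan reports (constructed sample data).
SNAPSHOT = {
    "fileserver":  {"os": "Windows Server 2019", "services": {"445/tcp", "3389/tcp", "8080/tcp"}},
    "casemgmt":    {"os": "Ubuntu 22.04",        "services": {"443/tcp"}},
    "printer-new": {"os": "unknown",             "services": {"9100/tcp", "80/tcp"}},
}


@dataclass
class Drift:
    """Everything that differs between baseline and snapshot."""
    new_hosts: list = field(default_factory=list)
    missing_hosts: list = field(default_factory=list)
    new_services: dict = field(default_factory=dict)      # host -> sorted list of ports
    removed_services: dict = field(default_factory=dict)  # host -> sorted list of ports
    os_changes: dict = field(default_factory=dict)        # host -> (baseline_os, snapshot_os)

    def is_clean(self) -> bool:
        return not (self.new_hosts or self.missing_hosts or self.new_services
                    or self.removed_services or self.os_changes)


def diff_inventory(baseline: dict, snapshot: dict) -> Drift:
    """Compare two inventories and return the drift between them."""
    d = Drift()
    d.new_hosts = sorted(set(snapshot) - set(baseline))
    d.missing_hosts = sorted(set(baseline) - set(snapshot))
    for host in sorted(set(baseline) & set(snapshot)):
        b, s = baseline[host], snapshot[host]
        added = s["services"] - b["services"]
        removed = b["services"] - s["services"]
        if added:
            d.new_services[host] = sorted(added)
        if removed:
            d.removed_services[host] = sorted(removed)
        if b["os"] != s["os"]:
            d.os_changes[host] = (b["os"], s["os"])
    return d


def format_report(d: Drift) -> str:
    """Human-readable summary suitable for the one IT-minded staffer's inbox."""
    if d.is_clean():
        return "No drift from baseline."
    lines = []
    for h in d.new_hosts:
        lines.append(f"NEW HOST       {h}")
    for h in d.missing_hosts:
        lines.append(f"MISSING HOST   {h}")
    for h, ports in d.new_services.items():
        lines.append(f"NEW SERVICE    {h}: {', '.join(ports)}")
    for h, ports in d.removed_services.items():
        lines.append(f"GONE SERVICE   {h}: {', '.join(ports)}")
    for h, (old, new) in d.os_changes.items():
        lines.append(f"OS CHANGED     {h}: {old} -> {new}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_inventory(BASELINE, SNAPSHOT)))
```

The value is less in the script than in the habit: once the accepted baseline exists, every later review is a short list of differences to explain, rather than a whole inventory to re-read. Drift that turns out to be legitimate gets folded into the next baseline; drift nobody can explain is where the intermediate and advanced projects (patching, hardening, monitoring) actually start.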

I think I will look into that revised list of steps for SMBs…this feels woefully inadequate today, which itself is strange, since things don’t seem to have changed *that* much, have they? I struck that last part, but wanted to preserve the thought. When you’re looking at security right in front of your nose, it’s hard to see that things really are changing. I like lists and exercises like this, because they allow one to step back and get a different perspective on things, in more than one way. Get back to the roots and fundamental problems/steps, but also empathize with the position of an SMB and their capabilities (or lack of), limitations, and pain points…