U.S. Gov Small Business Guide to Security
The US government publishes a Small Business Guide to Security. You can download it at http://www.us-cert.gov/reading_room/CSG-small-business.pdf. What struck me about the guide was the wealth of information contained within. It does a great job of dispelling the "We are small and no one would want to attack us" syndrome that many small companies have. In fact, the first section of the first chapter is entitled "I am very busy; do I really have to do this?" It then lists a couple of very poignant reasons why you should. The most effective was a quote from an ex-business owner who sold off his company for peanuts because he did not take security seriously.

But Security is Not My Business
The bane of many small business owners is that they have no idea where to turn. If you manufacture widgets, you know widgets very well. You know how much you can sell them for; you understand the market for widgets. You are very adept at managing people to make widgets. What may have slipped through the cracks was the security of your infrastructure. Widgets require online selling; your customers require email confirmations of sales, and suddenly it's not only about making widgets anymore. This is where the guide can help you.

Guide Written for Non-Technical Managers
The guide is written for non-technical managers and comes across as very friendly, while still getting the message across. The first steps talk about password complexity and what you can do to enforce it. You would be amazed at the number of passwords I find in security audits that are people's names, birthdays, or kids' names. Take time to look at your passwords. Type one out sometime to see what it looks like (make sure you delete it when you are done, though). You may be amazed at how easy your "strong" password actually is to guess.

From there you get into email security and firewalls. Again, with the ease of setting up desktop firewalls, all machines should have one, configured so that it can't be altered without administrative permission (that is the case, by the way, with our errant developer mentioned earlier). It also lists what can happen without a firewall, which I found a nice touch.
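To make the password point concrete, here is an added example (my own illustration, not code from the US-CERT guide) of the kind of check a small business could run on the passwords it chooses: it flags the exact weaknesses mentioned above, names and dates, plus short length and low character variety. The word list and the 12-character minimum are assumptions chosen for the demonstration; a real deployment would load a much larger list of names and common words.

```python
import re
from datetime import datetime

# Constructed sample of words that turn up as passwords in audits (first names,
# pet names, seasons). This is an assumption for the demo, not a published list;
# a real check would load thousands of entries.
COMMON_WORDS = {"john", "mary", "emma", "liam", "fluffy", "rex",
                "summer", "password", "welcome"}

MIN_LENGTH = 12  # policy threshold assumed for this example


def looks_like_date(s):
    """True if s is an all-digit string of date-like length that parses as a
    plausible calendar date (birthdays in MMDDYYYY, DDMMYYYY, YYYYMMDD,
    MMDDYY or a bare year)."""
    if not s.isdigit() or len(s) not in (4, 6, 8):
        return False
    for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%Y"):
        try:
            datetime.strptime(s, fmt)
            return True
        except ValueError:
            continue
    return False


def password_weaknesses(pw):
    """Return a list of human-readable reasons the password is weak.
    An empty list means it passed every check in this example policy."""
    reasons = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Count how many of the four character classes appear.
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than three character classes")

    if looks_like_date(pw):
        reasons.append("is a date (birthdays are commonly guessed)")

    # Strip digits appended to a word ("emma2015", "fluffy99") and compare
    # case-insensitively against the word list.
    base = re.sub(r"\d+$", "", pw).lower()
    if base in COMMON_WORDS:
        reasons.append("is a common name or word, possibly with digits appended")

    return reasons


if __name__ == "__main__":
    for candidate in ("Emma2015", "06151985", "correct-Horse-battery-7!"):
        problems = password_weaknesses(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

The check deliberately treats a name with a year tacked on as no better than the bare name, since that is the first thing anyone guessing passwords tries; the same idea extends to any word list the business cares about (product names, the company name, street addresses).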
From there it goes into the theory of least privilege and uninstalling any unused software. If you have ever ordered a laptop from a major vendor, you know what we mean when we say unwanted software. There are some great ideas concerning physical access controls that every owner of a laptop should read. The patching guide included also gives a no-nonsense approach to one of the most tedious jobs ever. The ramifications of not patching are far reaching, though. Every year contests are held to see how fast someone can break into an unpatched computer running various operating systems; see http://www.macobserver.com/article/2007/11/13.8.shtml. The last two points of the guide outline getting yourself a security plan and how to get technical expertise when you need it (things that many managers worry about).

