Research

We in the security industry tend to lump small and medium businesses together into “SMB”, but there are massive differences between a 20-person retail outlet and even a 100-person operation. These suggestions are specifically for small businesses with limited resources, based on everything we know about the latest threats and security defenses. The following advice is not conditional – there really isn’t any safe middle ground, and these recommendations aren’t very expensive. These are designed to limit the chance you will be hit with attacks that compromise your finances or ability to continue business operations, and we’re ignoring everything else: Update all your computers to the latest operating systems and web browsers – this is Windows 7 or Mac OS X 10.6 as of this writing. On Windows, use at least Internet Explorer 8 or Firefox 3.6 (Firefox isn’t necessarily any more secure than the latest versions of IE). On Macs, use Firefox 3.6. Most small business struggle with keeping malware off their computers, and the latest operating systems are far more secure than earlier versions. Windows XP is nearly 10 years old at this point – odds are most of your cars are newer than that. Turn on automatic updates (Windows Update, or Software Update on Mac) and set them to check and automatically install patches daily. If this breaks software you need, find an alternative program rather than turning off updates. Keeping your system patched is your best security defense, because most attacks exploit known vulnerabilities. But since those vulnerabilities are converted to attacks within hours of becoming public (when the patch is released, if not earlier), you need to patch as quickly as possible. Use a dedicated computer for your online banking and financial software. Never check email on this system. Never use it to browse any Web site except your bank. Never install any applications other than your financial application. You can do this by setting up a non-administrative user account and then setting parental controls to restrict what Web sites it can visit. Cheap computers are $200 (for a new PC) and $700 (for a new Mac mini) and this blocks the single most common method for bad guys to steal money from small businesses, which is compromising a machine and then stealing credentials via a software key logger. Currently, the biggest source of financial losses for small business is malicious software sniffing your online bank credentials, which are then used to transfer funds directly to money mules. This is a better investment than any antivirus program. Arrange with your bank to require in-person or phone confirmation for any transfers over a certain amount, and check your account daily. Yes, react faster is applicable here as well. The sooner you learn about an attempt to move money from your account, the more likely you’ll be able to stop it. Remember that business accounts do not have the same fraud protections as consumer accounts, and if someone transfers your money out because they broke into your online banking account, it is very unlikely you will ever recover the funds. Buy backup software that supports both local and remote backups, like CrashPlan. Backup locally to hard drives, and keep at least one backup for any major systems off-site but accessible. Then subscribe to the online backup service for any critical business files. Remember that online backups are slow and take a long time to restore, which is why you want something closer to home. Joe Kissell’s Take Control of Mac OS X Backups is a good resource for developing your backup strategy, even if you are on Windows 7 (which includes some built-in backup features). Hard drives aren’t designed to last more than a few years, and all sorts of mistakes can destroy your data. Those are my top 5, but here are a few more: Turn on the firewalls on all your computers. They can’t stop all attacks, but do reduce some risks, such as if another computer on the network (which might just mean in the same coffee shop) is compromised by bad guys, or someone connects an infected computer (like a personal laptop) to the network. Have employees use non-administrator accounts (standard users) if at all possible. This also helps limit the chances of those computers being exploited, and if they are, will limit the exploitation. If you have shared computers, use non-administrator accounts and turn on parental controls to restrict what can be installed on them. If possible, don’t even let them browse the web or check email (this really depends on the kind of business you have… if employees complain, buy an iPad or spare computer that isn’t needed for business, and isn’t tied to any other computer). Most exploits today are through email, web browsing, and infected USB devices – this helps with all three. Use an email service that filters spam and viruses before they actually reach your account. If you accept payments/credit cards, use a service and make sure they can document that their setup is PCI compliant, that card numbers are encrypted, and that any remote access they use for support has a unique username and password that is changed every 90 days. Put those requirements into the contract. Failing to take these precautions makes a breach much more likely. Install antivirus from a major vendor (if you are on Windows). There is a reason this is last on the list – you shouldn’t even think about this before doing everything else above. Share:

You all know the story. If you need to know the time, ask the consultant, who will then proceed to tell you the time from your own watch. We all laugh, but there is a lot of truth in this joke – as there usually is. Consultants are a necessary evil for many of us. We don’t have the leeway to hire full time employees (especially when Wall Street is still watching employee rolls like hawks), but we have too much work to do. So we bring in some temporary help to get stuff done. I’ve been a consultant, and the Securosis business still involves some project-oriented work. The problem is that most organizations don’t utilize their consultants properly. My thinking was triggered by a post on infoseccynic.com from 2009 (hat tip to infosecisland) that discusses the most annoying consultants. It’s easy to blame the consultant when things go wrong, and sometimes they are to blame. You tend to run into the dumb, lame, and lazy consultants; and sometimes it’s too late before you realize the consultant is taking you for a ride. Each of the profiles mentioned in the annoying consultant post is one of those. They waste time, they deliberate, and they ride the fence because it usually ends up resulting in more billable hours for them. Having been on both sides of the fence with consultants, here are a few tips to get the most out of temporary resources. Scope tightly – Like it or not, consultants need to be told what to do. Most project managers suck at that, but then get pissed when the consultant doesn’t read their minds. Going into any project: have a tight scoping document, and a process for changes. Fixed price – Contracting for a project at a fixed cost will save you a lot of heartburn. There is no incentive for the consultant to take more time if they are paid the same whether the project takes 5 hours or 10. And if you have specified a process for changes, then there are no surprises if/when the scope evolves. Demand accountability – This gets back to Management 101. Does the consultant do a weekly or daily status report (depending on the project)? Do you read them the riot act when they miss dates? Some consultants will take you for a ride, but only if you let them. Change the horse – Many project managers are scared to get rid of an underperforming consultant. One of the reasons you got temporary help in the first place is to avoid HR issues if it doesn’t work out. Make sure you have a clear ‘out’ clause in the contract, but if it isn’t working, don’t waste time deliberating – just move on. Pay for value – Some folks have very specialized skills and those skills are valuable. But the best folks in the world demand a premium because they’ll get the job done better and faster than someone else. Don’t be penny wise and pound foolish. Get the right person and let them do the work – you’ll save a lot in the long term. Be accountable – Ultimately the success (or failure) of any project lies at the feet of the project manager. It’s about proper scoping, lining up executive support, working the system, lining up the resources, and getting the most out of the project team. When things go wrong, ultimately it’s the project manager’s fault. Don’t point fingers – fix the problem. So go back and look at the annoying consultant profiles mentioned in the post above. If any of those folks are on your project teams, man (or woman) up and take care of business. As I’ve said a zillion times over the years, I’m not in the excuses business. Neither are you. Consultants are a necessary evil, but they can be a tremendous resource if utilized effectively. Share: