
What are the best ways to improve SMB security?

Despite popular belief, a small to medium-sized business can be a target of cybercriminals precisely because its security is limited. Expert Mike O. Villegas advises SMBs on security defenses.

Obviously big name companies like Target and Sony Pictures are likely to be targets of attacks. But for smaller, less well-known companies, how do we know whether or not we're a high value target for hackers? Is there a threshold or some type of risk assessment that can help determine this?

Small to medium-sized businesses are attacked primarily because they have limited resources, or because their owners don't believe an attack is plausible and so don't invest in the SMB security measures they really need. Here are a few control measures to improve SMB security:

  • For online banking, use account notifications, two-factor authentication, and segregation of duties within the organization.
  • Computer systems should use firewalls, antivirus software, secure wireless connections, up-to-date patches and should not allow unauthorized website downloads.
  • Logs for CCTV, firewall or network activity, and workstation event logs should be retained for at least 90 days online and up to one year offline.
  • Employee security awareness training should include privacy, physical security, customer interactions, vendor service verification, and inspection for possible POS or device tampering or substitution.
  • Passwords should be complex -- they should at least be alphanumeric, have a minimum of eight characters and have a 90-day change interval -- and be unique to each individual user.
  • Invest in an incident response plan in the event of a breach.
  • Define data breach notification requirements.
  • Have law enforcement group(s) to call in case of an emergency.
  • Know whether to turn off or leave the affected system(s) running.
  • Have cybersecurity insurance to cover the incident.
  • Data protection should include encryption, access based on need-to-know, backup of critical data, and secure destruction of data and retired devices that contain critical data.
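Two of the controls above, log retention tiers and the password rules, are concrete enough to turn into checks. The following script is an added example, not code from the article or its author; it assumes log records are described by their age in days and that a user-directory export carries, per account, a hex SHA-256 of the password and the days since it was last changed (both formats are assumptions), and all sample data in it is constructed.

```python
"""Checks for two of the SMB controls listed above (added example).

Assumed inputs, not from the article: log age in days; account records with
a hex SHA-256 password hash and the password's age in days. Sample data is
constructed for demonstration only.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass

ONLINE_DAYS = 90         # logs kept online for at least 90 days
OFFLINE_DAYS = 365       # then offline for up to one year
PASSWORD_MAX_AGE = 90    # 90-day change interval
PASSWORD_MIN_LEN = 8     # minimum of eight characters


def retention_action(age_days: int) -> str:
    """Tier a log record by age: "online", "offline" or "destroy".

    Boundaries are inclusive on the keep side: a 90-day-old record stays
    online, a 365-day-old record stays in the offline archive.
    """
    if age_days < 0:
        raise ValueError("age_days must not be negative")
    if age_days <= ONLINE_DAYS:
        return "online"
    if age_days <= OFFLINE_DAYS:
        return "offline"
    return "destroy"


def check_new_password(password: str) -> list[str]:
    """Complexity rules applied when a password is set (cleartext available)."""
    problems = []
    if len(password) < PASSWORD_MIN_LEN:
        problems.append("shorter than 8 characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("not alphanumeric (needs letters and digits)")
    return problems


@dataclass(frozen=True)
class Account:
    user: str
    password_hash: str   # hex SHA-256 (assumed export format, unsalted)
    age_days: int        # days since the password was last changed


def audit_accounts(accounts: list[Account]) -> dict[str, list[str]]:
    """Rules checkable from an export without cleartext: password age, and
    one hash used by several users (violates 'unique to each user').
    Shared-hash detection only works when the export is unsalted."""
    findings: dict[str, list[str]] = defaultdict(list)
    by_hash: dict[str, list[str]] = defaultdict(list)
    for acct in accounts:
        by_hash[acct.password_hash].append(acct.user)
        if acct.age_days > PASSWORD_MAX_AGE:
            findings[acct.user].append(
                f"password is {acct.age_days} days old (limit {PASSWORD_MAX_AGE})")
    for users in by_hash.values():
        if len(users) > 1:
            for u in users:
                others = sorted(set(users) - {u})
                findings[u].append(f"password shared with {', '.join(others)}")
    return dict(findings)


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample accounts: one shared password, one stale, one on the limit.
SAMPLE_ACCOUNTS = [
    Account("alice", _h("Spring2016x"), 30),
    Account("bob", _h("Spring2016x"), 120),     # shared with alice, and stale
    Account("carol", _h("c0rr3ctHorse"), 91),   # one day over the interval
    Account("dave", _h("unique-one1"), 90),     # exactly at the limit: compliant
]

if __name__ == "__main__":
    for age in (0, 90, 91, 365, 366):
        print(age, retention_action(age))
    print(check_new_password("letters"))
    for user, issues in sorted(audit_accounts(SAMPLE_ACCOUNTS).items()):
        print(user, issues)
```

The split between `check_new_password` and `audit_accounts` reflects what data is actually available: length and character-class rules can only be enforced at the moment a password is set, while an after-the-fact audit sees hashes and timestamps, so it checks age and cross-user reuse instead.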

Many small to medium-sized business sites are poorly protected and are subject to DDoS attacks. These attacks are particularly difficult to manage since it's hard to tell the difference between good traffic and bad traffic. There are laws, however, that require certain levels of protection for customer and personal information. Many of those laws are industry based, such as HIPAA, GLBA and PCI DSS. But if a small to medium-sized business depends on technology for its operations, it should have basic measures of protection in place regardless.

SMB cyberattacks are not as widely known as enterprise data breaches since they are not headline news like Target or Trump Hotels. The 2015 Symantec Internet Security Threat Report states that retailers are responsible for the largest number of identities exposed -- 60%. This percentage has risen 30% from 2013. The majority of those retailers are small and midsize businesses with fewer than 250 employees.

In California, for example, small businesses employ more than 8.7 million workers, and 90% of small businesses have fewer than 20 employees. In case of a breach that affects more than 500 people, the business is required to report it to the Attorney General.


This was last published in March 2016
