Eight Risk Management Techniques for SMBs

Security complacency is easy when you’re a small or medium-sized business. There’s never enough time, staff often wear many hats, and IT budgets are tiny. Besides, nobody is targeting your business; you’re too small.

If only that were true. As business is increasingly involving cloud services and information technology, cyber criminals are waking up to the opportunity that SMBs represent. Unlike large enterprises, SMBs typically have weaker security and less awareness of threat potential. This makes smaller firms prime targets for cyber crime like ransomware. While SMBs might have less resources, they no longer can take cyber security lightly.

The best defense against security threats is prevention. Here are eight risk management techniques that will help keep your business safe.

1. Know What to Protect:

The first step is understanding what resources need protection.
“Identify the information assets that are critical to your organization,” says Tim McCreight, director of advisory services for Above Security and formerly the head of information security for Alberta, Canada. “These assets may range from human resources data, to payroll and invoicing, to an organization’s intellectual property like patents, trade secrets or proprietary formulas.”

Once you’ve identified what’s important, map out where it resides and how this data could come under attack.

“You should conduct a threat and risk assessment against these critical assets to determine what risks you’re facing today and how you can develop an ongoing program to assess the risks you’ll face in the future,” says McCreight.


2. Avoid Small Vendors:

While smaller firms are important, they also represent a significant security threat for your business because they might not have mature security models and the ability to handle threats in a timely manner.

As bad as it sounds, stay with larger vendors for your IT needs, companies such as Microsoft, Apple, Symantec, Amazon and others that can guarantee adequate security protection.


3. But Don’t Trust Any Vendor:

Even with larger vendors, always perform security due diligence and investigate how the vendor keeps your business protected. Third-parties represent a major security vulnerability because your business doesn’t control how they operate.

“Question everything,” stresses Maxim Weinstein, security advisor for IT security firm, Sophos. “If your photocopier vendor can remotely monitor and configure the copier, how do they ensure that no one else can? Are there any hard-coded or default passwords being used? How many security incidents has the vendor had in the past 12 months? Does their contract indemnify you if they’re at fault for a security breach of your business?”

Ensure that your vendors can demonstrate a control framework to protect your data, adds McCreight. “This is good evidence that your service provider has controls that are operational and in place to help protect your information.”


4. Train Your Staff Because They’re the Problem:

The human component is one of the weakest security links for an SMB. Almost all modern attacks stem from human error, and basic security education can drastically cut down on potential security breaches. So don’t skimp on employee security training.

“Make all employees aware of security threats, especially things like spear phishing and cash transfer scams,” advises Weinstein. “Make sure they know exactly who to report suspicious activity to, and that your business has a clear plan in place for how to respond to any suspected or actual incident.”


5. Get Smart About Passwords:

We all know that our passwords shouldn’t be on sticky notes or reused across various web services. Unfortunately, most of us ignore this obvious way to mitigate security risk.

Implement a password-safe technology for ensuring that your business avoids easily deciphered passwords. You also might want to consider rotating access passwords every couple months and implementing a system where employees need to make a call or email to get the current password. Never include password and login info in the same message, either.


6. Resist Root Access:

Let’s be clear: Most of the time there is no need for root or “admin” level access to a system. Granting yourself or others root access can speed up computing tasks because there are less security hoops to jump through, but this is invariably a bad idea that widens the opportunity for malicious activity. Those security hoops are there for a reason.

Never give employees root or domain access unless absolutely necessary, and request a list of changes that the employee plans to make so you can verify that this person has not deviated from plan. This helps reduce the risk of insider threat and careless error.


7. Patch Thyself and Keep Updated:

Security holes are discovered all the time, and software updates fix these vulnerabilities. Your business might not need the latest features or the new user interface, but it definitely benefits from patches and software updates that plug security holes. That’s why firms like Microsoft and Apple now try to muscle users into updating their systems regularly, and why SMBs should stay on top of software upgrades.

“Use current-generation technology whenever possible, and keep it updated,” says Weinstein at Sophos. “This is true for everything from operating systems to applications.”


8. Seek Professional Help:

Finally, don’t go the amateur route. If you don’t have the expertise in-house—and most SMBs don’t—then find a good managed services provider or IT services firm that can assist.

“Most companies wouldn’t hesitate to hire a licensed electrician, but [many] balk at spending money on security and proper backups,” says Weinstein. “Neglecting security can have an effect that’s the virtual equivalent of poorly-maintained electrical wiring: it can burn your business to the ground.”

Leave a Reply

Your email address will not be published. Required fields are marked *