No organisation likes to spend money on infrastructure, especially when the topic is security. An increase in headcount is unacceptable under any circumstances, so where should a small or medium-sized enterprise spend its limited budget?
Let us look at where things really go wrong. What has had the biggest impact on businesses over the past couple of years? The answer has to be viruses and worms. And these succeed for two reasons: users who open what they should not, and systems that are missing patches for vulnerabilities the worm exploits.
So here are the first two areas for spend: effectively educating users about malware, and keeping servers, desktops and anti-virus signatures patched and up-to-date.
Effective user education really means selling ideas to staff and ensuring that everyone is educated to the risks. In smaller organisations team meetings or one-to-one sessions work well. In larger firms, a co-ordinated programme using ideas such as log-on screens, mouse mats, posters and competitions can be successful yet inexpensive. It just requires some brainstorming and co-operation.
Patching systems is a nightmare for everyone. Smaller organisations do not usually have software distribution or network management tools. However, Microsoft's Windows Update service is an excellent way to ensure that every Windows system is kept patched and up-to-date. A weekly regime of visiting the update site, or turning on Automatic Updates, and then checking that every device has actually applied the patches can provide appropriate levels of protection; the check matters, because the machine that was switched off or out of the office on patch day is the one the next worm finds. For larger businesses there are many tools emerging to provide patch distribution across the internal network.
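The weekly check described above can be automated on each Windows host. The following script is an added example written for this page, not code from the article or from First Base Technologies; it assumes a Windows machine with the Windows Update Agent COM API available, run in an elevated PowerShell session (for example from a weekly scheduled task). It lists what was installed in the last 30 days, asks the update agent what is still outstanding, and returns a non-zero exit code if anything rated Critical or Important is pending, so the person responsible for security gets a clear signal rather than a log to read.

```powershell
# Added example (not from the original article): weekly patch-status audit for one Windows host.
# Assumptions: Windows with the Windows Update Agent (Microsoft.Update.Session COM object),
# PowerShell 3 or later, elevated session.

$hostName = $env:COMPUTERNAME

# 1. What was applied recently? Get-HotFix reads the installed hotfix list from the OS.
$recent = @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
    Sort-Object InstalledOn -Descending)

# 2. What is still outstanding? Ask the Windows Update Agent directly instead of
#    trusting the "last checked" date shown in the control panel.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Search criteria: not yet installed, and not deliberately hidden by an administrator.
$search   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$pending = @(foreach ($u in $search.Updates) {
    [pscustomobject]@{
        KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
        # MsrcSeverity is empty for non-security updates (drivers, definition updates).
        Severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
        Title    = $u.Title
    }
})

"== $hostName : $($recent.Count) hotfixes installed in the last 30 days =="
$recent | Format-Table HotFixID, InstalledOn, Description -AutoSize

"== $hostName : $($pending.Count) updates pending =="
$pending | Sort-Object Severity | Format-Table Severity, KB, Title -AutoSize

# 3. Fail loudly on Critical/Important so a scheduled task (or a person) can flag the host.
$urgent = @($pending | Where-Object { $_.Severity -in 'Critical', 'Important' })
if ($urgent.Count -gt 0) {
    Write-Warning "$hostName has $($urgent.Count) Critical/Important update(s) outstanding"
    exit 1
}
exit 0
```

Run it from Task Scheduler once a week and collect the exit codes (or the printed report) from every machine; a host that keeps returning 1 is exactly the one the weekly regime exists to catch. Note that the search only reports what Microsoft's update catalogue knows about; third-party software and anti-virus signature updates need their own check.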
It is essential that the drive to "just get things done" in a smaller business does not cause security to take a back seat. Management must take an active role in promoting security awareness and must set a good example by being seen to obey their own rules for managing laptops, PDAs and other risky devices.
Personal firewalls are an inexpensive control that SMEs can apply to every desktop and laptop. By providing a "belt-and-braces" approach to security, these tools block the unsolicited inbound connections that network worms use to spread, so staff using machines at home, on a hotel network or for personal access at work are protected from common internet-borne problems even when a patch has not yet been applied.
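A host firewall only helps if it is switched on and actually blocks inbound traffic by default, on every network profile, and that is worth verifying rather than assuming. The script below is an added example for this page, not from the article; it assumes a current Windows host with the built-in NetSecurity PowerShell module (the article's era used third-party personal firewalls, but the check is the same). It reports each profile, shows the weak state beside the corrected one, and can enforce the safe configuration.

```powershell
# Added example (not from the original article): check and, optionally, enforce a safe
# host-firewall baseline on every Windows network profile (Domain, Private, Public).
# Assumptions: Windows 8 / Server 2012 or later with the NetSecurity module; elevated session.
# Run with -Enforce to correct the weak settings instead of only reporting them.
param([switch]$Enforce)

$weak = @()
foreach ($p in Get-NetFirewallProfile) {
    # Weak state: firewall disabled, or inbound traffic allowed by default.
    # 'NotConfigured' for DefaultInboundAction falls back to Block, so only 'Allow' is flagged.
    $enabled = ($p.Enabled -eq 'True')
    $blocks  = ($p.DefaultInboundAction -ne 'Allow')
    $state   = if ($enabled -and $blocks) { 'OK' } else { 'WEAK' }
    "{0,-8} Enabled={1,-5} DefaultInbound={2,-14} {3}" -f $p.Name, $p.Enabled, $p.DefaultInboundAction, $state
    if ($state -eq 'WEAK') { $weak += $p.Name }
}

if ($weak.Count -gt 0) {
    if ($Enforce) {
        # Corrected state: on, block unsolicited inbound, allow outbound, log what was dropped
        # so an infection attempt from the LAN or a home network leaves evidence.
        Set-NetFirewallProfile -Profile $weak -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Allow `
            -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
        "Corrected profiles: $($weak -join ', ')"
        exit 0
    }
    Write-Warning "Weak firewall configuration on profile(s): $($weak -join ', ')"
    exit 1
}
"All profiles enabled with inbound blocked by default."
exit 0
```

The Public profile is the one that matters for the laptop on a home or hotel network, and it is also the one users are most likely to have weakened while trying to "just get something done", so the script treats every profile the same rather than only checking the office LAN.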
There is also an essential investment in time. Someone in the organisation must be given both the responsibility and authority to ensure these controls are implemented and kept in the front line. It does not have to be a full-time job in smaller organisations, but it is nevertheless an essential role and one that will act as the security conscience for the firm.
Finally, a set of policies and procedures is needed to support these good intentions and to ensure that nothing is overlooked. There are many free sources of template documents on the web and some excellent advice from the British Computer Society and Microsoft websites.
What do you think?
Would better education of staff in security matters such as patches slash your budget? Tell us by e-mail. ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
Peter Wood is chief of operations at First Base Technologies, an exhibitor at Infosecurity Europe 2004 which will be held at Grand Hall, Olympia, 27-29 April.