Security Think Tank: Data security basics for SMEs

How can SMEs afford security that is good enough?

Small and medium-sized enterprises (SMEs) range from a one-person company running one PC and a printer to a much larger business running a reasonably sized IT infrastructure. Some basic security principles apply to both, and for the one-person company they will provide a good level of protection.

The first of these basic principles is that PCs and, where used, servers should run a current and supported version of all software. That software – particularly operating systems – should be maintained and kept up to date with security patches.

PCs and servers should be running a current and maintained antivirus product, and a local firewall – on the PC or server itself – should be operational. A backup regime should be in place, preferably backing up every 24 hours.

Laptops should be running encrypted hard drives and, ideally, USB memory sticks should be encrypted as well. It is also not such a bad idea to encrypt the hard drives of desktop PCs.

Good password hygiene should be practised. For example, passwords shouldn't be shared, should be changed regularly and the same password shouldn't be used across a multitude of services. Passwords should be complex – not the name of a pet, for instance. Further, log-on details shouldn't be written on a Post-it note stuck under a PC keyboard or on the side of a monitor.
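The password rules above can be turned into checks that run before a new password is accepted. The following Python is an added illustration, not code from the article or its author: it rejects short or single-class passwords, passwords built around a guessable word (the "name of a pet" case), and passwords already in use on another service, and it lists services whose password is overdue for a change. The 12-character minimum, the 90-day maximum age, the weak-word list and the sample vault are all constructed assumptions; reuse is detected by comparing salted PBKDF2 hashes, so no plaintext password is ever stored.

```python
"""Password hygiene checks for a small company: complexity, guessable words,
reuse across services and age. Added illustration; thresholds are assumptions."""
import hashlib
from datetime import date

MIN_LENGTH = 12       # assumed minimum length
MAX_AGE_DAYS = 90     # assumed rotation interval for "changed regularly"
# Constructed examples of the guessable words the article warns against
WEAK_WORDS = {"password", "qwerty", "123456", "letmein", "fluffy", "rex"}
SAMPLE_TODAY = date(2024, 6, 1)   # fixed "today" so the demo is reproducible


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the salt and hash are ever kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def is_complex(password: str) -> bool:
    """Long enough and drawn from at least three character classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def contains_weak_word(password: str) -> bool:
    """True if a known guessable word appears anywhere in the password."""
    lowered = password.lower()
    return any(word in lowered for word in WEAK_WORDS)


def reused_on(password: str, vault: dict) -> list:
    """vault maps service -> (salt, hash, date_set). Returns the services on
    which the candidate password is already in use, using hashes only."""
    return sorted(svc for svc, (salt, digest, _) in vault.items()
                  if hash_password(password, salt) == digest)


def stale_services(vault: dict, today: date) -> list:
    """Services whose password is older than MAX_AGE_DAYS as of `today`."""
    return sorted(svc for svc, (_, _, set_on) in vault.items()
                  if (today - set_on).days > MAX_AGE_DAYS)


def review_new_password(service: str, password: str, vault: dict) -> list:
    """Problems that should block setting `password` on `service`; [] if OK."""
    problems = []
    if not is_complex(password):
        problems.append("not complex enough")
    if contains_weak_word(password):
        problems.append("contains a guessable word")
    reused = [s for s in reused_on(password, vault) if s != service]
    if reused:
        problems.append("already used on: " + ", ".join(reused))
    return problems


def build_sample_vault() -> dict:
    """Constructed vault: the pet's name is already the e-mail password."""
    salt = b"constructed-salt"       # real code: os.urandom(16) per entry
    return {
        "email": (salt, hash_password("Fluffy2019!!", salt), date(2023, 1, 10)),
        "crm":   (salt, hash_password("Corr3ct-Horse-Battery", salt), date(2024, 5, 1)),
    }


if __name__ == "__main__":
    vault = build_sample_vault()
    print(review_new_password("crm", "Fluffy2019!!", vault))
    print(stale_services(vault, SAMPLE_TODAY))
```

Running the script reports that "Fluffy2019!!" contains a guessable word and is already used on the e-mail account, and that the e-mail password is overdue for a change. A single fixed salt is used here only to keep the sample short; in practice each stored entry gets its own random salt.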

For larger SMEs running more complex IT infrastructures there is more to do over and above the security basics. These organisations need to ensure any infrastructure devices – including firewalls, routers, Ethernet switches, load balancers and so on – are running currently supported software or firmware that is maintained with up-to-date security patches.

Businesses also need to ensure user access rights follow the rule of least privilege: employees are given only the privileges necessary to do their job. For example, only an IT support employee should have administrator rights, even on their own PC.

Role-based access control can be used to good effect to limit what people can access on a network and what they can do to the data on it. A flat file system where everyone has access to everything is not a good idea.
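As an added example (not from the article), the Python below models the least-privilege and role-based access control points of the two preceding paragraphs: permissions are attached to roles, never to individual users, every check is deny-by-default, an audit lists who holds workstation administrator rights, and a second check flags the "everyone has access to everything" pattern by finding resources every user can reach. The roles, permissions and staff list are constructed for the illustration.

```python
"""Role-based access control with least privilege and deny-by-default.
Added illustration; the roles, permissions and staff list are constructed."""

# Each role holds only the (resource, action) pairs its job function needs
ROLE_PERMISSIONS = {
    "sales":      {("customers", "read"), ("customers", "write"),
                   ("quotes", "read"), ("quotes", "write")},
    "finance":    {("customers", "read"), ("invoices", "read"),
                   ("invoices", "write")},
    "it_support": {("workstation", "admin"), ("users", "read"),
                   ("users", "write")},
}
ADMIN = ("workstation", "admin")   # the right only IT support should hold


class Directory:
    """Users and their roles; nothing is ever granted directly to a user."""

    def __init__(self):
        self.roles_of = {}

    def add_user(self, name: str, roles) -> None:
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles for {name}: {sorted(unknown)}")
        self.roles_of[name] = set(roles)

    def permissions(self, name: str) -> set:
        """Union of the permissions of the user's roles; empty for unknown users."""
        perms = set()
        for role in self.roles_of.get(name, ()):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def check(self, name: str, resource: str, action: str) -> bool:
        """Deny unless some role of the user grants this exact pair."""
        return (resource, action) in self.permissions(name)

    def admin_holders(self) -> list:
        """Audit: who can administer workstations? Should be IT support only."""
        return sorted(n for n in self.roles_of if ADMIN in self.permissions(n))

    def shared_by_everyone(self) -> set:
        """Permissions every user holds: the 'flat file system' smell."""
        if not self.roles_of:
            return set()
        common = None
        for name in self.roles_of:
            perms = self.permissions(name)
            common = perms if common is None else common & perms
        return common


def build_sample_directory() -> Directory:
    """Constructed staff list with one role each."""
    d = Directory()
    d.add_user("alice", ["sales"])
    d.add_user("bob", ["finance"])
    d.add_user("carol", ["it_support"])
    return d


def build_flat_directory() -> Directory:
    """Same staff, but everyone has every role: the anti-pattern."""
    d = Directory()
    for name in ("alice", "bob", "carol"):
        d.add_user(name, ROLE_PERMISSIONS.keys())
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("alice writes customers:", d.check("alice", "customers", "write"))
    print("alice admins her PC:   ", d.check("alice", "workstation", "admin"))
    print("admin holders:         ", d.admin_holders())
    print("flat directory admins: ", build_flat_directory().admin_holders())
```

In the least-privilege directory only "carol" appears in the administrator audit and no permission is common to all users; in the flat directory every user is an administrator and every permission is shared, which is exactly what the audit functions are there to surface.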

If IT services are being outsourced, the security principles outlined above should be enshrined in the outsourcing contract. However, it should be remembered that a company's responsibility can't be outsourced under the various acts of parliament.

Websites that offer helpful information include and

Peter Wenham is a committee member of the BCS, The Chartered Institute Security Forum strategic panel and director of information assurance consultancy Trusted Management.
