Security Think Tank: SME security on a shoestring budget

How can SMEs afford security that is good enough?

Small- and medium-sized enterprises (SMEs) are the lifeblood of the economy, at least according to the statistics of the EU: SMEs provide two in three private sector jobs and contribute to more than half of the total added value created by businesses in the EU.

Yet, based on my observations and first-hand experience, SMEs struggle with IT security, either knowingly or through ignorance. It is the job of IT and security experts to help SMEs overcome this struggle.

As cost control is crucial for SMEs, let me help with a list of security controls to implement for free or on a very tight budget.

First, most SMEs operate single computers connected to a small local network, or even work from home. The security of those end points is, in my opinion, essential. For SMEs that run Windows OS on PCs, Microsoft does offer a security portal with free advice.

The obvious one is to keep a PC up to date with security patches, and run anti-malware software, which Microsoft provides for free. The less obvious advice is to run the PC and applications as a non-privileged user. I would also advise using alternative web browsers for internet activities, such as Google Chrome or Firefox. Those accessing internet banking should consider dedicating one browser just for that purpose.

For those fortunate to use Mac OS, the advice I would offer is much the same: keep systems up to date and create a non-admin user account for day-to-day activities. There is a slightly lower need to run anti-malware on Mac OS, yet that is changing. I personally run FortiClient on Mac; it is free and works well.

Cloud referral

Moving away from end points, SMEs are heavily engaged in the cloud, typically software as a service (SaaS). Services such as invoicing, shared folders, email and collaboration are heavily used. SMEs are in no position to negotiate any deviations from the SaaS provider's standard terms and conditions. When it comes to choosing a provider for a particular service, the Cloud Security Alliance has been doing a grand job with its self-certification of cloud providers, Star. SMEs should consult this list and take the information into consideration.

Most malware attacks businesses through web browsing and email, with email delivering the links to click on. Therefore, effective email security software is a must. This is where free does not cut it anymore. SMEs cannot afford to run local email servers, hence a cloud-based system makes an excellent case. I have been using both Google Apps and Office 365 and both work excellently to filter malware and spam. These are not free, but are affordable and licensed per user.

Two-factor authentication

Finally, there is the question of authenticating cloud users. Passwords are notoriously insecure due to human nature, and that is why SMEs should prefer suppliers who provide two-factor authentication. The Two Factor Auth (2FA) website lists a number of cloud services SMEs can use.

So far, the controls mentioned above should cost SMEs nothing or very little (Office 365 and Google Apps), and that is what I like. Let’s spread the word and help protect the bloodline of the economy.

Vladimir Jirasek is chief technology officer at Knightsbridge Contego
