Recently, I was asked to review an article, “5 Things Don’t Want Small-to-Medium Sized Business Owners to Know”  (PDF) by an industry colleague. The article is excellent and provides good information to SMBs.

In our company quest to share information to help as many people as we can, I’ve added the email response here. Why write to one person when you can write to many?

The titles are from the original author.

The article is a good one. As I read through it, I found myself checking off the paragraphs with good info. Most of the paragraphs have checks beside them. 

#1: Anti-virus programs are generally ineffective

The numbers on the growth of these problems are so big people may have trouble believing them to be true. It’s kind of like the federal bailout. People could not comprehend numbers that large without a great infographic. 

Our prior business was website hosting and digital marketing. Customers had sites hacked all the time because they would leave their content management system alone and never update/upgrade to better patched versions. The same holds true for plug-ins to the sites. We have hundreds of WordPress CMS customers and there was almost a hack a day for people who did not subscribe to our security service. 

One other element the article addresses is the use of terminals and restricted access for employees. I agree — and will go so far as to say people should limit who has email. Most employees do not need email accounts. Yes. There, I said it. The tools to communicate internally and with customers have eliminated the need for email in most cases. I’ll write more on this soon and it involves more than preventing phishing issues.

#2: Firewalls facing the wrong way

I agree with this section of the article. It may be tough for SMBs to grasp the investment in a log management tool until a negative event occurs. If we split the SMB market into sections, then I can make recommendations:

  • <25 workstations: buy endpoint protection on a per seat basis from the IT provider; no real log analysis unless there’s a strong belief in IT
  • 26+ workstations: buy endpoint protection, hardware, and log analysis

I picked 25 as the split based on my experience of what they are likely to do and not from any scientific point of view. 

#3: You are the weakest link in the cloud

This could be an article in itself. Humans are always the weakest link. ;^)

The author’s point about the value of physical access to data as opposed to cloud storage is a bit alarmist. Properly configured, I think cloud data storage is acceptable and secure enough for most businesses. The key is allowing the IT team (or guy) enough time to set it up and manage it. 

Most of the internal systems used have a way to access them even if an employee is outside the office. Exchange has offered OWA for a long time. To me, this is only marginally better than a full cloud service. In 2015, we can assume most of the SMBs have fewer security measures and staff in place than a cloud service provider. 

If I were to rewrite the section with the same title, it would be about social engineering. The cloud advice would be in a new section. 

#4: Advising employees not to open emails from “strangers” is counter-productive

The title is a little misleading. An all around education program is what should be offered to employees. I believe this is the author’s point. 

Teaching about phishing only is not enough. This is why we offer video training for our clients. 

#5: Encrypting your company’s portable devices isn’t enough

The scenarios described are believable. I’ve seen a number of people on airplanes, in coffee shops, etc. leave laptops open, logged in, and unattended for more than 5 minutes. Encryption is good — and a smart thing to do — but the training is what will really help keep things secure. We need to encourage our clients to keep educating their employees to be vigilant and not paranoid.

If your organization is interested in working with us, then you can imagine what to do next.