11 Essential Points for a Small Business IT Security Policy

I remember the first time I watched Gregory Peck and Anthony Quinn in my all-time favorite war movie, “The Guns of Navarone.” A small band of gutsy misfits takes on practically the entire German army. Clearly, the odds were stacked against them.

That’s how IT security feels sometimes for small businesses. You’re working hard to meet deadlines and get payroll out and then – boom – your network is compromised. And you can’t help but think: “I don’t have time for this.”

Small businesses are vulnerable targets. Cybercriminals think nothing of email blasts that lock up your data and hold it for ransom (ransomware) or infect computers with viruses that shut down a network.

At 3Points, we receive one to two calls a week about security-related issues from clients – small businesses with up to 100 computers. A ransomware attack is scary and pricey. Costs reach as high as $10,000 to fix the problem. If a workstation is infected, an employee could be down half a day while the PC is rebuilt and files are restored. If a server is infected, the entire server comes down.

Your best defense is a rock solid IT security policy. Here are 11 essential points to include. More protection means less risk. In the spirit of my favorite movie and in honor of Veterans Day just around the corner, you’ll see a few military terms thrown in for good measure (thank you, Wikipedia).

1. Document your policy. First things first, craft a security policy that defines your standards so employees know what they should and should not be doing. The internet is like no man’s land (the land under dispute between countries). Put your security policy up on SharePoint for easy reference.

2. Define safe and unsafe email habits. One client experienced ransomware four times in a nine-month period. Why? Employees opened malicious emails, clicked on infected links, and downloaded suspicious files. Educate people about safe and unsafe email practices. Attachments from fake senders, subject lines containing personal information, and emails purporting to be from “UPS” are popular baits.

3. Train the user to look past the obvious. User awareness is your best blast wall (a barrier that protects against a high-explosive blast). In your policy, outline questions like: Am I expecting an attachment from this person? Is it reasonable that I would be asked to click this link? Sometimes cybercriminals impersonate people you know. Got an email from the controller? Ask: Would I be receiving something like this from her? Send a new email (do not reply directly) or call to verify that the email is genuine. An extra five minutes is better than half a day down to fix a problem.

4. Stop forwarding emails. Forwarding emails spreads viruses. 3Points once ran a test for a client to see how secure they actually were. We sent out a fake email asking them to reset their password. Half the company clicked through. Others forwarded the email.

5. Reporting procedure. What happens if an employee does identify a threat or gets an alert email? Define their response in your policy. Turn your team into pickets (advance troops that give early warning of the enemy). Tips: Notify a manager or the IT partner, or run an anti-virus scan. If you use an on-premises Exchange server or GoDaddy, we can install a filter that analyzes emails and attachments.

6. Educate your team. Think of it like boot camp – have your HR department give instructions through a company-wide meeting, workshop or webinar. A prevention plan is easier to carry out than a crisis plan.

7. Password policies. Consider password management software. Of course, outline password best practices, like not reusing the same password (I have a friend who boasts about using 1234. Not good).

8. Limit public information. We’ve become a sharing community. Typical security questions like the name of your first pet are pretty easy to answer from public sources. After all, Roscoe’s picture is right there on your Facebook timeline.

9. Not just for email anymore. I watch this show Mr. Robot. One episode featured a supposed “call” from a person’s banker relaying a security breach and asking for verification of account information. With mobile devices taking over our attention, include best practices for distinguishing malicious calls from real ones. With BYOD (bring your own device) so prevalent, set policies to prevent transmission of company data via personal devices.

10. Consider workstation limitations. 3Points offers a Security Enhancement Package that puts digital limitations on workstations. It helps keep an end-user from inadvertently infecting their machine through attachments and file sharing. Think of it like a military tank with your computer inside.

11. Backup is your best defense. A good backup strategy is the single most important part of your security policy. Safe backup equals safe data. With ransomware and malware, it’s a nasty game of catch-up. Malicious attackers are creating new styles of attack, new code, new iterations of viruses. It’s impossible to keep up, but it’s not impossible to bulletproof your protection. This is your shield wall in all its glory (the highest and thickest wall protecting the main assault approach).

We live in a digital world. A security policy outlining prevention methods and backup solutions puts the odds in your favor. It gives you – you guessed it – a decisive victory (an overwhelming victory for one side) over computer attacks.