Small and midsize businesses Cyber Security Stress Test

10 security questions to small and midsize companies

Author: F-Secure Business Security Insider
Date: 28.06.2015
Read Time: 6 Minutes

Small to medium sized businesses provide the foundation for the U.S. economy. And yet, this vital economic engine remains one of the nation’s biggest vulnerabilities when it comes to cyber security. That’s because many SMBs don’t have the time, staff, expertise or IT resources to ensure that their businesses are protected.

In many cases, SMB owners assume incorrectly that their systems and data would have little value to hackers and thus will not be targeted. However, your financial accounts, as well as employee, customer or partner information can all be of substantial value to a hacker. A breach of any one of these could be devastating and bring into question the ongoing viability of your business.

Assess your cyber risk

To help you assess how exposed your business is to cyber threats, F-Secure has devised a Cybersecurity Stress Test for SMBs.

Answer the following questions to see where your weak points may be, and at the end, we’ll provide links to additional resources and information.

1. Does your business have a dedicated in-house IT person or team or do you outsource the IT function?

a. We have an experienced, dedicated IT person or team on staff
b. IT / security is handled by an employee, but it is not that person’s primary responsibility
c. We outsource IT / security to a contractor or Managed Service Providers / Value-Added Reseller
d. We don’t have anyone overseeing IT – each employee is responsible for their connected devices
e. I don’t know

Why this is important: Cybersecurity is a complex, extremely fast-moving and dynamic challenge for our nation and for every business. Today’s security solutions automate many of the processes involved with protecting individuals or businesses. However, businesses are much better off having someone knowledgeable, such as an IT person or team, or a Value-Added Reseller or Managed Service Provider, who can make sure software is deployed correctly and who can keep you abreast of security issues.

2. What type of security software do you use for your business?

a. Licensed enterprise-grade security software
b. Licensed consumer security software
c. Security Software as a Service subscription
d. We outsource management of our security software to a Value-Added Reseller or Managed Service Provider
e. We use free security software
f. We don’t use security software
g. I don’t know what we use

Why this is important: Some small and medium-sized businesses rely either on free security software that comes with their computers or consumer grade security software suites. These solutions are better than nothing, but they are insufficient for business use. Moreover, businesses tend to have multiple employees with multiple types of devices – that’s why it’s important to have a solution that can fully protect your business.

For small and medium-sized businesses, outsourcing security to an expert is increasingly recommended – let your Value-Added Reseller or Managed Services Provider worry about protecting your business so that you can focus on growing it.

Security-as-a-Service is also recommended for small and medium sized businesses versus licensed software because it requires little management and the software is always up to date.

3. What types of computing / communications devices do you and your employees use (select all that apply)?

a. Desktop computers
b. Laptop computers
c. Cell phones
d. Smartphones
e. Tablet computers

Why this is important: Nowadays, your employees are likely using multiple types of devices for personal and work use. This creates more points of exposure – or a greater potential threat surface for hackers to exploit. It is thus important that all your employees’ devices – from PCs to laptops to tablets to smartphones – are protected and considered in your security program.

4. How do employees access work information?

a. Through work computers only
b. Through work-issued mobile devices
c. Through employee’s own personal devices, including computers and mobile devices
d. I don’t know

Why this is important: Even if you have ensured that all employee work devices are protected, employees may be accessing work information on their personal devices – and those devices very likely are not protected.

5. Do you use Wi-Fi to provide network access in your facilities?

a. Yes
b. No
c. I don’t know
d. We do not have a wireless network

Why this is important: Wi-Fi can be yet another point of exposure if not properly secured. It’s critical that businesses understand the risks of Wi-Fi and how to properly secure it. Be sure to use WPA2 to secure your network and use a strong password. In addition, it’s best practice to create a separate Wi-Fi login for guests logging onto your network. This helps reduce exposure of your regular work Wi-Fi network.

6. Do employees regularly connect to Wi-Fi off your property, such as at their homes, other places of business, or public places such as airports or cafes?

a. Yes
b. No
c. I don’t know

Why this is important: Many public Wi-Fi hotspots are easy targets for hackers, and often people don’t protect their home Wi-Fi or don’t use the highest level of protection on it. This is all the more reason to ensure that the mobile devices your employees use for work are protected with security software.

7. Does your company have clear IT security policies in place?

a. Yes
b. No
c. I don’t know

8. Does your company train employees on IT security?

a. Yes
b. No
c. I don’t know

Why this is important: Software and expertise can only protect you so much. The biggest weakness in cybersecurity has always been the human factor – risky online behavior engaged in by employees. The only way to help reduce this exposure is to have clear policies in place, train every employee on internet security, and provide regular reminders and refresher training.

9. How does your company ensure that its security software is up to date?

b. We have systems set up to automatically update software
c. Our IT team regularly ensures that systems are up to date
d. We don’t have any way of ensuring software is updated
e. I don’t know

10. How does your company ensure that apps and software you and your employees use are up to date?

b. Our IT team regularly ensures that systems are up to date
c. We don’t have any way of ensuring software is updated
d. I don’t know

Why this is important: Software flaws are the most common way hackers gain access to devices and critical information. When flaws are found, hackers quickly exploit them until the software maker discovers the problem and is able to send out a fix. If you or your employees delay updating software or apps, you are left exposed and are easy pickings for hackers.

Hopefully, as you’ve answered these questions and considered your own security practices at your business, you’ve identified some ways to protect your business better.
It doesn’t require a significant amount of money or time, but taking sufficient protective measures can prevent disaster. By protecting your business and employees, you’re also helping to protect your customers and partners – and contributing to the business community’s and country’s overall security standing.

More information

Here are some other resources that you might find useful:

Safe and Savvy blog: http://safeandsavvy.f-secure.com/
F-Secure Labs blog: http://www.f-secure.com/weblog/
Sean Sullivan, F-Secure Security Advisor on Twitter: @5ean5ullivan

