Introduction to SMB Security

When tech-types start discussing security, the small/medium business (SMB) owner tends to get lost in the perceived morass of technical information security controls. On the other hand, vendors aggressively pursue SMB dollars, touting the importance of complying with government regulations and staying out of litigation. The purpose of this series of articles, a security how-to manual for SMBs, is to cut through the techno-speak and marketing hype. We’ll discuss reasons why you as an SMB owner or manager should care about information security. We’ll also look at information security tools and techniques and how to determine what level of security is reasonable and appropriate for your unique organizational needs.

There are a number of standards I could use as a guide through the topics to follow. However, the standard getting the most attention today is the Payment Card Industry Data Security Standard (PCI DSS). So I decided to use it as the central driver for our discussions. When we discuss security issues beyond something covered by the PCI DSS, I’ll fall back to the international security guidelines contained in ISO/IEC 17799:2005.

No, you don’t have to remember cryptic ISO numbers or wade through the 17 page PCI DSS specification to get security. It will be my job to “decrypt” the content of these documents and show you how they apply to actual day-to-day operation of your business. Each article will include two or three products which provide relevant functionality.

Let’s start the series with why should you should care about any of this.

When you ask a security professional to define security, he or she is likely to explain that it is the protection of data confidentiality, integrity, and availability. OK, but what does this mean to the SMB?

First, keeping your data secure helps maintain customer good will. Protecting their identities from theft and providing a general perception of your willingness to secure sensitive information about their credit cards or other financial information, while the media are full of stories about lost information, is a big plus.

Second, information security includes planning for business interruptions and how to quickly recover with minimal negative impact on finances or market share.

Third, maintaining the confidentiality of information which hones your competitive edge is critical. Intellectual property such as product/service development documentation and customer lists are examples of data types you need to keep safe.

Finally, there are regulatory requirements and industry standards. Failing to comply with these constraints can result in fines, loss of business, or litigation. In addition, failure to comply with the PCI DSS can result in payment card companies withdrawing your ability to accept credit cards in payment.

Now that we’ve seen why you should care about information security, let’s take another look at the CIA of security—confidentiality, integrity, and availability.

Confidentiality includes tools and techniques that prevent unauthorized individuals from viewing or obtaining information. This is the central theme of the PCI DSS. That is, protecting the confidentiality of individual payment card information. It is also an important element in ensuring the safety of Personally Identifiable Information (PII)--information which allows someone to steal another’s identity—or electronic protected health information (ePHI).

Data has little value, and can actually be harmful, if it isn’t accurate. Financial statements and delivery of health care are just two areas adversely affected by false or missing information. Protecting data integrity focuses on ensuring that information used to conduct business is accurate and free from unauthorized changes.

Protecting the confidentiality and integrity of information is important. But even safe, accurate data has little value if business users can’t access it. Availability is about planning for inevitable failures of people, process, or technology. It’s also about being able to recover in a way that doesn’t cause irreparable harm to the business.

In upcoming articles, we’ll look at administrative, technical, and physical tools and techniques for ensuring the safety of sensitive information, protecting your business and your customers. Don’t think of this as another lecture on security. As a SMB owner myself, I understand the limitations when looking for security dollars. I’ll help you minimize investment while ensuring confidentiality, integrity, and availability of customer, employee, and business data.