Small-business security primer, part one: the basics

Following my commitment a year ago to write something for the less-technical audience I encountered at a conference, I am finally writing the small-business security primer. This is part one — the basics, focused on what actually matters for typical small businesses.

The target reader: a small-business owner with no technical background, running 5-50 employees, with the usual mix of computers, email, possibly a website. They want to understand security well enough to make sensible decisions, not to become a practitioner.

This post is more direct and less hedged than my usual; the audience is different.

Why this matters for you

In 2001, your business depends on technology in ways that were not true ten years ago. The technology you depend on has security weaknesses. Some of those weaknesses can be exploited by people who do not know your business, do not care about you specifically, and are simply scanning the internet for opportunities.

The specific risks you face are:

  • Email-borne malware that locks up your computers or destroys your data.
  • Compromise of your website, leading to embarrassment, loss of customer trust, or worse.
  • Theft of customer data from your systems, with regulatory and legal consequences.
  • Disruption of your business through attacks on the systems you depend on.

None of these are theoretical; all of them happen to small businesses regularly. Most businesses are not specifically targeted; they are caught in the broad sweep of automated attacks. The defences against the broad sweep are not difficult; they are non-optional.

The basic disciplines

Five things, in priority order, that every small business should be doing.

1. Backups, real ones

If your computers were destroyed tomorrow, what would you lose? If the answer is anything you cannot afford to lose, you do not have adequate backups.

The right discipline:

  • Regular automated backups of all important data.
  • Storage off-site (so a fire or theft does not destroy backups along with originals).
  • Periodic testing of restoration. Backups that have not been restored from are unverified.

For a small business, this can be as simple as a USB drive that gets swapped between the office and someone's home weekly, plus a small online backup service. The cost is modest; the value when needed is enormous.
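What "periodic testing of restoration" means in practice, as an added illustration of my own rather than anything from the original post: take the backup, restore it somewhere scratch, and compare every restored file against the live copy. The script below assumes a compressed tar archive and SHA-256 hashes, and the sample office files it backs up are constructed for the demonstration. The second check deliberately adds a file after the backup was taken, to show how a stale backup shows up.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source: Path, archive: Path) -> Path:
    """Write the whole source directory into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive


def verify_backup(archive: Path, source: Path) -> list:
    """Restore into a scratch directory and list every path that is missing or differs.

    An empty list means the backup really does contain what is on disk now.
    """
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        restored.mkdir()
        with tarfile.open(archive, "r:gz") as tar:
            # Newer Pythons offer a 'data' filter that refuses unsafe archive members.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(restored, filter="data")
            else:
                tar.extractall(restored)
        expected = sha256_tree(source)
        actual = sha256_tree(restored)
    return sorted(p for p in expected.keys() | actual.keys() if expected.get(p) != actual.get(p))


def demo() -> tuple:
    """Constructed sample: back up a small office directory, verify, then let it go stale."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "office-files"
        (source / "invoices").mkdir(parents=True)
        (source / "invoices" / "2001-03.txt").write_text("invoice 1042: 350.00\n")  # constructed
        (source / "customers.csv").write_text("name,email\nExample Co,contact@example.com\n")  # constructed
        archive = make_backup(source, Path(work) / "backup.tar.gz")

        fresh_problems = verify_backup(archive, source)      # expect []
        (source / "new-contract.txt").write_text("signed 2001-04-02\n")  # work done after the backup
        stale_problems = verify_backup(archive, source)      # expect ["new-contract.txt"]
        return fresh_problems, stale_problems


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh backup problems:", fresh)
    print("stale backup problems:", stale)
```

Run on a real backup, the interesting output is the second kind: anything listed is either not in the backup at all or is a different version from what is on the working computer. A monthly run of this against the off-site copy turns "we have backups" into "we have restored from our backups".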

2. Updates, applied promptly

The operating system on your computers, and most software you use, regularly issues updates. These updates fix specific security weaknesses. Applying them quickly is one of the most effective things you can do.

The right discipline:

  • Enable automatic updates where the option exists.
  • Schedule a monthly check that updates are actually being applied (computers do not always tell you when they have failed to update).
  • Reboot when prompted to apply pending updates.

Most small businesses have at least some computers that have not been updated in months. These computers are systematically more vulnerable than they need to be.

3. Antivirus, current

Most computers should have antivirus software running with current signatures. The specific product matters less than:

  • The signatures are updated automatically.
  • The software actually scans incoming attachments and downloaded files.
  • The software is not silently disabled by malware (which some sophisticated malware does).

This is the bare minimum. It is not a complete defence — antivirus catches known threats, not new ones. It is the floor, not the ceiling.

4. Strong passwords, used consistently

The single most common cause of small-business compromise is weak passwords. Specifically:

  • Passwords that are dictionary words.
  • Passwords that are reused across multiple services.
  • Default passwords that were never changed.

The right discipline:

  • Choose passwords that are not in dictionaries (long passphrases work well — "correct horse battery staple" style).
  • Use different passwords for different services (a password manager helps).
  • Change passwords if there is any reason to suspect they have been exposed.

This is where most small businesses fall down. The discipline is not technical; it is behavioural.
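To put numbers behind "long passphrases work well", here is an added example of my own (not from the original post) that generates passphrases the right way and compares the guessing effort for the password styles above. The guess rate of ten billion per second is an assumption chosen for illustration, the sixteen-word list is a constructed stand-in for a real one, and the figure of 7776 words is the size of a standard Diceware list.

```python
import math
import secrets
import string

# Constructed stand-in wordlist; a real Diceware list has 7776 entries.
WORDLIST = ["correct", "horse", "battery", "staple", "copper", "lantern", "meadow", "pencil",
            "orbit", "velvet", "thunder", "walnut", "harbor", "quartz", "signal", "timber"]
DICEWARE_SIZE = 7776
ALNUM = string.ascii_letters + string.digits


def entropy_bits(choices_per_symbol: int, length: int) -> float:
    """Bits of entropy for `length` symbols each chosen uniformly from `choices_per_symbol`."""
    return length * math.log2(choices_per_symbol)


def random_passphrase(n_words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """A machine-generated password of the kind a password manager stores for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def is_dictionary_based(password: str, dictionary) -> bool:
    """Flag the weak pattern: a dictionary word with digits or punctuation tacked on the end."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in dictionary


def compare_strengths(guesses_per_second: float = 1e10) -> dict:
    """Entropy in bits and exhaustive-search time (years) for the styles the text contrasts.

    The guess rate is an assumed figure for illustration only.
    """
    cases = {
        "dictionary word (100k-word list)": entropy_bits(100_000, 1),
        "8 random letters+digits": entropy_bits(len(ALNUM), 8),
        "4 Diceware words": entropy_bits(DICEWARE_SIZE, 4),
        "6 Diceware words": entropy_bits(DICEWARE_SIZE, 6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(4))
    print("example password:  ", random_password(16))
    for name, (bits, years) in compare_strengths().items():
        print(f"{name:35s} {bits:6.1f} bits  {years:14.6f} years")
    print("'Password1!' dictionary-based:", is_dictionary_based("Password1!", {"password"}))
```

The point the numbers make is the one in the text: a single dictionary word, however decorated, is guessed in moments; four random words from a real list already beat a typical eight-character random password, and six words push exhaustive search out to geological time. The dictionary check is deliberately simple (it does not catch letter-for-digit substitutions); a password manager sidesteps the whole problem by generating and remembering the random kind.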

5. Email caution

Email is the primary attack vector against small businesses. Specific caution about email is essential.

The right discipline:

  • Do not open attachments from people you do not know.
  • Do not open attachments from people you do know if the email is unexpected or feels off.
  • Do not click links in emails that ask you to log in to anything; navigate directly to the service instead.
  • Do not respond to emails asking for sensitive information; verify by phone with someone you actually know.

This is the single largest behavioural defence. It is also where employees most need training, because the social-engineering aspect is the part that defeats technical controls.

What you do not need to worry about

Several things that small businesses sometimes worry about but should not be primary concerns:

Sophisticated targeted attacks. Almost no small business is specifically targeted by a sophisticated attacker. The threat profile is mostly opportunistic.

State-level adversaries. If you are not running a critical-infrastructure business or doing politically-sensitive work, you are not on any state's target list.

Specific technical jargon. SQL injection, format-string attacks, cross-site scripting — these are concerns for the people who build software you use, not for you directly. As long as you keep your software updated, the specific technique that produced any specific vulnerability does not concern you.

What this primer is not

This is the basics. There is much more — incident response, regulatory compliance, formal risk assessment — that matters for businesses beyond the basics. Part two of this primer will cover the next layer up.

For now, if you are a small-business owner reading this, the five disciplines above will substantially reduce your exposure to the threats most likely to affect you. None of them is technically difficult. All of them require sustained behavioural commitment.

More in part two, next week.

