How to Conduct a Security Audit for SMBs

Security Audit for SMBs

Data breaches aren’t news anymore.

In less than five years, cyber crimes went from leading story to page six, because they happen too often for us to stop and pay attention to all of them. But the businesses that fall victim to these breaches do notice, and many feel helpless to stop them.

One year ago, Target fell victim to a catastrophic data breach in which more than 40 million credit and debit card numbers were stolen. While the attack did make news, it was only one of dozens in 2014 that hit major corporations across the U.S.

A data breach at one of the world’s largest retailers leaves small business owners wondering, “If it can happen to Target, can it happen to me?” The simple answer is yes, it can happen to anyone. The silver lining is a bit more promising: sophisticated hackers aren’t targeting smaller companies the same way, but that doesn’t make them secure.

A small casino in Battle Creek, MI was recently attacked, and credit and debit card numbers were stolen from its systems. So it is happening at every scale; the only question now is how to protect your own business.

The best way to prevent a data breach is to get inside your own systems and learn how secure they actually are: where the vulnerabilities are, who is in charge of each piece, and how to fix any potential hazards. In other words, a complete security audit.

1. Backups

Before you go poking around your systems you need a proper backup. This is more than saving everything to a giant hard drive or server tower: your backup needs to be organized and accessible so that if any piece of your systems fails during the process you can restore that one piece rather than the whole system. Normally this is a lot of work, but there are enterprise-level cloud systems that make the transition seamless. Make this your first step so you have peace of mind for the rest of your audit.

2. Create an Assets List

Think of all the entry points into your system. This includes:

  • Laptops and desktops
  • Email
  • Phones
  • Internet
  • Wireless
  • VPN
  • Printers
  • VoIP
  • Cameras
  • Employee access cards

These are only a few examples; your company could have dozens. Make sure to cover every way your systems are accessed, both physically and digitally (access cards versus email, for example).

3. Consider Your Threats

Like entry points, your system is full of vulnerability points that could become threats:

  • Passwords
  • Backups
  • Data logs
  • Client lists
  • Emails

4. Put a Plan in Action

Once you identify your entry points and possible threats, it’s time to connect the dots. For example, which entry points require a password? Which employees have access to your company’s most sensitive data? It’s important to map out the spiderweb of possible paths a hacker could take to your information.

Now it’s time to put an intrusion prevention system (IPS) in place. Unless you have an experienced IT staff capable of the job, this is another task that should be contracted out to a third-party firm to ensure all points are covered. A good IPS will cover both physical and digital security, so someone walking into the building and copying files onto a thumb drive is not overlooked. Once this is in place, a cyber attack is much less likely than before.
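To make steps 2 through 4 concrete, here is an added example (not from the original article) that turns the asset list and the threat list into the kind of cross-reference the "connect the dots" step asks for. It models each entry point with the controls actually on it and the threat points reachable through it, maps employees to the entry points they use, and then answers the audit questions: which entry points lack an individual password, MFA or badge, who can reach a given threat point such as the backups, and which access paths run through an unprotected entry point and should be fixed first. The inventory, the employee names and the rule that a digital entry point needs a password or MFA while a physical one needs a badge are all constructed for the example.

```python
"""Entry-point / threat cross-reference for a small-business security audit.

Added example, not code from the original article. The inventory below is
constructed for illustration; a real audit fills it in from steps 2 and 3.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One entry point from the asset list (step 2)."""
    name: str
    kind: str                 # "digital" or "physical"
    controls: frozenset       # access controls actually in place
    exposes: frozenset        # threat points (step 3) reachable through it


@dataclass(frozen=True)
class Employee:
    """One person and the entry points they are allowed to use."""
    name: str
    entry_points: frozenset   # asset names


# Minimum control expected per kind of entry point (an assumption for this
# example): any one of the listed controls satisfies the requirement.
REQUIRED_CONTROL = {
    "digital": {"password", "mfa"},
    "physical": {"badge"},
}

# Constructed sample inventory (not a real company).
ASSETS = [
    Asset("laptops", "digital", frozenset({"password", "disk_encryption"}), frozenset({"client_list", "emails"})),
    Asset("email", "digital", frozenset({"password"}), frozenset({"emails"})),
    Asset("vpn", "digital", frozenset({"password", "mfa"}), frozenset({"client_list", "backups"})),
    Asset("wireless", "digital", frozenset({"shared_key"}), frozenset({"data_logs"})),
    Asset("printer", "digital", frozenset(), frozenset({"client_list"})),
    Asset("server_room", "physical", frozenset({"badge"}), frozenset({"backups", "data_logs"})),
    Asset("front_desk", "physical", frozenset(), frozenset({"client_list"})),
]

EMPLOYEES = [
    Employee("alice", frozenset({"laptops", "email", "vpn", "server_room"})),
    Employee("bob", frozenset({"laptops", "email", "wireless", "printer"})),
    Employee("carol", frozenset({"front_desk", "email"})),
]


def missing_required_control(asset):
    """True when the asset has none of the controls its kind requires."""
    return not (asset.controls & REQUIRED_CONTROL[asset.kind])


def entry_points_missing_auth(assets):
    """Entry points usable without an individual password, MFA or badge."""
    return sorted(a.name for a in assets if missing_required_control(a))


def who_can_reach(assets, employees, threat_point):
    """Employees holding at least one entry point that exposes the threat point."""
    exposing = {a.name for a in assets if threat_point in a.exposes}
    return sorted(e.name for e in employees if e.entry_points & exposing)


def access_paths(assets, employees):
    """The full 'spiderweb': every (employee, entry point, threat point) triple."""
    by_name = {a.name: a for a in assets}
    paths = []
    for e in employees:
        for asset_name in sorted(e.entry_points):
            for point in sorted(by_name[asset_name].exposes):
                paths.append((e.name, asset_name, point))
    return paths


def weakest_paths(assets, employees):
    """Paths through an entry point with no required control; fix these first."""
    by_name = {a.name: a for a in assets}
    return [p for p in access_paths(assets, employees)
            if missing_required_control(by_name[p[1]])]


def audit_summary(assets=ASSETS, employees=EMPLOYEES):
    """The three answers the audit plan asks for, as one dictionary."""
    return {
        "unprotected_entry_points": entry_points_missing_auth(assets),
        "who_can_reach_backups": who_can_reach(assets, employees, "backups"),
        "paths_to_fix_first": weakest_paths(assets, employees),
    }


if __name__ == "__main__":
    for key, value in audit_summary().items():
        print(f"{key}:")
        for item in value:
            print("   ", item)
```

Run as a script it lists the three unprotected entry points (the front desk, the printer and the shared-key wireless), shows that only one person can reach the backups, and ranks the paths through unprotected entry points as the first fixes. The value of keeping this as data rather than a spreadsheet is that the same questions can be re-run after every change to the inventory, which is what a repeatable audit needs.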