Small Business IT Security, Why Is It So Important?


Over the years I have found that an alarming number of small businesses that handle sensitive personal information about their clients (such as medical and financial offices) do not properly secure their computer systems. Their client data is stored on ordinary network shares, open to anyone who cares to look. The worst part is that when this is brought to the attention of the business owners, many of them don’t seem to understand how severe an issue this really is. Any company that deals in any way with personal information about its clients, be it medical, financial or legal records, has a responsibility to its clients to do everything possible to protect that data.

I’m just a small company, no one would target me.

That is generally the response I get from business owners, and it is a very dangerous mindset. Hackers almost never “target” anyone; that is a false idea of what “hackers” are. Most people see hackers as the movies portray them: some geeky guy sitting in front of a computer typing away until he finally proclaims “HA HA!! I’m in!”. This is far from the truth. In reality, hackers don’t usually do much by hand at all; they use scripts or automated “hack bots” to do most of the work. And they don’t just pick one system or company to hack, they go after thousands or millions. So banking on the idea that you are too small or not important enough to target leaves you with no protection at all.

So how does “hacking” work then?

To understand the importance of maintaining security at any level of business, it helps to understand how hacking really works. Hackers do not really penetrate a system by skill alone, no matter how good they are. They take advantage of holes or a lack of security in order to gain access, and they are literally counting on you to simply not secure your network properly. Most “hacking” tools are so simple that almost anyone can use them; you don’t have to be a computer genius. For instance, there is a process called “brute force” that simply tries a list of common passwords until it gains access to whatever it is targeting. It will literally start at the top of a list and try “password”; if that doesn’t work, it will try “1234”, then “123456”, then “qwerty” and so on down the list. This is a perfect example of how a user’s lack of care with their own security can easily lead to a breach of the network.

Other tactics simply follow known security holes or glitches. There may be a bug in a firewall’s firmware that causes information to be routed improperly. Hackers can use this knowledge to write a script that looks for that exact firewall and exploits that exact problem. Again, they wouldn’t find a particular company or person to target; they would target everyone who has that firewall. The Heartbleed security problem is an extreme example of this, and you can learn more about it here. This area of security is an example of why you should always stay on top of updates for all of your systems. Going back to the example, once the manufacturer of this fictional firewall finds out there is a problem, they would locate the issue in their firmware, fix it and then release a patch. But if you never install that patch, you are still vulnerable.

The last type of “hacking” I’ll touch on is called “social engineering”. This is where the hacker tries to bypass whatever security you have by tricking you or your users into doing something. An easy example is the spam email from the Nigerian prince who needs your help transferring millions of dollars. The email itself is harmless, but if you follow the instructions in it you’re screwed. This tactic is probably the most dangerous of them all, simply because it is much harder to train users to be safe than it is to implement network security controls, and it can bypass any security you have in place. In extreme cases (and the exception to the rule) social engineering can be used to target specific companies. Imagine a hacker has written a virus that will give him access to a network once it is running on that network. So he goes into the office pretending to interview for a job. But wouldn’t you know it, he forgot a printed copy of his resume. Luckily, he has a copy on a flash drive, and asks the receptionist to print it out for him. In truth, what is on his flash drive is the virus, and the moment the receptionist opens the drive, her computer is infected. A few hours later the network as a whole is compromised.

IT security is expensive, what are my options?

It is true that IT services can be expensive, but if your business is small, chances are you don’t need to spend tens of thousands of dollars to secure it. The important things for every business, no matter how small or large, are to stay on top of security updates and to enforce proper passwords. Beyond that, the security measures you need to take will mostly depend on what your company does. A dog washer doesn’t need a $20k firewall, a Windows server or any other expensive equipment, but a hospital would. If you’re a doctor, lawyer or CPA, or otherwise work with and store sensitive client data, then you need encrypted storage servers. There is no one answer to this question, as your security needs will vary with your business practices. The best option is to hire a professional consultant to assess your infrastructure and security needs and advise you on the best course of action. This is the best way to make sure you get exactly the level of security you need without spending more than you have to.
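The two cheapest defences this post recommends, enforcing proper passwords and noticing a password-list “brute force” while it is happening, both fit in a few lines of code. The following is an added example written for this page, not code from the original post or from the author; the common-password list is constructed from the words the post itself names plus a few obvious variants, and the authentication log lines are constructed for the example (the format is sshd-like but simplified, and the addresses are documentation ranges).

```python
"""Added example (not from the original post): two defender-side checks
against the password-list "brute force" the post describes.

1. reject_weak_password(): enforce the "proper passwords" advice by
   rejecting candidates that appear in a common-password list or that
   are too short.
2. find_bruteforce_sources(): scan authentication log lines and flag any
   source address that piles up failed logins faster than a threshold.

The password list and the log lines below are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed list: the passwords the post names plus a few common ones.
# A real deployment would load a large published breached-password list.
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein", "admin"}
MIN_LENGTH = 12


def reject_weak_password(candidate: str) -> Optional[str]:
    """Return a reason if the password should be rejected, else None."""
    normalized = candidate.strip().lower()
    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if normalized in COMMON_PASSWORDS:
        return "appears in the common-password list"
    # Catch trivial padding such as "password1234" or "qwerty!!"
    letters_only = re.sub(r"[^a-z]", "", normalized)
    if letters_only in COMMON_PASSWORDS:
        return "is a common password with digits/symbols appended"
    return None


# Constructed log excerpt: one source hammering several accounts within
# seconds, one legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
2014-07-20T09:00:01 sshd: Failed password for admin from 203.0.113.7
2014-07-20T09:00:02 sshd: Failed password for admin from 203.0.113.7
2014-07-20T09:00:02 sshd: Failed password for root from 203.0.113.7
2014-07-20T09:00:03 sshd: Failed password for admin from 203.0.113.7
2014-07-20T09:00:04 sshd: Failed password for user from 203.0.113.7
2014-07-20T09:00:05 sshd: Failed password for admin from 203.0.113.7
2014-07-20T09:05:00 sshd: Failed password for alice from 198.51.100.4
2014-07-20T09:30:00 sshd: Accepted password for alice from 198.51.100.4
"""

FAILED_LINE = re.compile(
    r"^(?P<ts>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def find_bruteforce_sources(
    log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)
) -> Dict[str, int]:
    """Return {source: total_failures} for every source that produced at
    least `threshold` failed logins inside any sliding window of `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_LINE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        failures[m["src"]].append(datetime.fromisoformat(m["ts"]))

    flagged: Dict[str, int] = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for pw in ("password", "password1234", "correct horse battery staple"):
        print(f"{pw!r}: {reject_weak_password(pw) or 'accepted'}")
    print("brute-force sources:", find_bruteforce_sources(SAMPLE_LOG))
```

Run as a script it reports the first two passwords as rejected and flags 203.0.113.7 with six failures, while the single mistyped login from 198.51.100.4 stays under the threshold. The sliding window matters: counting failures per day would also catch a slow, patient guesser, but it would flag ordinary users too, so a short window with a low threshold is the usual starting point for an alert or an automatic lockout.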


Tom Patch

I'm an IT consultant with 8 years of experience, currently supporting consumers and small businesses in King and Pierce counties in Washington state. I can help with any general technological consulting, network administration and security, web development and hosting.


1 Comment

  1. Richard Watson July 23, 2014 at 5:56 pm

    After a major data loss last year, I honestly thought that my information was gone forever. Boy was I wrong! Thanks to a work partner, I was referred to CSU in Palm Beach Gardens. CSU was a life saver; they retrieved my data and provided an outstanding backup solution to protect my data from future mishaps. Check out their website here
