6 Ways for SMBs to Improve their Security, with Little Security Expertise

Plus a Checklist of 7 Security Must-Haves

By Ivan Dominguez
April 4, 2018

There is a children’s book, “Inside, Outside, Upside Down” featuring The Berenstain Bears, that teaches young children about spatial concepts. When it comes to securing your organization’s data, it may feel like you need to cover all of the spaces: inside, outside, and even upside down. It’s no wonder, since security risks exist everywhere: inside the network and outside the firewall, from employees accidentally leaking information via their mobile devices to outside phishing and malware threats trying to get in. With these increased cyber risks, companies of all sizes are constantly challenged with how to spatially navigate the security landscape.

Small to medium-sized businesses (SMBs) may not have dedicated security staff or security budgets compared to larger organizations. Yet their cybersecurity risks aren’t any smaller. In fact, ransomware is hitting SMBs hard. More than half of SMBs experienced a ransomware hack in 2017, according to a report by Ponemon Institute. Nearly 80 percent of SMBs said that ransomware was launched through a social engineering attack.

Your security needs are big, regardless of your organization’s size

Small businesses with little or no security staff can still have an effective cybersecurity program. The following can be done by your staff, even if they are not technically savvy:

  1. Start with a healthy amount of paranoia! Having a good idea of the real risks facing your business and how threats to your business may accomplish their goals is an essential business trait that doesn’t always require a technical background.
  2. Conduct a security review. Unless you know exactly what your business leaders want to protect and are required to keep confidential, cybersecurity efforts may be wasted even if you’re simply following best practices. Sitting down with key managers and leaders to understand the key assets and goals for the security program is an essential first step. 
  3. Determine what data needs to be protected. What data do you work with every day? What data is confidential? What data is essential to making your product? What data is public? What data would scare you if it got out? What would you do if that data was unavailable? What information is regulated? Once you scope out the data categories, you can start developing policies and procedures.
  4. Establish procedures and workflows. Start applying security controls at every step of the data handling transactions. Data security controls, according to the Infosec Institute, are used to safeguard sensitive and important information. They help to detect, minimize or avoid security risks to your computer systems. If you don’t know what data security controls are needed, then you may need to consult with a third-party technical professional. However, by performing a stakeholder workflow review, you have already done a great deal of work towards a proper risk assessment.
  5. View technical data as a puzzle for the entire staff. For example, an SMB may be able to send the team to a technical conference to soak up knowledge, or spend one hour a week listening to a webinar. Taking on technical challenges as a group, with a fun tone around the activity and rewards for solving puzzles, can help team camaraderie and teamwork. Technical content may be difficult, but having a staff that is eager to learn and crack hard puzzles will be an asset.
  6. Leverage eager learners and career novices. There are many people in school or just out of school itching to get some real-world experience. Consider hiring an intern with technical experience. Many colleges and trade schools have well-trained students studying cybersecurity.


The more you know about your operations, network topologies, business workflows, and regulations, the better you will know what data could be at risk. Once you know what data is at risk, you can start researching and learning how a “bad guy” could get this secure data.

If you start doing both, knowing what data is at risk and learning how it could be compromised, then regardless of your technical background you can effectively manage and outsource the more technical items.


Leveling up your security

If your company has some technical experience, where should you prioritize? In addition to concentrating on your most confidential information, here’s a checklist of your core security must-haves – especially if you are under FFIEC, NCUA or HIPAA regulations:

  1. Focus on the endpoints. This is where humans interact with machines, especially the mobile ones.
    1. Endpoint encryption
    2. Endpoint antivirus
    3. Email phishing/spam filtering
  2. Firewalls and perimeter
    1. Encrypt your communications
    2. Ensure you pose a minimal attack surface
  3. Employee security awareness training
    1. Especially around email usage, BYOD and best practices
  4. Data loss prevention (DLP)
    1. On your network shares and outbound email
    2. Block USB ports and limit access to certain websites
  5. Network and activity baselines set
    1. Monitor for availability
    2. Monitor to learn what is normal in your network
  6. Perform risk assessments, obsessively at first
    1. Scan your entire enterprise for both vulnerabilities and new assets
    2. Remediate those vulnerabilities in a documented way
    3. Scan early and scan often
  7. Keep improving! If you made it this far, you have built a solid security foundation. Now a process of re-evaluation and external testing will determine your next steps and the tools to automate all of the above.


When is a good time to bring in outside help? If your company has only one network technician who is busy installing new firewalls and routers on top of typical day-to-day troubleshooting and maintenance, you may find that the time and costs are too great or too inefficient for your organization to do it all. When it comes to maintaining and improving your security, you don’t want to be stuck inside a box like Brother Bear in The Berenstain Bears’ story. And you certainly don’t want to be stuck upside down inside a box.

KEYWORDS: cyber risk management, cybersecurity maturity, small to mid-size business (SMB) security

As a cybersecurity architect and analyst for Redhawk Network Security, Ivan Dominguez leads the charge to help organizations secure their networks and increase trust in their digital platforms. Ivan brings hands-on cybersecurity value, technical expertise, and regulatory compliance experience. His background includes incident response management, including complete documentation, post-action analysis, and network forensics. Ivan’s security certifications include CISSP and GPEN (Certified by SANS for Penetration Testing). He has extensive hands-on knowledge of NIST 800-37 and other NIST standards, SANS 20 Implementation and Auditing, FFIEC and NCUA regulations, and Cyber Security Assessment Tools.
