Setting Up Information Security for a Small Business

An impressive 95 percent of all companies in the U.S. are classified as small businesses, so they represent a critical part of the business landscape and economy. Yet the SBA’s definition of a small business (independently owned and operated, organized for profit, and not dominant in its field) lends itself to certain challenges. While achieving growth to become more dominant in its field is typically the highest priority, the small business needs to achieve that goal without taking unnecessary risks within its operations.

As an information technology specialist, you might be very familiar with this scenario and used to battling the executive team to receive adequate resources or personnel for information security. According to “How much should you spend on IT security?”, published on InfoWorld, research performed by Gartner indicated that only 5 percent of the total information technology budget is devoted to security.

Given this relatively small budget allocation, IT professionals must continually ask themselves, “What are the most important information technology security investments a small business needs to make?”

  1. Protect information systems from attacks. In addition to purchasing and installing anti-virus/anti-spyware software, this step also involves performing regularly scheduled security updates and health scans. It is important to remember that some employees work from home, so every computer the small business uses must be protected.
  2. Secure the internet connection. While this recommendation should be common sense, many businesses have wireless connections that are not adequately secured. It is critical to install and maintain a hardware firewall for both the internal network and internet connections.
  3. Use software firewalls. Common operating systems such as Windows have firewalls included, but it is important to double-check that they are activated. If an operating system or software doesn’t have a firewall, such software is readily available for purchase.
  4. Update/patch operating systems and applications. As security weaknesses are exposed within operating systems and software, vendors will release patches and updates to correct them. It is important that both IT and employees regularly install these updates because it is very easy to click “Remind me later” and inadvertently expose systems to attacks.
  5. Create backup copies of data. Without data backups, if the unexpected occurs and a system fails, information may be permanently lost. Rather than rely on employees to perform these backups manually, investigate whether these backup functions can be automated.
  6. Limit access to computers/systems. From password-protecting computers when they are not in use to limiting personnel in the server room, this simple precaution helps protect sensitive information.
  7. Educate employees about basic security. Consider implementing a new employee orientation designed to educate employees about what constitutes sensitive information, policies surrounding work computers, etc. Common mistakes include using low-security passwords such as “123456” or “Password” or utilizing the same username/password combination across multiple sites and platforms.
  8. Generate individual user accounts for each employee. Individual accounts are a smart way to hold each employee accountable for his or her actions on various networks and activity within sensitive files. Additionally, consider placing limits on what information users can access.

By following these eight guidelines, you’ll have a solid foundation for creating secure information systems for your small business environment. Furthermore, additional education such as an online information technology degree or information systems degree can better prepare you to understand and prevent information security threats. “Pairing a Master’s degree in IT security with current certifications not only gives the potential employer a top-notch security expert, but says that as a security specialist, ‘I understand the impact that security decisions have across the organization, not just at the point where our network connects to the internet,’” says Danette Lance Ph.D., dean of business and information technology at American Sentinel University.

With your guidance, expertise and education, you’ll help create IT best practices that position the small business for operational security and long-term success.
