In a large enterprise with a fully-staffed IT department and individuals specifically tasked with IT security, protecting the network against attack has become institutionalized. It’s taken for granted that it is a necessary function, and hopefully, policies and rules are put into place to also provide education to end users on how to minimize risk. Smaller businesses don’t always have it so good.

Managers at SMBs too often suffer under the delusion that putting in a firewall and some anti-virus software will solve all of their security problems. And facing tight budgets, these smaller companies are not putting the money they need to into more complete security environments.

There are two things a small business needs to do: First, understand that security goes beyond firewalls and antivirus software; and second, make personnel aware of security policies and the reasons behind them. A new white paper, “Security threats: A guide for small and medium businesses”, starts out by giving us a worthy reminder that SMBs flourish not only on revenue growth, but also on loss prevention. One big attack could wipe out a small company’s profits completely.

The threats facing SMBs are very real, and increasingly, attackers are becoming much more focused. They don’t just pick on the big boys any more, and so it’s important to understand precisely what these threats are. The number one threat of course, is malicious Internet content, like viruses, worms, and other types of malware, often introduced through email or by using a social engineering attack. But it doesn’t stop there. SMBs are often very reliant on laptop computers and other types of mobile technology, including USB sticks, and attacks on physical systems also account for major losses every year. Some of this physical threat can be mitigated just by good policy, including securing the server room.

Authentication and privilege attacks also pose a real threat, and proper password policies must be created and enforced. In cases where tight security is appropriate, two-factor authentication is best; also, policies must keep on top of obsolete passwords, and passwords attached to people that are leaving or have left the company. Finally, another threat for the SMB to consider is the possibility of denial-of-service, and this can be addressed by eliminating single points of failure whenever possible.

The SMB can start with anti-virus at the desktop and a firewall, but shouldn’t end there. Endpoint security is necessary, but must be supplemented with gateway-level security to ensure that the malware attacks don’t even get into the network. The endpoint security just acts as a failsafe. Combining the technology with good policies and a broad level of security awareness throughout the organization will help the SMB keep those losses to a minimum.