No budget to build an IT staff? No problem

CNET@Work: IT troubles are sure to pop up as your startup scales -- not to mention malicious hackers. There are ways to protect yourself, however, without draining your bank account.

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
Charles Cooper
4 min read
Getty Images/iStockphoto

With technology increasingly intertwined with all aspects of business, CNET@Work can help you -- from prosumers to small businesses with fewer than five employees -- get started.

For malicious hackers, startups and small businesses equal big targets of opportunity.

Half of the 28 million small businesses in the US suffered data breaches in the last year. But many still remain unprepared. About one in three small businesses still don't have basic cybersecurity protections in place, such as firewalls, antivirus software, spam filters and data-encryption tools to defend against attacks that can derail their operations.

While it's hard to measure the return on investment for cybersecurity compared with spending money on sales or manufacturing, be aware that the potential losses resulting from a cybersecurity breach can sink a company by exposing trade secrets, valuable IP and information. 

At the same time, you risk losing your customers' trust as well as souring chances to win their future business. In addition, you may be found legally liable if a security breach winds up compromising customer data. 

And don't assume you can fly under the radar. Startups are incredibly vulnerable to cyberattacks in their first 18 months.

Security on a shoestring

Many companies outsource the job to the many managed security service providers (MSSPs) who specialize in cybersecurity. The downside is that this sort of arrangement can prove costly, especially for a very small operation. What's more, small business owners might be uneasy placing the security of their business operations in the hands of an outsider.

Still, protection doesn't need to turn into a budget-busting proposition and there are proactive steps you can take to mitigate threats in a cost-effective fashion. Here are several low-cost steps to help construct an effective cyberdefense while also managing everything in-house.

Prioritize what's important to you and pull together a list ranking the importance of your assets in descending order. Choose the battles you want to fight based on the risk to your business and the cost. Not all data is created equal and this will help you smartly allocate resources as you build a set of policies and controls around your most critical data.

Audit your computing infrastructure and make sure that important network devices, including routers, switches, firewalls and servers, only perform the specific functions they were acquired to perform. For example, if a Windows server isn't serving a website, it likely doesn't need IIS up and running. Also, you can use Nmap and other open source scanning tools to check whether you've left any unexpected ports open.  

Regularly scan for vulnerabilities. You can find a wide selection of free or inexpensive open source software and other services. Vulnerability scanners such as OpenVAS, network mapping tools (Nmap) -- and even an Intrusion Detection System called Snort – are all available at no cost. One thing to keep in mind: Despite the fact that these products are free, you'll still need a certain level of expertise to implement and manage these systems in an ongoing fashion.

Secure your email with a good spam filter since most attacks originate via email.

Apply security policies: Deny USB file storage, set user screen timeouts, limit user access and adhere to enhanced password policies.

Use the full range of security features and capabilities available in your existing hardware and software. For instance, Windows Firewall is included with every Windows server. While it should not be your only firewall in the network, it can still provide another barrier in a layered defense. Best of all, it doesn't cost any extra.

Are you patching servers consistently? Too many organizations are lax about keeping up when software suppliers issue regular free updates to their products.

Patching also applies to hardware devices. Keeping current when manufacturers issue the newest firmware with fixes and other improvements to hardware will help improve the security of your firewall, switches and Wi-Fi access points.

Check your equipment configurations to minimize the attack surface on any device. This is especially critical for any external-facing components. Turn off any features that you don't need.

Take out cyberinsurance so there's coverage for business disruption expenses, including PR and legal expertise to deal with any fallout from a breach. This helps ensure proper legal protocols get followed and that affected people can be properly informed about the situation.

And lastly, raise employee awareness about cybersecurity. This doesn't cost a thing and it will pay back your time investment many times over. Enlist employees as an extension of the existing security program. Everyone on staff needs to shoulder responsibility for the security of the organization. There's no excuse for bad cybersecurity etiquette, not with intruders trying to break into your company more frequently than ever.

Read more: Never work without a net: Insuring your business

Training vs. technology

Some might argue that training is less important than investing in technology. But if you work on the assumption that employees are always bound to do the wrong thing, they will. 

Make sure they are aware of the potential security threats facing the organization and also know how to recognize phishing emails or social engineering attempts. Put specific policies in place so employees will know what constitutes appropriate use of business equipment. Also, make it easy to report any irregular or suspicious behavior.  

Whichever direction you choose, the goal is the same: Build out a multilayer defense that is going to protect your organization as much as possible and help mitigate the threats. 

If it sounds too daunting to take on, think about the consequences of doing nothing. The bad guys will be coming for you -- sooner or later. You'll help both your reputation and bottom line by being prepared.