Security rules for SMEs to follow

With the increased power and efficiency of modern-day IT systems has come an upsurge in security breaches and activity focused on illicitly obtaining data from these systems. This executive summary outlines a variety of security rules SMEs can use to design a robust IT security policy to help minimise their likelihood of suffering a serious data breach.

Identify your most valuable IT assets

When formulating your data security policy, it is important to identify the assets (equipment and data) that are most valuable to your company and then determine which of these assets are most essential to the functioning of your business. One way to do this is to ask yourself which IT assets it would be hardest to run your business without.

Once you’ve identified your most valuable IT assets you should analyse them for vulnerabilities to help you devise an overall IT security plan.

Analyse your most important IT assets for vulnerabilities

Run a series of tests to determine how vulnerable your most important IT assets are to being exploited. If you need help performing the testing, automated programs for this purpose such as network vulnerability scanning applications are available online, or you can have your IT support firm perform the tests for you. Any vulnerabilities discovered in the testing phase should be corrected to ensure maximum system security.

Create a documented security policy

The best security plans in the world will come to naught if your employees don’t heed them. Crucial to this process, especially as employee count rises, is to create documentation explaining your security policy to your staff. The documentation should cover all aspects of your security policy so that it is clear to employees what is expected of them.

Install a firewall and test it regularly

A firewall is designed to prevent outsiders from accessing your private network. Enterprise connections should be shielded from cyber attack by a firewall that performs stateful packet filtering at minimum. To keep costs reasonable, SMEs should consider utilising appliance-based firewalls or consulting with a managed services provider (MSP) about outsourcing their security needs.
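To make "stateful packet filtering at minimum" concrete, the following is an added example of a minimal stateful nftables ruleset for a small office gateway; it is not part of the original summary and is not any vendor's configuration. The interface names (lan0, wan0), the internal subnet (192.168.10.0/24) and the exposed web ports are constructed placeholders to be replaced with your own values. The key lines are the default drop policy and the connection-tracking (ct state) rules: replies to connections started from inside are allowed, everything else must be explicitly listed.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (assumed names: lan0 = internal interface, wan0 = internet
# interface, 192.168.10.0/24 = internal office subnet). Apply with: nft -f <file>

flush ruleset

table inet filter {
    chain input {
        # Default stance: anything not explicitly accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Local processes talking to the host itself.
        iif "lo" accept

        # Stateful core: accept packets belonging to connections the inside
        # initiated (and related ones, e.g. FTP data or ICMP errors).
        ct state established,related accept

        # Packets that match no tracked connection (e.g. stray TCP flags) are dropped
        # before any port-based rule can be tricked into accepting them.
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and error reporting.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Services deliberately exposed to the outside, listed explicitly
        # (constructed example: a web server on the gateway).
        tcp dport { 80, 443 } accept

        # Administrative access (SSH) only from the internal subnet, never from wan0.
        iifname "lan0" ip saddr 192.168.10.0/24 tcp dport 22 accept

        # Log whatever reaches the end so the drop is visible in syslog for review.
        log prefix "nft-drop-input: " drop
    }

    chain forward {
        # Traffic passing through the gateway between lan0 and wan0.
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections opened from the office network.
        ct state established,related accept
        ct state invalid drop

        # Office hosts may initiate connections to the internet; the reverse
        # direction is only reachable through the established,related rule above,
        # so outsiders cannot open new connections into the LAN.
        iifname "lan0" oifname "wan0" accept

        log prefix "nft-drop-forward: " drop
    }

    chain output {
        # Outbound traffic from the gateway itself is allowed; tighten if the
        # gateway should not initiate arbitrary connections.
        type filter hook output priority 0; policy accept;
    }
}
```

A stateless filter would have to open whole ranges of return ports to let replies back in; the connection-tracking rules above remove that need, and the two log-then-drop lines give you something to check when you "test the firewall regularly", because every rejected packet leaves a syslog entry with the stated prefix.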

Protect your email server system with anti-virus software

The most common source of security breaches involving SMEs is email, typically via links clicked on by unwary employees. Your email server should be protected by a commercial antivirus (AV) solution, either in the form of a hardware appliance or software installed on your equipment. Multifunction appliances can be good for SMEs because of their reasonable cost, solid protection, and the ease with which they can be set up, configured and maintained. However, they aren’t as scalable or easy to adjust when necessary as AV software.

Companies with more complex networks will typically be better served by network AV software or high-end appliances. An IT consulting firm can help you install and provision your AV solution if your company lacks the in-house expertise to do so.

Follow security procedures when disposing of old technology

To ensure that any confidential data kept on old computers, servers, or mobile devices is disposed of properly, make sure the hard disk is physically destroyed rather than simply throwing the device away.

Use robust password security procedures, especially when allowing remote access to your data

To some degree, your enterprise security is only as good as your password security. Even the most robust of firewalls won’t help if outsiders are able to gain access to your network via compromised passwords. Any remote access you provide should only be enabled via complex, difficult-to-decipher passwords.

Verify your website uses the latest intrusion detection solutions

Publicly available websites are by nature exposed to a variety of threats, including denial of service (DoS) attacks and unwanted intrusions. Every company website should at the least comply with vendor-provided security provisions to deter intrusion.

Restrict access as appropriate and monitor employee behaviour for potential security risks

Your IT security policy should specify which employees have access to sensitive parts of your network, because many data breaches, on further investigation, turn out to have originated with employees who had access to the network.

Use encryption for laptops/tablets

The use of laptops/tablets presents inherent security risks, requiring a robust security policy to reduce the likelihood of a security breach. One way of accomplishing this is to require employees using such devices for company business to use encryption.

Enable remote wipe facilities for mobile phones

If mobile phones or tablets fall into the possession of outsiders, remote wipe facilities are essential to prevent the data on those devices from becoming compromised.

Establish help desk and anti-phishing security policies

A source of a significant number of security breaches is “social engineering,” which refers to attempts by attackers to get company personnel to provide valuable data such as password information by pretending to be a customer or employee. Establish identity verification procedures to make it as difficult as possible for this to occur.

Another frequent source of security breaches is phishing emails, where attackers send emails which look legitimate in order to gain access to sensitive company data. Your security policies should include measures to prevent such email phishing schemes from compromising vital information or costing your firm money.

SMEs can significantly improve their IT security profile by consulting the rules listed above as they design their security policies. Make sure to review your security plan at least yearly to verify that it has kept pace with any advances in technology that have occurred since the last review.