Category: Business Continuity

Dec 15 2008

Fixing The SMB Security Process

The typical small/medium business (SMB) security process is reactive and usually looks something like the following.

  1. Something breaks / data is accidentally deleted or goes missing / a computer is infected with malware / the company website gets hacked.
  2. The SMB reacts. This typically requires one of the following: fixing the problem, devising a creative workaround, or simply realizing nothing can be done and giving up (which might fall into the creative workaround category). All of these cost the SMB time and/or money.

So how can the typical SMB reduce the need for costly reactions, or be better prepared in the event they do need to react to an incident? The simple answer is to be proactive about business-related technology risks. Here are a few more detailed recommendations.

Reduce Ignorance of Technology Dependence:

Many SMBs utilize technology to reduce costs and increase productivity, but many do not understand that with these benefits come some pretty serious risks. Do the following exercise to better understand your technology dependence. Essentially you are doing the reactive work ahead of time.

  1. Walk through your business's typical day, outlining business processes such as ordering, payroll, payables, customer service, and sales.
  2. Write down the pieces of technology that are required to make these business transactions happen.
  3. Imagine what the day would be like should each one of those technology advantages be missing, unavailable, perform poorly, etc.
  4. Write down any low-tech alternatives you may have (such as manual credit card transactions using that really ugly and cumbersome imprinting machine; hey, it works!).

This information will help you understand some of the major risks to critical business processes. Sure, you will miss some, but you will be better off than when you started.

Adopt Automated / Managed Systems:

Sure, these come with their own set of risks, but automated systems implemented properly can save an SMB a lot of headaches and even prevent some incidents from happening. Here are a few examples:

  • Offsite data backups
  • Antivirus / Desktop firewalls centrally monitored and controlled to ensure updates are applied and network policies are enforced.
  • Near-real-time integrity monitoring of the company website
  • Managed services for weekly/monthly/quarterly, proactive checkups of systems (let somebody else worry about it).
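The website integrity monitoring bullet above is the one item in this list that is easy to show in code. The following is an added example, not code from the original post or from nGenuity: it records a baseline of SHA-256 digests for every file in the site's document root, takes a fresh snapshot on each run, and reports files that were added, removed or changed so that a defacement or an unexpected upload is flagged quickly rather than discovered by a customer. The sample site contents embedded at the bottom are constructed for the example; the snapshot_dir helper is what you would point at a real document root.

```python
import hashlib
from pathlib import Path


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root) -> dict:
    """Hash every regular file under `root` (a real document root); keys are relative paths."""
    root = Path(root)
    return {
        str(p.relative_to(root)): digest(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot_content(files: dict) -> dict:
    """Same as snapshot_dir, but over an in-memory {path: bytes} mapping (used for the demo)."""
    return {path: digest(data) for path, data in files.items()}


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: files that appeared, disappeared, or whose digest changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def is_clean(report: dict) -> bool:
    """True when nothing was added, removed or modified since the baseline."""
    return not any(report.values())


# Constructed sample: the site as published (baseline) ...
SITE_BASELINE = {
    "index.html": b"<html><body>Welcome to Example Credit Union</body></html>",
    "contact.html": b"<html><body>Call us at the branch</body></html>",
    "css/site.css": b"body { font-family: sans-serif; }",
}

# ... and the site as found on a later check: home page altered, a page missing,
# and a script nobody deployed.
SITE_LATER = {
    "index.html": b"<html><body>This site has been modified</body></html>",
    "css/site.css": b"body { font-family: sans-serif; }",
    "js/unexpected.js": b"console.log('not part of the release');",
}


def run_demo() -> dict:
    """Take the baseline once, then compare a later snapshot against it."""
    baseline = snapshot_content(SITE_BASELINE)
    current = snapshot_content(SITE_LATER)
    return compare(baseline, current)


if __name__ == "__main__":
    report = run_demo()
    if is_clean(report):
        print("site unchanged since baseline")
    else:
        for kind, paths in report.items():
            for path in paths:
                print(f"{kind.upper():9} {path}")
```

In practice the baseline is written to storage that the web server cannot modify, the check runs from a scheduler every few minutes, and any non-empty report goes to whoever is on call; the baseline is only regenerated as part of a deliberate release.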

Do It Over Again:

Environments change, and your plan should evolve with them. Consider reviewing the assessments, planning, and systems you have put in place over the course of the past year, and adjust them to fit your current business strategy. Remember that technology should enable business; ignoring your technology-based risks won't make the risks go away, and it certainly won't make enabling your business any easier.

Sep 01 2008

On Cloud Nine or So They Think

Every so many years the paradigm shifts from internally hosted content and applications to managed services, and eventually finds its way back again. Back in the 1990s application service providers were all the rage, and they quickly diminished with the dot-com boom. Today that shift is back and is moving towards "cloud computing."

One popular aspect of cloud computing for consumers is Software as a Service (SaaS). These are typically subscription-based services billed per use or per period. This is great for businesses that want to adopt a technology quickly with low overhead. These services are increasingly giving small businesses the opportunity to compete with large corporations where they could not in the past. Technology can be a great equalizer, but just below the surface of some services, hidden costs and risks can loom.

Consider a credit union that nGenuity recently consulted for. The banking application they use for all critical banking transactions is a hosted application, accessed over the Internet via a Virtual Private Network (VPN). This was a great solution for them, or at least they thought so, up until it stopped working. In the blink of an eye every business transaction at that credit union stopped. Even though there was money in the vault, they couldn't give it to customers because "the computer system was down." This does not make for happy customers. The question they forgot to ask, like so many companies, is "what do we do if this doesn't work?"

Let's take a look at a few ways you and your business can avoid getting into the same situation.

Critical Business Functions:

Identify the technology and resources your business requires to perform critical functions. This exercise will be a lot easier for smaller businesses than larger ones: as more technology, staff, roles and functions are added, the more complex the dependency matrix becomes. A third party that knows and understands the risk that technology can bring to businesses can help quickly rank risks and identify ones that may be missed by the inexperienced professional.
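The "dependency matrix" described here, and the day-in-the-life exercise in the earlier post (processes, the technology each one needs, and the low-tech alternatives), can be captured in a small model and queried. The following is an added example, not code from the original posts or from nGenuity. The processes, technologies and fallbacks are constructed to resemble the credit-union case (a hosted application reached over a VPN over an Internet link); the functions take a single failed component, follow the dependencies transitively, and rank every component by how many business processes its failure would halt, with fallbacks such as a manual card imprinter taken into account.

```python
# Constructed example: which business processes need which technology ...
PROCESS_DEPS = {
    "ordering": ["web store", "payment gateway"],
    "payroll": ["payroll SaaS"],
    "payables": ["accounting server"],
    "customer service": ["email", "phone system"],
    "sales": ["CRM SaaS", "payment gateway"],
}

# ... and which technology needs which other technology (the hidden dependencies).
TECH_DEPS = {
    "web store": ["internet link"],
    "payment gateway": ["internet link"],
    "payroll SaaS": ["internet link", "VPN"],
    "CRM SaaS": ["internet link"],
    "email": ["internet link"],
    "accounting server": ["office LAN", "power"],
    "internet link": ["power"],
    "VPN": ["internet link"],
    "phone system": ["power"],
    "office LAN": ["power"],
}

# Low-tech alternatives written down during the exercise (step 4 of the first post).
FALLBACKS = {
    "payment gateway": "manual card imprinter",
    "email": "take the call and write it down",
}


def affected_by(failed: str, tech_deps: dict) -> set:
    """Everything that is down once `failed` is down, following dependencies transitively."""
    down = {failed}
    changed = True
    while changed:
        changed = False
        for tech, deps in tech_deps.items():
            if tech not in down and any(d in down for d in deps):
                down.add(tech)
                changed = True
    return down


def halted_processes(failed: str, process_deps: dict, tech_deps: dict, fallbacks=None) -> list:
    """Processes that cannot run when `failed` is down and no fallback covers the broken piece."""
    fallbacks = fallbacks or {}
    down = affected_by(failed, tech_deps)
    halted = []
    for process, deps in process_deps.items():
        broken = [d for d in deps if d in down and d not in fallbacks]
        if broken:
            halted.append(process)
    return sorted(halted)


def rank_single_points_of_failure(process_deps: dict, tech_deps: dict, fallbacks=None) -> list:
    """Every component ranked by the number of processes its failure halts (worst first)."""
    all_tech = set(tech_deps)
    all_tech |= {d for deps in tech_deps.values() for d in deps}
    all_tech |= {d for deps in process_deps.values() for d in deps}
    ranking = [(t, halted_processes(t, process_deps, tech_deps, fallbacks)) for t in all_tech]
    return sorted(ranking, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for tech, halted in rank_single_points_of_failure(PROCESS_DEPS, TECH_DEPS, FALLBACKS):
        if halted:
            print(f"{tech:18} halts {len(halted)}: {', '.join(halted)}")
```

The ranking is the starting point for the conversation with a third party: the components at the top are the ones whose SLA, redundancy and fallback procedure deserve attention first, and re-running the model after each change to the environment is the "do it over again" step from the first post.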

Service Level Agreements (SLA):

Whenever you hand control of your information and/or infrastructure to a third party, always have the proper service level agreements in place. 100% uptime (while not impossible) is impractical and hard to achieve most of the time. Realize that the service will fail and be unavailable sometimes. Make the third party responsible for that downtime. This compensation should be proportional to the loss your business will suffer due to the downtime. Consider lost customers, income, and productivity as some of the metrics when calculating this value. You have to motivate that third party to give you stellar service, and the only time to do this is before you buy the service!

Business Continuity Plan (BCP):

Write down the process for doing business when the technology or resources that support those critical business functions fail or are unavailable. Make this process as simple and straightforward as possible. Do not stop there. Train and enable your employees to handle these situations without the aid of management or somebody technically trained. Finally, run mock scenarios (fire drills) to give your business added confidence in being able to handle a disaster.

"If we hear, we forget; if we see, we remember; if we do, we understand." –Proverb

It all starts with asking the simple question: "What happens if this breaks and we can't do business?"
