A Checklist of Security Measures for SMEs

Risk Management and Security Policy

Risk management requires analysis of the security requirement for each asset (classification according to the feared impact), assesses the likelihood of threats for these assets, and quantifies the ease with which the vulnerabilities of these assets can be exploited.

For very small businesses, this risk analysis is not easy to perform. As a result, this section provides a non-exhaustive list of potential threats and responses to reduce their impact.

If your organisation fears serious impacts, it is strongly recommended that you proceed with a risk management approach and define a security policy and a continuous improvement process. More advice can be found in the article ‘Protecting Your Business’.

Threats to Infrastructure

Infrastructure includes all the essential assets and services on which the information system is based, such as the supply of power, communication or processing services. These services are critical to the operation of the information system and exposed to certain threats (see ‘Threats to infrastructure’):

• Fire
• Service interruption
• Denial of service attacks and distributed denial of service attacks
• Disrupted transmission of wireless communications
• Wireless network tapping
• Interception of communications
• Network access unavailable
• Power cut
• Discontinuity of service providers
• Infiltrating the premises

Threats to Hardware

See the article ‘Threats to hardware’:

• Unusable backups
• Hardware damaged during transport
• Failure of IT or communications equipment
• Insertion or removal of hardware
• Device recovery
• Aggravated theft

Threats to Software

Software is the most commonly used user interface for manipulating information. This interface, which offers a finite but immense set of possibilities, is subject to multiple constraints and multiple threats jeopardising the operation of the organisation, the most acute being malware, which will be addressed in a specific chapter in this document. See ‘Threats to software’:

• Unsuitable software environment
• Use of unapproved software
• Administration impossible

Legal Aspects

Special legal and regulatory provisions must be adhered to by organisations. These provisions involve, in particular, respect for privacy, copyright and the specific regulatory provisions of the industrial sector. See ‘Legal aspects’:

• Unauthorised processing of personal data – Employee monitoring
• Invalid or non-existent licence
• Lack of traceability of operations
• Regulatory requirements

Threats to People

See the article ‘Threats to people’:

• Social engineering/Inadequate communication
• Human error
• Misuse of the organisation’s resources
• Absent staff
• Malicious administrator
• Spam / Phishing
• Third-party use of access reserved for a single user

Handling Malicious Codes

Recommended security measures for countering malicious codes.