Jellyfish for
Small to Medium Enterprises

Small businesses should install antivirus and anti-spyware software on every computer used in their business operations. This needs to be updated regularly in accordance with vendor specifications.

Small businesses are more exposed to threats than personal computers and networks. Businesses should install and keep operational a hardware firewall between their internal networks and the Internet. The firewall function may be provided by a wireless access point or router installed by the small business or by a router operated by the Internet Service Provider (ISP) of the small business.

The vendors of major operating systems generally provide patches and updates to their products. These correct discovered security problems and improve functionality of the software. Patches should be applied to business systems regularly and installed on all new systems and software.

Copies should be made of all data including word processing documents, electronic spreadsheets, databases, financial files, human resources files, accounts receivable and payable files, and other information used in or generated by the business. This will prevent loss of data when there are equipment failures, employee errors, or destruction of data by malicious code.

Small business owners who use wireless networking should set the wireless access point so that it does not broadcast its Service Set Identifier (SSID). When new devices are acquired, the administrative password that was on the device when it was purchased should be changed. Strong encryption should be used so that data being transmitted between the businesses’ computers and the wireless access point cannot be easily intercepted and read by electronic eavesdroppers.

Unauthorised persons should not be allowed to access or to use any business computers, including laptops. Computers should not be available to access by cleaning crews or by unsupervised repair personnel. Employees working at their computers should position their displays so that they cannot be seen by people walking by an office or by unknown strangers who may walk into an office.

A separate account should be established for each individual computer user, and strong passwords should be used. Passwords should be changed at least every three months. The employees’ individual accounts should not have access to administrative accounts to avoid the installation and spread of unauthorised software or malicious code.

Employees should be trained to use the sensitive business information properly and to protect the business’ and its customer’s information. Employees should receive training on the organisation’s information security policies, including the use of computers, networks and Internet connections, the limitations on personal use of telephones, printers, and other business resources, and any restrictions on processing business data at home.

Access to all data and to all systems, including financial, personnel, inventory, and manufacturing, should not be provided to any one employee. Access to systems and data should be limited to the specific systems and information that employees need to do their jobs. One employee should not be allowed to both initiate and approve transactions, such as financial transactions.