Statistics suggest that between 43 percent and 70 percent of cyber-attacks are aimed at small businesses. The average cost to a small business in 2017 was $2,235,000. Up to 60 percent of small businesses shut down within six months of an attack, as they simply do not have the infrastructure to survive the financial losses.

Security solutions for SMBs are sometimes a grudge purchase. The graph below shows why SMBs are targeted by cybercriminals — without security, they are sitting ducks!

IT security controls used by small business in the United States as of March 2017 (Source: Statista)

Can Free and Open-Source Software Work for Your Small Business Security?

While free software won’t always give you as many features as paid solutions, small businesses with few assets may not need more than the basics. Why pay for overkill? In fact, bloated products may slow an SMB’s system and can be complicated to administer, perhaps even requiring a full-time person to manage.

The products below were chosen because they are free, easy to use, have a GUI (we have excluded command-line-only products) and are licensed for business use. Always read the licensing agreement to make sure you can legally use each piece of software commercially.

Most operating systems have built-in security features. Your first step is to find out how yours works and ensure it is enabled. How-To Geek has the lowdown on built-in security for popular OSes.

In this article, we outline a plan for SMBs to take advantage of free security resources when planning a security strategy and/or before committing to paid software.

Perform a Risk Audit of Key Assets

If you don’t know what you have, you can’t protect it. Asset management software helps you to track, manage and inventory key assets.

  • Snipe-IT: Free (self-hosted) and paid plans include GitHub support and unlimited users and assets. GNU license.
  • Reftab: Easy-to-use tool with a surprising number of features in the free version (for one user and 50 assets). EULA.

Identify Security Vulnerabilities

Now you need to identify any obvious network vulnerabilities, which you will need to address even before you create a security plan.

  • Privacy Impact Assessment (PIA): A PIA is a complex process and can be costly, but infringing the laws around Personally Identifiable Information (PII), including GDPR, will cost even more. You can customize a downloadable template from Privacy.org to get started. Small businesses should also have a policy for privacy in the workplace.
  • Web application scanners
    • Arachni: An open-source vulnerability scanner that, unlike many open-source tools, offers Windows, Mac and Linux portable packages. It has a comprehensive support portal and you can export scan results to XML. EULA.
    • OWASP’s Zed Attack Proxy: A powerful Web scanner, popular with experienced pentesters, ZAP is extremely well documented and easy to install for most platforms. Apache 2 license.
    • Qualys FreeScan: Scans for vulnerabilities and malware threats. Usage: “FreeScan is a free vulnerability scanner and network security tool for business networks. FreeScan is limited to ten (10) unique security scans of Internet accessible assets.”
  • Endpoint scanners
    • Shodan: Can quickly identify any unprotected Internet-connected devices on your network.
    • Angry IP Scanner: An open source network scanner and mapper, Angry IP Scanner scans all your ports and IP addresses. GNU license.
    • Nmap: Popular network discovery and auditing tool that is intuitive to use and extensively documented. A staple in many professional ethical hackers’ toolboxes. NPSL.

Identify Your Security Requirements

At this stage, members of your IT team and other relevant stakeholders, having plugged any urgent holes in your security, should sit around a table and list, in order of priority, the areas of your business that need to be secured.

This article from the Australian Cyber Security Centre is a conversation starter and checklist for businesses to analyze security protocols currently in place and identify areas that are not protected. This guide describes each security tactic and why a business would need to use it. Does your company have policies to restrict admin privileges? Is email content filtered, including attachment types? Do you use or need multi-factor authentication?

Draw Up a Plan of Action/Security Project Plan

Having a plan provides a timeline for implementation and details of the processes that need to be carried out, and identifies tasks, linking each one to a responsible person. It also encourages buy-in from staff and will assist you in developing a formal security policy. The tools below support Web, Windows, MacOS, Linux, iOS and Android.

  • Trello for Teams: Popular software that allows unlimited “boards” and users, and 10MB attachments. It gives users, not just project managers, control over their tasks. EULA.
  • Bitrix24: Classic project management software with traditional Gantt charts. Allows unlimited projects, up to 12 users and 5GB online storage. EULA.
  • MeisterTask: Supports ideation mind maps. Allows unlimited users and projects, and 20MB attachments. (Contact for licensing details)

Software for $0 Budgets

You have a plan. Now you need the software to put it into action.

Network Protection and Intrusion Detection System (IDS)

  • PacketFence: An open-source network access control (NAC) solution. Features include: role-based access control, guest access, network firewall, IDS, compliance, device management and malware protection. Support is limited to mailing lists. GNU license.

Virus and Malware Scanners

It is not difficult to find free antivirus and anti-malware software on the Internet. Even the big names in security protection have a free offering. Unfortunately, most are not licensed for commercial use. We have sourced a few options from award-winning vendors that are.

  • Comodo Free Internet Security Software: Based on prevention rather than detection, uses cloud-based protection to isolate suspicious files, and boasts an integrated firewall to limit applications’ access to the Internet. EULA.
  • Security Essentials for Windows 7: Real-time malware protection and on- and offline scanning. Free for commercial use on up to 10 devices. EULA.
  • Nano Antivirus (Windows): Real-time protection against all types of malware. Unlimited usage for businesses. EULA.

Note: Windows Defender ships with comprehensive virus protection for versions 8.1 and up. MacOS uses XProtect.

Endpoint Detection and Response (EDR)

  • cWatch EDR from Comodo: Billed as “the world’s first free EDR,” cWatch almost seems too good to be true, but it’s real. It offers protection for unlimited endpoints and 24/7 support. Provides a recommended security policy, which is used to create customized attack notifications and alerts. Some potential downsides: Data is only retained for three days, as opposed to 30 days for the Premium version, and the license is for one year so there is no guarantee Comodo will renew it.

Virtual Private Network (VPN)

A VPN is essential software, but free VPNs are often limited by location, speed or data caps. The real problem, however, is that your data may be put at risk by unscrupulous vendors. Some experts call free VPNs “a privacy nightmare.” There are exceptions that rival paid solutions:

  • OpenVPN Connect: A full-featured, popular VPN using AES 256-bit encryption. It has extensive documentation and community support. Perfect forward secrecy (PFS) ensures that even if a session key is compromised, only the data of that session is at risk; past and future communications remain secure. EULA.
  • SoftEther VPN: A worthy competitor to OpenVPN; tests suggest it’s even faster. It is platform-agnostic, easy to install and includes extensive documentation. GNU license.
  • tinc VPN: A mesh VPN, recommended for businesses that have multiple servers on a shared network. tinc supports dynamic mesh routing but can be complicated to set up. Installers are available for most platforms. GNU public license.

Tip: Keep an eye on WireGuard, which is still in development but promises to be faster and leaner than other popular open-source VPNs.

Password Managers

  • passbolt: Open-source, user-friendly password management designed for organizations; it allows teams to share passwords while each user keeps a private key. Still under development, it lacks a few features of more established products, e.g., password export. Try the demo before you download it. GNU license.
  • KeePass: Lots of features, from password generation and import/export capability to multiple user keys and group key support. GNU public license.

Browse more open-source business software at SourceForge.

The Hardest Part: Devise a Unique Security Policy for Your Business

Grab some templates from template.net to use as guidelines for creating your own security policy.

Humans, the Weakest Link

The Effect of Human Negligence

According to insurance company Willis Towers Watson, human negligence accounts for 66 percent of cybersecurity breaches. The 2017 Verizon Data Breach Investigations Report said 81 percent of “hacking-related breaches leveraged either stolen and/or weak passwords.” While these statistics reflect the effect of user negligence, they also suggest that technology, together with security awareness programs, can help mitigate human error.

Security Awareness

Security Awareness Training

Quoted in an InfoSec Institute article, Alex Stamos, one-time Facebook CSO, said users should not be the only ones to take responsibility for data security. “This modern world of technology is full of tightropes and for the most part, we have not put any safety nets under those tightropes,” he said.

The safety nets he refers to are security awareness training programs. InfoSec Institute suggests organizations should develop custom programs for everyone with an email account or access to the company’s network. AwareED and PhishSIM are two tools organizations can use to create role-based awareness training programs for employees in diverse roles, from CEOs to front-desk staff.

Using Technology to Help Prevent Cyber-Attacks

Security software is not out of reach for companies even with strict budgets. The free software applications we’ve listed here can help businesses to test new technologies and customize their lines of defense. Technology can harden system security, and together with security awareness training, provide a safety net against human error.


Products and Services

  1. Asset management software, freshservice
  2. Snipe-IT open source asset management, GROKABILITY, INC
  3. Easy asset management software, Reftab
  4. Open source vulnerability scanner, Arachni
  5. OWASP’s Zed Attack Proxy, OWASP
  6. Qualys FreeScan, Qualys
  7. EBrowser for endpoint scanning, Shodan
  8. Opswat’s MetaAccess, Opswat
  9. Angry IP Scanner, Angry IP
  10. Kaspersky Free, Kaspersky
  11. Eset online scanner, Eset
  12. Open VPN, Open VPN
  13. Trello, Trello
  14. Bitrix24, Bitrix24
  15. MeisterTask, MindMeister
  16. PacketFence, PacketFence.org
  17. Nano Antivirus, Nano
  18. cWatch EDR, Comodo
  19. Open VPN Connect, OpenVPN
  20. SoftEther, University of Tsukuba
  21. tinc VPN, tinc
  22. WireGuard, WireGuard
  23. passbolt, passbolt
  24. KeePass, KeePass

Sources

  1. Cybersecurity Statistics Every Small Business Should Know, CyberDot
  2. IT security controls used by small business in the United States, Statista
  3. Free CyberSecurity Tools: The Ultimate List, CyberX
  4. Do Non-Windows Platforms Like Mac, Android, iOS, and Linux Get Viruses? How-To Geek
  5. Template – Privacy Impact Assessment Report, Privacy.org
  6. Cyber risk: it’s a people problem, too, Willis Towers Watson
  7. 2017 Verizon Data Breach Investigations Report, Verizon
  8. 7 Security Policy Templates, template.net