
Tipsheet: Information security on the cheap

In various technology budget surveys, information security is always at the top of the list. But how do you really do it cheaply and save a few bucks?
Written by Larry Dignan, Contributor


This topic is a big one. While no CIO will admit he's trying to secure IT on the cheap, chances are good that budgets matter. With that in mind, here are some security tips that won't cost you much.

These tips were culled from a talk Adam Hils gave last week at the Gartner Symposium/ITxpo. They were targeted at midmarket companies.

Security steps that'll cost almost nothing:

  • Evaluate the patch status of all production systems connected to general-purpose networks.
  • Deploy standard configurations on your PCs and servers to reduce vulnerabilities and improve patch deployment success rates.
  • Look for ways to standardize your PC environment by classifying users by their need to manage their own PCs. P.S. Locking down everyone doesn't work.
  • Negotiate more features with your desktop security vendor when you renew.
  • Make sure you have anti-spyware and personal firewalls, and don't pay for them.
  • Block all attachments from outside except for those used in business (.zip, .doc, .xls, .pdf and .ppt).
  • Limit administrator privileges to administrators.
  • Don't allow critical files (customer and employee records and intellectual property) to be printed or downloaded. Any exceptions should be documented and justified.
  • Erase all data on the hard drive before recycling or throwing away a PC.
  • Disable all inactive accounts.
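One low-cost way to act on "disable all inactive accounts" is a periodic review script rather than a manual trawl through the directory. The block below is an added example, not from the article or the Gartner presentation. It assumes an account export in CSV form with a last-login date (the sample rows are constructed) and a 90-day inactivity threshold; both the column names and the threshold are assumptions to adjust to your own directory and policy. Accounts that are already disabled are skipped, and accounts that have never logged in are always flagged, since they have no activity to measure.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not from the article): one row per account, with the
# last interactive login date or "never", and whether the account is still enabled.
SAMPLE_EXPORT = """\
username,last_login,enabled
alice,2024-05-30,true
bob,2024-01-12,true
svc_backup,never,true
carol,2024-06-01,true
dave,2023-11-03,false
"""

# Assumed policy threshold: accounts unused for 90 days are candidates for disabling.
INACTIVITY_THRESHOLD = timedelta(days=90)


def parse_export(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_login"].strip().lower()
        last_login = None if raw == "never" else date.fromisoformat(raw)
        accounts.append({
            "username": row["username"].strip(),
            "last_login": last_login,
            "enabled": row["enabled"].strip().lower() == "true",
        })
    return accounts


def find_inactive(accounts, as_of, threshold=INACTIVITY_THRESHOLD):
    """Return {username: reason} for enabled accounts that should be reviewed.

    Already-disabled accounts are skipped. Accounts that have never logged in
    are always flagged because there is no activity to measure against.
    """
    flagged = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        if acct["last_login"] is None:
            flagged[acct["username"]] = "never logged in"
            continue
        idle = as_of - acct["last_login"]
        if idle > threshold:
            flagged[acct["username"]] = f"inactive for {idle.days} days"
    return flagged


def review_sample(as_of=date(2024, 6, 15)):
    """Run the check over the constructed export as of a fixed date and return the flagged accounts."""
    return find_inactive(parse_export(SAMPLE_EXPORT), as_of)


if __name__ == "__main__":
    for user, reason in sorted(review_sample().items()):
        print(f"{user}: {reason}")
```

Feed it your real export and a current `as_of` date; the output is a review list, not an automatic disable action, so that break-glass and service accounts can be justified and documented before anything is switched off.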

Inexpensive security steps:

  • Minimize benign data leakage by instructing employees of best practices.
  • Change passwords on root and administrator accounts; review help desk and password resets.
  • Restrict access to USB/removable media points where possible. Apply policy restrictions on others.
  • Examine security practices for remote access.
  • Block every port that your business does not require to be open.
  • Use compliance as a rationale for more security funding.
  • Narrow the vendor list. The fewer vendors you have, the more leverage you get.
  • Consider security delivered through SaaS, all-in-one appliances, open source and thin-client computing.
  • Don't spend money on things you don't need. Examples include: Personal digital certificates, 500-page security policies, security awareness posters, biometrics and passive intrusion detection.
