Small-site Information Security on a (very loose) shoestring - a case study

Large corporations recognize the need to invest manpower, time, and money managing their system and network infrastructures. Most of these companies have also recognized the value in focusing specifically on information security to protect and manage their assets, secrets and reputations. Unfortunately, this same understanding of the need and value of information security is not seen at a significant portion of midsize and smaller companies. This may be because of the perceived cost and/or complexity, management attitudes, or simply a lack of knowledge. This lack of understanding puts all Internet users at increased risk of attack or compromise. This paper will describe one such smaller company and the state I found it in when I joined it. This will be followed by a review of corrective actions (and their limitations) that significantly enhanced the overall security posture.