Secure your small-business network without spending a dime

A host of free security measures are ready to come to your defense.

You have a target on your back. In 2012, 31 per cent of cyberattacks were aimed at small businesses, and that staggering number is 100 per cent attributable to inadequate - or nonexistent - security measures at many of these firms, which might as well be an open invitation to hackers.

Now, we're not going to hit you with another eat-your-veggies imperative to secure the computers and networks at your business. We understand that it's all too easy to view security as a discretionary expense.

But what if we told you that there were security controls in the tools you already own that could vastly improve your protection if you just used them? And that you could fill any gaps in protection with free security programs that are every bit as effective as their commercial counterparts?

Below are several ways to fend off cyberthreats. The only investment is your time.

Use what you already have

The quickest--and cheapest--way to beef up your defenses is to understand and employ the security measures you already have at your disposal.

Start with the simple things. Make sure that all your user accounts are protected with strong passwords and that only those employees who need administrative privileges have administrator accounts on their PCs.

Next, take a look at the Local Group Policy Editor in Windows. This power tool gives you granular control over groups of users and computers, so it makes sense that Microsoft placed the utility where people can't easily find it. (One way to find it is to type group in the search field in either Windows 7 or Windows 8. 'Edit Group Policy' should appear as one of the top few options available.) From the Editor, you can set password and account lockout policy, firewall policy, software restrictions, and more. Spend a couple of hours learning about the Local Group Policy Editor, and wield its power judiciously.

Stay up-to-date

Zero-day attacks make for ominous headlines, but the reality is that known vulnerabilities are a much bigger threat. Most attackers don't have the skill or the devotion to ferret out new security holes. Once a vendor releases a patch, though, lazy attackers can reverse-engineer it to identify the vulnerability it fixes and figure out how to exploit that flaw.

The longer you go without implementing an applicable patch, the more at risk you are. You should have automatic updates turned on in Windows, as well as in any other applications you use that offer such a function. If you can't take advantage of this feature, you'll have to make a serious effort to stay informed about new updates and test and apply them as soon as they're available.

Supplement with free security tools

Once you've exhausted all the resources you have on hand, it's time to explore outside options. Some of the best security tools available are free and can go toe-to-toe with features offered in big-brand security suites. Here are a few to get you started.

Microsoft Security Essentials: Windows 8 includes Windows Defender, but prior versions of the operating system didn't come with antimalware protection. If you need to protect computers running Windows XP or Windows 7, you can download Microsoft Security Essentials to get comprehensive real-time protection gratis.

Cain and Abel: Using network-packet sniffing, dictionary attacks, and a variety of other methods, Cain and Abel captures and cracks passwords. You can use this handy utility to reveal vulnerabilities, determine whether your policy requirements are secure enough, and recover passwords, which is its primary function.

Aircrack and Kismet: Want to know how secure your wireless network really is? Try Aircrack or Kismet. Aircrack captures wireless network traffic and attempts to crack your WEP or WPA encryption. Kismet is a wireless-network detector, sniffer, and intrusion detection system. Both tools are free, and both are highly rated by those who use them.

Nikto: If your business has a Web server, you might want to put Nikto to use. An open-source Web-server scanner, Nikto can help you identify weaknesses that may expose your server to exploits. It scans for outdated servers, specific vulnerabilities, and known configuration errors to help you protect your server from attack.

For a complete list of the best security utilities, visit, which maintains a regularly updated list of the top 125 as rated by the user community. The list includes both open-source and commercial software, but you'll see that many of the most respected tools don't cost a thing.

If you can spare a dime...

If implementing these free options has whetted your appetite, consider investing in some pay software to bolster your complimentary security measures. We recommend the following three open-source tools. All are still available as free versions, but subscriptions are required to unlock their full power.

Nessus is a vulnerability scanner that examines and monitors your network and PCs for more than 50,000 vulnerabilities and potential configuration errors that may expose your systems to compromise. It also includes specific scans to help ensure compliance with regulatory and industry frameworks such as HIPAA (Health Insurance Portability and Accountability Act) or PCI-DSS (Payment Card Industry Data Security Standard).

Metasploit is a penetration-testing platform that lets you test exploits against your network and computer-security defenses and applications, to determine what impact they might have and to identify weaknesses you should address.

Snort is an intrusion detection and prevention platform that monitors network traffic to find and identify suspicious or malicious activity.

Cybercrime is costly, but defending against it doesn't have to be. Basic protections are built into the operating system and applications you use every day, and if you support them with free and open-source tools, you can protect your PCs and data without so much as bruising your budget. Who says you can't put a price on peace of mind?

Join the CSO newsletter!

Error: Please check your email address.

Tags network securityopen sourcesecuritypasswordssoftwareantivirusbusiness security

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place