10 Ways to Mitigate Your Security Risks
Time is money, and when it comes to small and midsize businesses, both are in short supply. So we got security experts to share their top tips for mitigating information security risk while using minimum resources.
What's the best way to secure your small or midsize business?
Unlike large enterprises, which typically hire IT professionals who specialize in one particular security discipline, the security role at smaller companies often requires someone who can play "security jack of all trades." This rough-and-ready approach necessitates maximizing security automation and prioritizing top threats, so that a small team, perhaps working on security only part-time, can effectively manage risk for an entire organization.
And unlike large enterprises, small and midsize businesses have relatively few employees devoted to information security; many rely entirely on consultants or vendors. The average small and midsize business also devotes far fewer resources to staying secure. "The smaller businesses typically come to us and tell us they're spending anywhere from 3% to 5% of their IT budget on security," says CJ Desai, senior director for product management at Symantec. By comparison, according to Forrester Research, the average enterprise spends 8% of its IT budget on security.
As those numbers suggest, many small and midsize businesses cut security corners. A study by the Small Business Technology Institute, for example, found that one in five small companies (one to 100 employees) has inadequate malware protection, the majority have no security policies, and many create a response plan only after disaster strikes. Yet small and midsize businesses are just as likely as large organizations to be attacked or targeted by malware.
Given the volume of threats, as well as the scarcity of available time, resources, and on-hand security professionals, small and midsize businesses need an action plan that outlines which security risks they should focus on today, using existing personnel, time, and resources to mitigate the maximum number of threats.
Security experts share their top 10 tips for a faster, cheaper, yet more controlled security program:
1. Target Malware With Automated Defenses
The first line of defense for small and midsize businesses is blocking and eliminating viruses, worms, spyware, and other malware, including Trojan downloaders and keystroke loggers, both on endpoints and at the gateway. Accordingly, deploy anti-malware and filtering software for all e-mail gateways, to prevent malware and spam (which often carries malware) from ever reaching users' PCs. To handle this, many small and midsize companies purchase a so-called unified threat management appliance, which runs multiple security technologies on one device.
Gateway defenses alone, however, will be inadequate. As Randy Abrams, the director of technical education at ESET, a security software provider, notes, "if you take too many shots on goal, something is going to get by." So be sure to install antivirus (aka anti-malware) suites on every laptop, desktop, server, and, preferably, mobile device. Such suites typically also include a personal firewall and host-based intrusion prevention. The advantage of a single suite, as with a single appliance, is easier manageability and updating.
Use administrative rights on PCs to prevent users from tweaking their security suites, "so employees can't just turn off the firewall if IM isn't working," says Ron Teixeira, executive director of the National Cyber Security Alliance (NCSA), a collaborative nonprofit, academic, and government security outreach effort.
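One way an administrator can verify that the endpoint controls in this tip are actually in place (firewall on for every network profile, anti-malware running with fresh signatures) is a quick audit script. The following is an added example, not code from the article or from any vendor named in it; it assumes Windows 8/Server 2012 or later with the built-in NetSecurity and Defender PowerShell modules, and the three-day signature-age threshold is an assumed value.

```powershell
# Added example (not from the article): audit one Windows endpoint for the
# tip-1 controls. Run from an elevated PowerShell session.
function Test-EndpointDefenses {
    param(
        # Maximum acceptable signature age in days (assumed threshold)
        [int]$MaxSignatureAgeDays = 3
    )
    $findings = @()

    # Every firewall profile (Domain, Private, Public) must be enabled
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True') {
            $findings += "Firewall profile '$($p.Name)' is disabled"
        }
    }

    # Anti-malware engine must be on, with real-time protection and current signatures
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
        if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings += "Signatures are $($mp.AntivirusSignatureAge) days old"
        }
    } catch {
        # Get-MpComputerStatus fails when Defender is not the active engine
        $findings += 'Microsoft Defender status unavailable (third-party suite or module missing)'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-EndpointDefenses | Format-List
```

To audit a whole office at once, wrap the call in `Invoke-Command -ComputerName` against a list of workstations and collect the objects whose `Compliant` field is false.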
Also employ this cutting-edge anti-malware technique: Turn all PCs off at night. Not only will this prevent off-hours exploits, but then when users reboot, "their operating system can start over and scan for anything that might be malicious that got in there," he says.