Security tends to be an area that small and midsize businesses know they need to address but nonetheless leave unattended. There's always something more pressing on the priority list.

The bad guys love those companies.

Sure, there's no such thing as foolproof security. But time and budget limitations shouldn't keep smaller businesses from securing their information. Not taking at least basic steps toward real IT security can lead to a series of technology-borne plagues: your website starts moonlighting as a malware factory, your hosted phone system becomes someone else's call center for a weekend, your finance staffer unwittingly turns over banking credentials to a hacker. Any or all of the above can damage the company's reputation and its bottom line.

So what's the lean-and-mean SMB to do? Rick Carlson, president of Panda Security, notes that there's no one-size-fits-all approach. Panda focuses on smaller customers, and the vendor recently released the latest version of its Panda Cloud Office Protection service. It's in Carlson's job description to be a bit biased on the topic: "The client-server architecture is dead," he said in an interview. But he does offer up four fundamentals for SMB owners and IT pros to keep in mind, regardless of what tools or applications you favor.

Embrace the holistic view. Security is no longer an office-and-desktop paradigm. Once upon a time, an IT administrator could secure the physical office's network and its endpoints and sleep well. Those days are gone--the mobility boom and the related virtual workforce requires a different thought process.

Carlson himself spoke to me from his home office where he works one or two days each week. "The workforce is changing," Carlson said. "It's no longer enough to lock down your specific network because you've got machines coming on and off the network constantly. The challenge now for IT administrators at small businesses is to protect those machines regardless of where they are." Easier said than done--read on for the "how"--but Carlson said it's the underlying philosophy that SMBs need to adopt. Otherwise, no number of tools or policies will get the security job done.

Have a staff security policy and train people on it. Carlson said that a written security policy for employees and corresponding education program for new or current team members is a crucial yet straightforward step that most SMBs overlook. Big mistake: "No matter how good the security is, the human being that is sitting behind the machine can always override that security," Carlson said. "Nobody's immune: the hourly or part-time right on up to the president or CEO."

It's a low- or no-cost process that doesn't have to eat up much time. Carlson advocates working with HR or the business owner to put something in place. The program should include employees signing a document that they understand the policy and are on board. "It's free other than the IT administrator's time, and they'll probably make that up by fighting a few less viruses," Carlson said.

Use automated security tools that actually do what you need them to do. It sounds like a "duh" moment but it bears remembering: When you choose your security weapons, choose wisely. Make sure applications meet your particular business needs; it's likely the case that you'll want a mix of tools.

Carlson noted the increasing importance of content filtering, for example--something Panda doesn't provide--to contend with mutating malware and other Web-based threats. This is where IT pros need to know the nature of their business and act accordingly: Highly mobile or virtual firms might be better suited with a cloud-based approach. Likewise, that same approach might not meet the requirements of a compliance-stricken company. Regardless, Carlson advises time-poor SMBs to look for largely automated tools that don't require much upkeep.

Take a restriction-versus-risk approach. Carlson's a proponent of weighing restriction against risk. "Simply put, the more restrictive you are the less risk you have," he said. Carlson's quick to add that heavy IT regulation won't work for every company, but recommends managing policy on an individual or at least group basis.

If a staffer doesn't need Facebook to do their job? "You may become a hero by restricting access to certain social media sites and time-wasters," Carlson said. The downside is becoming too heavy-handed. "You may create an environment that is too restrictive that stands in the way of people working," Carlson said. Still, the prudent IT manager can make smart choices that strike the right balance.

"You're looking at taking a risk-based approach to security by enabling the better-trained, better-informed employees to have more freedom," Carlson said. "Maybe the lower-level employees that haven't gone through training or don't need those types of accesses--those folks can be subjected to more restrictive roles."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.