With the U.S. in a recession, many companies are cutting back in order to save costs. Small businesses have been hit particularly hard, thanks to fewer resources and already-tight budgets. And while it makes sense to cut back due to the financial climate, David Kelleher, a research analyst with email security provider GFI of Cary, North Carolina says IT security is one area that should be left alone, or even beefed up, right now. "Security is a cost of doing business, and not an item on a checklist that can be added or removed as needed,†says Kelleher. Consider the fact that the economic downturn has created a "fear factor†that can lead cyber-criminals to hit even harder, with threats coming from both domestic sources and from overseas. In its Annual Threat Report & 2009 Forecast, for example, Cupertino, California-based Trend Micro, says security researchers are seeing virus wars, worm wars, and botnet wars due to increasing competition for financial gains from phishing and fraud. "Look for growing competition between Eastern Europe and China,†the company reports, "to determine which country's crooks will be the first to include the latest exploits in their exploit kits.†While the need for ongoing IT security is clear, it can leave the small business owner scratching his or her head over how to justify the investment in a security tool when the entire company is in cost-cutting mode. The good news, according to Kelleher, is that taking proactive steps to protect your data, and that of your customers and business partners, doesn't have to be expensive. In fact, it can help boost profitability for firms that are proactive about their IT security. Here are six ways to make sure your company falls into that category: Determine Vulnerability Conduct an extensive audit of all security measures in place (that includes all hardware, software and other devices, such as flash drives), and the privileges and file permissions given to all employees. "Event logs are an important, but often neglected, source of security information,†says Kelleher, who advises firms to frequently test the security of the storage environment by checking the network logs, security controls (such as firewalls), user IDs and access logs, to see if anything was discovered and highlighted as a possible security breach. Monitor Activity "Monitor user's activity [all the time],†says Kelleher. For a single administrator, monitoring event logs and carrying out regular audits is a massive undertaking. A more realistic approach is to check the logs within the storage environment, rather than the entire network. "Logs have proven to be a source of great value if a security breach occurs and an investigation ensues,†says Kelleher. "This step allows you to better understand your firm's use of resources, and helps you manage it more effectively.†Control Access This one is pretty straightforward. "Access to data should be given only to those who need it,†says Kelleher, "even if the person trying to get to it happens to be your cousin or the boss's son.†Safeguard Information The use of uncontrolled portable storage devices, such as flash drives and DVDs, puts considerable volumes of data at risk and should not be allowed in an unrestricted environment. "These devices are easy to lose and they can be stolen quite easily if left lying around,†says Kelleher. "In many cases, the data that is on portable storage devices is often not protected using encryption.†Develop IT Policies Kelleher advises all companies to implement stringent security policies with regard to how data is accessed, handled and transferred, knowing that technology alone will not protect a company's data. "Strong and enforceable policies, along with employee and management's awareness of possible breaches, will go a long way towards improving the level of security within an organization,†he says. Employee Education Last but certainly not least, workers shouldn't leave their passwords written on sticky notes and pasted onto their monitors, nor should they divulge information to third parties without authenticating the request first. "The people using and creating the data are the greatest threat and weakest security link,†says Kelleher. "Security is more than just protecting data or placing it under lock and key — it's also an exercise in managing people.†Web Resources: 7 Steps to Online Security Small Business Computer Security Checklist