Security on a tight budget

I need to know where to spend our security budget. Hardware firewall, encryption, something else?

We are struggling financially so we need to get the most security protection with the smallest investment (<$5000). I will award the points to the comments with explanations on why your suggestion would be the best solution. Specifics are below.

- SBS 2003 with Exchange enabled
- 10 client PCs
- 1 Windows Server running accounting software
- Using built-in SBS firewall
- No hardware firewall
- Symantec Endpoint Protection without the Network Threat Protection
- Symantec Mail Security for Exchange

We have outsourced our accounting functions, so now the accounting server is being accessed remotely with RWW and more financial data is going over the internet. Plus, because we are emailing scans of invoices, credit cards etc. to the accounting firm, sensitive information is being saved locally on client PCs.

Thank you in advance for any ideas/suggestions you can give me. Please let me know if you need more information.

connectex Commented:
One good or bad thing about EE. Lots of opinions and you get to decide. Oh yeah! But I'm going to say the following. Assuming you like and want to continue with the SBS product suite. SBS 2003 is the last to include a software based firewall. So plan for the future, and add some solid edge protection now. Remember you don't have to fight inside what you stop at the edge of your network. I've been using SonicWALL's TZ product line for 5 years now. They are a complete and cost effective edge solution. A comparison of the TZ lineup is available here: I recommend going with at least the comprehensive gateway security suite (CGS) on the device. The TZ 210 with CGS should be around $1100. But I think a TZ 100 or TZ 200 is more likely. Also unless you know firewalls quite well, I recommend having someone else assist with setup and installation. Remember a $5,000 security device that's improperly configured is as good as a paperweight. These units also have wireless options for $100-$200 more. You can use WPA2-PEAP via NAP on your SBS system to create a clean and secure wireless access. And you'll still have money to do other things. But edge first in my opinion.
Cliff Galiher Commented:
This is an easy one. Spend a grand to get in a security expert to come in, make a plan, and help you implement it. They should be able to do so *easily* with the remaining $4k. If you aren't a security expert and you have financial records going over the wire and on client PCs, you should not trust any advice from EE.

To use an analogy, I am an auto hobbyist. I like working on and restoring older vehicles. I don't mind going to websites and seeking advice.

If I had a particularly tricky project on a vintage Corvette, I'd get an expert. The risk of damaging such a fine vehicle is too great. If I ran a security company, I'd not try to fix the armored vehicle that picks up money in my own garage. The risk to my company is too great if I did it poorly. Some things just require a skilled (paid) specialist. Cost of doing business.

Kris Montgomery Commented:
Set up an Untangle box, which will include many features that you need. Firewall, web filtering, etc. Do it yourself, it's free.

Get rid of Symantec.   Use Comodo Antivirus for free (for business and personal computers).  It will take a bit of configuring, but your computers WILL NOT get infected if it is used properly.

Get one license of Exchange aware antivirus:

With the savings below, get a great backup process and software... SOS Online Backup or CrashPlan depending on your needs. Or a $10/month unlimited webhosting account with FTP and use free backup software for everything. Slow, but nearly free.


Safe network, safe endpoints, safe data.


Echo the prior comment.
If you are emailing, email encryption should be used to secure the information within the communications.
S/MIME encryption/PGP etc.
Kris Montgomery Commented:
Secure Email... I am not in love with Comodo. They just do it good and cheap.

Kris Montgomery Commented:
I don't know why my writing skills are so out-of-whack today. See posts above. :)

The free backup software I would use is Cobian Backup if backing up to FTP sites or backing up on-site to small RAID backup devices like the Netgear ReadyNAS ($250).  Otherwise, the alternative is Online Backup using their software.   There are a lot of options out there.

Lee W, MVP, Technology and Business Process Advisor Commented:
I like cgaliher's comment, but I'd probably say it a little differently...

While you can take whatever you're told here as an idea, at the end of the day, you'd probably get a better solution from a paid consultant who specializes in security. You'll get better answers from a person who can come into your environment, run a questionnaire by you, review what you have, what you need, and what you're doing, and provide a solution that makes the most sense based on your unique requirements.

Suggestions here can be brought up to such a consultant - "what do you think about this..." and the consultant's proposal can be posted here and you can ask for our thoughts on it... but again, for the BEST advice, the security experts need to see your systems.
menageriekeeper (Author) Commented:
Thank you for the quick responses!

cgaliher- I do have some calls out to talk to a couple of security firms in town. But, I also wanted to be able to have an idea of what they might be telling me. I want to make sure I can distinguish truth from salesmanship.

muganthony - we just renewed Symantec, so that one will stay for a while, but I will look into Comodo. I have never heard of Untangle. It looks interesting, but how hard is it to set up and maintain? Unfortunately, IT is about 1/4 of my job, so I need low maintenance if possible.

arnold: prior comment, does that refer to mug or Cliff? Do you have a recommendation on email encryption software?
menageriekeeper (Author) Commented:
I think we were typing at the same time. You said exactly what I was thinking. I do like the idea of posting the proposal for comment.

arnold Commented:
Referred to Cliff, but Mug's is an option.

I think most email clients these days, Outlook, Thunderbird, etc., have the capacity to use a certificate to exchange certificates and send encrypted emails. PGP is another option that I think integrates into most of those email clients.
I.e. have the party to whom you are sending the information provide you their public certificate which you will use to encrypt the email to them. Since they have the private portion only they will be able to decrypt the message.
Larry Struckmeyer MVP Commented:
Hmmm.... I might first look at the version of SBS itself. Don't know the time period for the budget, but SBS 2003 is approximately 10 years old. Newer software has better security by design. Can't tell you how to rank that into the others, but I think I might be able to work out a budget that allowed SBS to be upgraded and still allow for the firewall and encryption, depending on the hardware you have.

After (or maybe before) all the firewalls and anti-this and that's, all the encryption and the rest... consider AuthAnvil from Scorpion Software to protect the network from unauthorized intrusions. I don't work for them, I know them, and respect them, but get nothing out of your purchase. But you asked about security.
naughtynat Commented:
Similar thoughts to connectex

Fortinet 50B - Hardware firewall (Unified Threat Management) so this does scanning of emails/ftp/http etc. to help remove risks before they enter the network. I think this is probably similar to the TZ210. Cost probably $700 including 1 year maintenance. About $900 for wireless option if required?

Security Expert - IT experts are often not security experts. Security experts are usually enterprise people and used to doing setups much bigger than 5K and might tell you all the stuff you need to have that you can't possibly get budget for. Ask around to see if you can find one from business associates.

I think Symantec Endpoint is a good product. We use it everywhere and don't have many issues.

I usually get ISP to do Mail Filtering (SPAM & Virus) as another level of protection.

Instead of emails maybe a secure FTP site could be a better option (but this might be too difficult or inefficient). Something to discuss with the security expert as they will get to understand better how the business operates.

MAIN THING: Make sure you educate your staff as to what security is in place, why it is in place, and how that protects their jobs! No good having loads of security and then have some staff bypass most of it by bringing their laptop which has no AV, loaded with spyware and P2P software etc. on it and using it on your business network.

UNKNOWN: You are outsourcing your accounting work which has confidential information. Make sure you know what security they have in place as well. No good you doing everything you can and have the contractor let down the team.

Your security is only as reliable as your weakest link. And that is where the security expert or IT expert with solid security experience is going to help in looking at the problem in a holistic way.
Kris Montgomery Commented:
An Untangle box is very easy to configure and support.  Use an unused box and add a second NIC.  Install the software, turn it on.  You can access the web interface from another computer.  Pick and choose the components in your virtual rack.  The free version comes with everything you need.  Other components can be added for purchase.

I would add that once you set up everything, cheaply, that is, then just have a consultant come out for vulnerability scanning, etc. I am positive that any of the options we all have suggested will work fine for you.

menageriekeeper (Author) Commented:
Thank you everyone for your input. Everyone gave me some unique information. So, I am going to award points to everyone, by how much it helped me. I hope that is okay with everyone.

connectex: I think the multiple opinions is good, but you’re right, sometimes it is hard to tell what is best for your situation. Thank you for the information about SonicWALL and the suggestion that if you don’t know firewalls, have someone assist you. I was feeling a little bit of a wimp because I was afraid to tackle setting up the Symantec one.

naughtynat: Thank you for the reminder about educating staff. It is something you always hear, but seem to forget to implement. And, I will check with the accountants. It would probably be good to know what they are doing for when I talk to the consultant.

fl_flyfishing: I will look into the upgrade. 2003 is still working well, I would rather put my energy somewhere besides an upgrade. But, your point is well taken. Also thank you for the link to Scorpion Soft.

arnold: thank you for the email encryption information. I was thinking it would be more difficult.

muganthony: I appreciate your do-it-yourself information. If I had a little more time and knowledge, I would probably go that route, but I think it is definitely safer if I take the advice of others and get an expert in here.