Attacks/Breaches
7/7/2010
12:48 PM

Security On A Shoestring SMB Budget

As small and midsize businesses increasingly become big targets for cybercrime, locking down their networks cheaply can be a challenge

The e-mail appeared to be an invitation from an old, junior high school friend. Yet when the hospital employee clicked on the link, it instead led her to a malicious site that installed a Trojan horse on her computer. In a little over a week, international cybercriminals used that beachhead to steal more than $600,000 from the woman's employer, according to a terse description of the incident on the Information Systems Security Association’s Web site.

A number of similar incidents highlight the threat of online crime facing small and midsize businesses (SMBs), says Stan Stahl, president of Citadel Information Group and president of the Los Angeles chapter of the ISSA.

"Typically, they say, 'We have firewalls in place and have AV on all the desktops, so I guess we are secure,'" Stahl says. "But today cybercrime is so sophisticated that is not enough anymore."

Between a lack of security expertise and tight budgets due to the economic downturn, SMBs are hard-pressed to adequately secure their systems, networks, and data. Most SMBs don't have a dedicated IT person, never mind a dedicated security person. That's a problem because such businesses might once have been overlooked, but these days cybercriminals are finding them easy prey for schemes that aim to empty their bank accounts.

Yet recent surveys have found that SMBs are increasingly aware of online risks. Security spending will increase in the next year across the globe, with India and China increasing their spending to a greater degree. But even in the U.S. and U.K., security budgets will increase by 20 percent, according to a CompTIA survey.

"Smaller businesses have ignored security in the past, but -- because of some major breaches -- they are more cognizant of what it is today," says Steven Ostrowski, spokesman for CompTIA, a trade association for IT professionals.

For those businesses, security experts say several simple -- and inexpensive -- steps can dramatically improve a company's chances against attackers.

The most important step is that someone, preferably an executive, needs to be responsible for information security, Citadel's Stahl says.

"One of the questions that we ask when we do an assessment is, 'Who is in charge of IT security?' and it's very telling to see how employees give us different answers, which, of course, means that no one is in charge," he says. "So one of the things that we do with the client is find where the buck has to stop."

That's important because executives need to support IT managers who make decisions. Security does not work if a vice president can circumvent policy just because he or she wants a simpler password, Stahl says.

Companies should also create a policy that guides users and IT managers in their actions. For SMBs, the largest threat is uninformed employees, according to CompTIA's annual study. Most infections these days come through social engineering. Scams such as fake e-mail messages claiming to be UPS or FedEx receipts, complaints from the IRS, or announcements from the FBI can fool unwary workers.

Training and education are key defenses against such tactics, and a well-written and easy-to-understand policy can help, Ostrowski says.

"Even the smallest business can put a security policy in place," he adds. "It does not have to be complex, and you are not expecting every employee to get a CISSP."

In a survey conducted last year, 60 percent of respondents told CompTIA they had implemented a comprehensive security policy. Such policies can help protect SMBs' most important assets: their accounting packages, where all of their financial information resides, as well as their customer lists. In most cases, e-mail and e-mail functionality are critical to their business as well.

"A lot of important business information resides in a business person's e-mail," says Jim Lippie, vice president of Staples Network Services.

In terms of creating a security team, SMBs face the same three options that larger enterprises have: They can do it themselves, outsource security to external consultants or solution providers, or subscribe to a managed service.

For most SMBs, creating their own IT security staff is too expensive. In its SMB services practice, office supply chain Staples rarely runs into even a full-time security person, Staples' Lippie says. About 80 percent of the group's SMB clients use the Staples group for all of their IT needs. Only 20 percent have an IT person and use the service to augment their own program, he says.

"The point-of-contact usually does not have a technical background," Lippie says.

Companies that eschew full-time IT administration should make sure their systems are set to automatically update software to close potential vulnerabilities. While some larger companies wait to apply patches to evaluate the impact of the software updates on all of their systems, most smaller businesses have no reason to delay.

"When the manufacturers send out the security patches and fixes, install them right away -- don't ignore them," Ostrowski says.

Staples' Lippie agrees that patching is part of the basic security steps a small business can take to secure itself. When its consultants install desktops and laptops, it automates the patch process so that clients have a solid foundation of security.

Finally, companies should bring in security expertise, whether through a full-time employee, a consultant, or even as an assessment prior to subscribing to a managed service. For many smaller firms, a cloud service can provide the necessary day-to-day monitoring. Eyeing that market, the larger security firms -- such as McAfee and Symantec -- are creating integrated cloud security services.

"The SMB just wants security to be simple," says Marc Olesen, senior vice president of McAfee's content and cloud security group. "They want the protection, but they don't have the expertise or capacity."
