Risk
7/18/2011
06:37 PM
50%
50%

4 Basic Security Steps For SMBs

Time and budget limitations make poor excuses for a lack of security. Here are four key considerations for resource-constrained IT administrators at smaller companies.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
Security tends to be an area that small and midsize businesses know they need to address but nonetheless leave unattended. There's always something more pressing on the priority list.

The bad guys love those companies.

Sure, there's no such thing as foolproof security. But time and budget limitations shouldn't keep smaller businesses from securing their information. Not taking at least basic steps toward real IT security can lead to a series of technology-borne plagues: your website starts moonlighting as a malware factory, your hosted phone system becomes someone else's call center for a weekend, your finance staffer unwittingly turns over banking credentials to a hacker. Any or all of the above can damage the company's reputation and its bottom line.

So what's the lean-and-mean SMB to do? Rick Carlson, president of Panda Security, notes that there's no one-size-fits-all approach. Panda focuses on smaller customers, and the vendor recently released the latest version of its Panda Cloud Office Protection service. It's in Carlson's job description to be a bit biased on the topic: "The client-server architecture is dead," he said in an interview. But he does offer up four fundamentals for SMB owners and IT pros to keep in mind, regardless of what tools or applications you favor.

Embrace the holistic view. Security is no longer an office-and-desktop paradigm. Once upon a time, an IT administrator could secure the physical office's network and its endpoints and sleep well. Those days are gone--the mobility boom and the related virtual workforce requires a different thought process.

Carlson himself spoke to me from his home office where he works one or two days each week. "The workforce is changing," Carlson said. "It's no longer enough to lock down your specific network because you've got machines coming on and off the network constantly. The challenge now for IT administrators at small businesses is to protect those machines regardless of where they are." Easier said than done--read on for the "how"--but Carlson said it's the underlying philosophy that SMBs need to adopt. Otherwise, no number of tools or policies will get the security job done.

Have a staff security policy and train people on it. Carlson said that a written security policy for employees and corresponding education program for new or current team members is a crucial yet straightforward step that most SMBs overlook. Big mistake: "No matter how good the security is, the human being that is sitting behind the machine can always override that security," Carlson said. "Nobody's immune: the hourly or part-time right on up to the president or CEO."

It's a low- or no-cost process that doesn't have to eat up much time. Carlson advocates working with HR or the business owner to put something in place. The program should include employees signing a document that they understand the policy and are on board. "It's free other than the IT administrator's time, and they'll probably make that up by fighting a few less viruses," Carlson said.

Use automated security tools that actually do what you need them to do. It sounds like a "duh" moment but it bears remembering: When you choose your security weapons, choose wisely. Make sure applications meet your particular business needs; it's likely the case that you'll want a mix of tools.

Carlson noted the increasing importance of content filtering, for example--something Panda doesn't provide--to contend with mutating malware and other Web-based threats. This is where IT pros need to know the nature of their business and act accordingly: Highly mobile or virtual firms might be better suited with a cloud-based approach. Likewise, that same approach might not meet the requirements of a compliance-stricken company. Regardless, Carlson advises time-poor SMBs to look for largely automated tools that don't require much upkeep.

Take a restriction-versus-risk approach. Carlson's a proponent of weighing restriction against risk. "Simply put, the more restrictive you are the less risk you have," he said. Carlson's quick to add that heavy IT regulation won't work for every company, but recommends managing policy on an individual or at least group basis.

If a staffer doesn't need Facebook to do their job? "You may become a hero by restricting access to certain social media sites and time-wasters," Carlson said. The downside is becoming too heavy-handed. "You may create an environment that is too restrictive that stands in the way of people working," Carlson said. Still, the prudent IT manager can make smart choices that strike the right balance.

"You're looking at taking a risk-based approach to security by enabling the better-trained, better-informed employees to have more freedom," Carlson said. "Maybe the lower-level employees that haven't gone through training or don't need those types of accesses--those folks can be subjected to more restrictive roles."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2808
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Bionic in Android before 4.1.1 incorrectly uses time and PID information during the generation of random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a rel...

CVE-2014-9713
Published: 2015-04-01
The default slapd configuration in the Debian openldap package 2.4.23-3 through 2.4.39-1.1 allows remote authenticated users to modify the user's permissions and other user attributes via unspecified vectors.

CVE-2015-0259
Published: 2015-04-01
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

CVE-2015-0800
Published: 2015-04-01
The PRNG implementation in the DNS resolver in Mozilla Firefox (aka Fennec) before 37.0 on Android does not properly generate random numbers for query ID values and UDP source ports, which makes it easier for remote attackers to spoof DNS responses by guessing these numbers, a related issue to CVE-2...

CVE-2015-0801
Published: 2015-04-01
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.