Risk
7/18/2011
06:37 PM
Connect Directly
RSS
E-Mail
50%
50%

4 Basic Security Steps For SMBs

Time and budget limitations make poor excuses for a lack of security. Here are four key considerations for resource-constrained IT administrators at smaller companies.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
Security tends to be an area that small and midsize businesses know they need to address but nonetheless leave unattended. There's always something more pressing on the priority list.

The bad guys love those companies.

Sure, there's no such thing as foolproof security. But time and budget limitations shouldn't keep smaller businesses from securing their information. Not taking at least basic steps toward real IT security can lead to a series of technology-borne plagues: your website starts moonlighting as a malware factory, your hosted phone system becomes someone else's call center for a weekend, your finance staffer unwittingly turns over banking credentials to a hacker. Any or all of the above can damage the company's reputation and its bottom line.

So what's the lean-and-mean SMB to do? Rick Carlson, president of Panda Security, notes that there's no one-size-fits-all approach. Panda focuses on smaller customers, and the vendor recently released the latest version of its Panda Cloud Office Protection service. It's in Carlson's job description to be a bit biased on the topic: "The client-server architecture is dead," he said in an interview. But he does offer up four fundamentals for SMB owners and IT pros to keep in mind, regardless of what tools or applications you favor.

Embrace the holistic view. Security is no longer an office-and-desktop paradigm. Once upon a time, an IT administrator could secure the physical office's network and its endpoints and sleep well. Those days are gone--the mobility boom and the related virtual workforce requires a different thought process.

Carlson himself spoke to me from his home office where he works one or two days each week. "The workforce is changing," Carlson said. "It's no longer enough to lock down your specific network because you've got machines coming on and off the network constantly. The challenge now for IT administrators at small businesses is to protect those machines regardless of where they are." Easier said than done--read on for the "how"--but Carlson said it's the underlying philosophy that SMBs need to adopt. Otherwise, no number of tools or policies will get the security job done.

Have a staff security policy and train people on it. Carlson said that a written security policy for employees and corresponding education program for new or current team members is a crucial yet straightforward step that most SMBs overlook. Big mistake: "No matter how good the security is, the human being that is sitting behind the machine can always override that security," Carlson said. "Nobody's immune: the hourly or part-time right on up to the president or CEO."

It's a low- or no-cost process that doesn't have to eat up much time. Carlson advocates working with HR or the business owner to put something in place. The program should include employees signing a document that they understand the policy and are on board. "It's free other than the IT administrator's time, and they'll probably make that up by fighting a few less viruses," Carlson said.

Use automated security tools that actually do what you need them to do. It sounds like a "duh" moment but it bears remembering: When you choose your security weapons, choose wisely. Make sure applications meet your particular business needs; it's likely the case that you'll want a mix of tools.

Carlson noted the increasing importance of content filtering, for example--something Panda doesn't provide--to contend with mutating malware and other Web-based threats. This is where IT pros need to know the nature of their business and act accordingly: Highly mobile or virtual firms might be better suited with a cloud-based approach. Likewise, that same approach might not meet the requirements of a compliance-stricken company. Regardless, Carlson advises time-poor SMBs to look for largely automated tools that don't require much upkeep.

Take a restriction-versus-risk approach. Carlson's a proponent of weighing restriction against risk. "Simply put, the more restrictive you are the less risk you have," he said. Carlson's quick to add that heavy IT regulation won't work for every company, but recommends managing policy on an individual or at least group basis.

If a staffer doesn't need Facebook to do their job? "You may become a hero by restricting access to certain social media sites and time-wasters," Carlson said. The downside is becoming too heavy-handed. "You may create an environment that is too restrictive that stands in the way of people working," Carlson said. Still, the prudent IT manager can make smart choices that strike the right balance.

"You're looking at taking a risk-based approach to security by enabling the better-trained, better-informed employees to have more freedom," Carlson said. "Maybe the lower-level employees that haven't gone through training or don't need those types of accesses--those folks can be subjected to more restrictive roles."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

CVE-2014-5158
Published: 2014-08-21
The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.

CVE-2014-5159
Published: 2014-08-21
SQL injection vulnerability in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary SQL commands via the ws_data parameter.

CVE-2014-5210
Published: 2014-08-21
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.