02:15 PM

Midmarket Security: 5 Risks, 5 Practical Responses

Smaller companies deal with enterprise-grade threats and compliance challenges, and partners are imposing requirements for sophisticated controls and audits that may be overwhelming. Here's how to cope.

We analyzed 699 responses to our InformationWeek Analytics 2011 Strategic Security Survey from IT and security pros at companies with fewer than 1,000 employees, and we found that they take information security every bit as seriously as large enterprises. They're wrestling with the same challenges, including managing the complexity of security, enforcing policies, preventing data breaches, and assessing risk, but they're doing it with less funding, expertise, and technology.

"Somewhere between 30 and 150 people, you reach the really scary spot," says Lee Sharp, network and systems manager for recycling company TerraCycle. "Midsize companies have all the complexity of big companies but can't afford the big tools and can't easily enforce policy."

Problem 1: Managing Security Complexity

Managing the complexity of security is far and away the greatest challenge midsize IT organizations face--50% of our 699 survey respondents identified it as problem No. 1, 16 percentage points ahead of the next biggest issue, enforcing security policies. A smaller number of people and nodes to protect is little comfort when criminals have diversified their attacks and you're faced with increasingly mobile employees accessing business networks from insecure wireless hotspots, often using unmanaged devices.

Oh, and most midsize companies must comply with at least one, and frequently multiple, regulations, including PCI DSS, HIPAA, state privacy laws, and the Sarbanes-Oxley Act for public companies. Audits are a major time suck.

The complexity problem is exacerbated by stringent requirements from partners--often much larger companies, with more resources--whose information they handle. Small companies are being forced to sign on to stronger policies, processes, and controls and adopt expensive, sophisticated security technologies as a condition of doing business with those larger partners.

Jonathan Penn, an analyst with Forrester Research, points to email marketing firm Epilson, which recently suffered a major breach. The company's data security practices will be under tighter scrutiny from its giant clients, including Best Buy, JPMorgan Chase, and Walgreens, whose customer data was stolen.

Midsize companies are in an especially tough spot; they're too big to keep tabs on what every user is doing but too small to absorb heavy requirements from partners.

Managed and hosted security services are arguably the only plausible way to cost-effectively counter security complexity. The trick is finding the right one. We discuss exactly how to choose a partner in our report on security services strategies for small and midsize firms, which includes a checklist tailored to low-, medium-, and high-risk environments. Integrated security suites provide desktop and server antivirus and anti-malware protection as well as email and Web security, all with unified management. Then, fill in gaps by adding such services as endpoint data loss prevention and encryption, which increasingly is a requirement for state data privacy laws.

Of course, the best security can be bypassed if you don't have a strong password policy.

chart: What are the biggest information and network security challenges facing your company?

Problem 2: Enforcing Policy

Outsourcing a security technology and management doesn't absolve you of responsibility for employee behavior, something 34% of respondents cite as a major challenge. Yes, formulating rules for safe computing and handling of and access to sensitive data takes time, executive buy-in, and some level of automation. The key is dropping the us vs. them mentality and working with employees as security partners. "We rely on end user training to make people aware of what's good behavior on their computers--how you handle passwords, access, what's responsible vs. risky behavior," says John McGuthry, CIO of Armstrong Atlantic State University in Savannah, Ga. "If you don't create good behavior and good habits, everything else breaks down."

A best practice is to require that anyone with access to sensitive information undergo annual security training. There's help available here, too. Pain management specialist Zynex Medical turned to a cloud-based learning management service for regulatory compliance training for all employees and independent sales reps. The service helps Zynex document training, which helps at audit time. "It's a big mitigating factor for regulatory exposure," says David Empey, Zynex's director of regulatory compliance. "The cloud service shows we trained and tested competency of folks in all areas where they have to be compliant."

Forrester's Penn calls users the first and last line of defense. Training them to identify suspicious activity, where to report it, and even what to do to preserve evidence from a forensic perspective can make the difference between containment and an infection that spreads throughout the network.

Complement education with strong change management policies and procedures to assure that network devices, critical servers, and firewalls are properly configured. Armstrong Atlantic's McGuthry has put in place procedures that must be followed every time there's a configuration change on a firewall or a significant modification of an application, for example. All affected parties--within and outside of IT--are informed before changes are made, to ensure that all security, network, and business needs are addressed. Every change includes a plan for testing and recovery to return the device or application to its original state if necessary. And every change is documented, and that information securely stored.

"No one can make a change outside this process," McGuthry says. "If someone does, that's a behavior that's quickly changed."

chart: What sources of breaches  of espionage  pose the greatest threat to your company?

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.