02:15 PM
Connect Directly

Midmarket Security: 5 Risks, 5 Practical Responses

Smaller companies deal with enterprise-grade threats and compliance challenges, and partners are imposing requirements for sophisticated controls and audits that may be overwhelming. Here's how to cope.

We analyzed 699 responses to our InformationWeek Analytics 2011 Strategic Security Survey from IT and security pros at companies with fewer than 1,000 employees, and we found that they take information security every bit as seriously as large enterprises. They're wrestling with the same challenges, including managing the complexity of security, enforcing policies, preventing data breaches, and assessing risk, but they're doing it with less funding, expertise, and technology.

"Somewhere between 30 and 150 people, you reach the really scary spot," says Lee Sharp, network and systems manager for recycling company TerraCycle. "Midsize companies have all the complexity of big companies but can't afford the big tools and can't easily enforce policy."

Problem 1: Managing Security Complexity

Managing the complexity of security is far and away the greatest challenge midsize IT organizations face--50% of our 699 survey respondents identified it as problem No. 1, 16 percentage points ahead of the next biggest issue, enforcing security policies. A smaller number of people and nodes to protect is little comfort when criminals have diversified their attacks and you're faced with increasingly mobile employees accessing business networks from insecure wireless hotspots, often using unmanaged devices.

Oh, and most midsize companies must comply with at least one, and frequently multiple, regulations, including PCI DSS, HIPAA, state privacy laws, and the Sarbanes-Oxley Act for public companies. Audits are a major time suck.

The complexity problem is exacerbated by stringent requirements from partners--often much larger companies, with more resources--whose information they handle. Small companies are being forced to sign on to stronger policies, processes, and controls and adopt expensive, sophisticated security technologies as a condition of doing business with those larger partners.

Jonathan Penn, an analyst with Forrester Research, points to email marketing firm Epilson, which recently suffered a major breach. The company's data security practices will be under tighter scrutiny from its giant clients, including Best Buy, JPMorgan Chase, and Walgreens, whose customer data was stolen.

Midsize companies are in an especially tough spot; they're too big to keep tabs on what every user is doing but too small to absorb heavy requirements from partners.

Managed and hosted security services are arguably the only plausible way to cost-effectively counter security complexity. The trick is finding the right one. We discuss exactly how to choose a partner in our report on security services strategies for small and midsize firms, which includes a checklist tailored to low-, medium-, and high-risk environments. Integrated security suites provide desktop and server antivirus and anti-malware protection as well as email and Web security, all with unified management. Then, fill in gaps by adding such services as endpoint data loss prevention and encryption, which increasingly is a requirement for state data privacy laws.

Of course, the best security can be bypassed if you don't have a strong password policy.

chart: What are the biggest information and network security challenges facing your company?

Problem 2: Enforcing Policy

Outsourcing a security technology and management doesn't absolve you of responsibility for employee behavior, something 34% of respondents cite as a major challenge. Yes, formulating rules for safe computing and handling of and access to sensitive data takes time, executive buy-in, and some level of automation. The key is dropping the us vs. them mentality and working with employees as security partners. "We rely on end user training to make people aware of what's good behavior on their computers--how you handle passwords, access, what's responsible vs. risky behavior," says John McGuthry, CIO of Armstrong Atlantic State University in Savannah, Ga. "If you don't create good behavior and good habits, everything else breaks down."

A best practice is to require that anyone with access to sensitive information undergo annual security training. There's help available here, too. Pain management specialist Zynex Medical turned to a cloud-based learning management service for regulatory compliance training for all employees and independent sales reps. The service helps Zynex document training, which helps at audit time. "It's a big mitigating factor for regulatory exposure," says David Empey, Zynex's director of regulatory compliance. "The cloud service shows we trained and tested competency of folks in all areas where they have to be compliant."

Forrester's Penn calls users the first and last line of defense. Training them to identify suspicious activity, where to report it, and even what to do to preserve evidence from a forensic perspective can make the difference between containment and an infection that spreads throughout the network.

Complement education with strong change management policies and procedures to assure that network devices, critical servers, and firewalls are properly configured. Armstrong Atlantic's McGuthry has put in place procedures that must be followed every time there's a configuration change on a firewall or a significant modification of an application, for example. All affected parties--within and outside of IT--are informed before changes are made, to ensure that all security, network, and business needs are addressed. Every change includes a plan for testing and recovery to return the device or application to its original state if necessary. And every change is documented, and that information securely stored.

"No one can make a change outside this process," McGuthry says. "If someone does, that's a behavior that's quickly changed."

chart: What sources of breaches  of espionage  pose the greatest threat to your company?

1 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.