Top SMB Security Worries: Intellectual Property, MobileAn expert security researcher shares his top security concerns for SMBs in 2012 and offers advice on how smaller companies can manage risks.
10 Companies Driving Mobile Security (click image for larger view and for slideshow)
The more things change, the more they stay the same. That pretty much sums up the information security landscape for small and midsize businesses (SMBs) in the year ahead, according to the head of Blue Coat Security's research lab.
The security world is indeed ever-changing. Blue Coat, for example, shifted its protection approach in 2011 away from the point of attack to the underlying networks that enable and distribute malware and other threats. In the process, the company hopes to better identify threats before they unfold--Blue Coat likens it to the "pre-crime" conceit in Minority Report. Yet Chris Larsen, Blue Coat's head researcher, acknowledges many smaller companies don't have the resources to devote to sifting through traffic logs and similar methods. That doesn't mean SMBs are helpless. In an interview, Larsen detailed his priority concerns for SMBs to keep top of mind in 2012--and some of them should sound familiar by now.
For starters, Larsen issued a reminder: Be proactive. Even if you outsource security to a consultant or other vendor, remain engaged with what they're doing to keep you protected. Ask questions about processes, risks, and remediation. Set-it-and-forget-it deals have inherent shortcomings.
As in years past, basic security hygiene is still a must for any business, no matter how small. Every SMB has a bank account and other financial information, and banking-related fraud will remain the number one threat to smaller firms in 2012. Larsen said online criminals are usually thrilled to infiltrate an SMB network because the bank balance is almost always a multiple of the typical consumer account.
Protection is a matter of recognizing the threat and identifying which people, processes, and information inside your organization make likely targets. "If you know [bank fraud] is going on, than you can put defenses in place to watch for it," Larsen said.
The minimum safety practices that any SMB should deploy: Use strong passwords and anti-malware protection, stay current on patches and downloads, beware of fishy emails and links, and restrict account access to critical personnel. The extreme approach: Use a dedicated computer for banking--no email, no spreadsheets, nothing--and keep it offline when not in use. (Larsen said some Blue Coat employees redefine "extreme"--they boot their machines from a Linux CD any time they bank online. Larsen himself isn't so paranoid, but he still won't use a Windows PC to manage his finances online.)
There's a newer concern for some SMBs: Intellectual property (IP) theft. While it won't apply across the board, high-value data could make some companies juicy targets--even if they're not a household name or have no trophy cachet. Firms in areas such as biotech or those with government defense contracts make prime examples. While bank fraud usually involves indiscriminate, catch-all attacks, IP theft typically falls into the realm of targeted or "advanced persistent" threats. Identifying potential dangers involves taking more of a risk management approach.
"You have to do an analysis: Do we have something besides our bank account that would be of interest to somebody?" Larsen said. "If we do, we have to give some thought to how to protect it." Doing so involves indentifying where the valuable data lives, who has access to it, and knowing whether there's an audit trail to follow.
Any public company fits the bill here, no matter its size or industry, since sensitive corporate information could be used to profitably trade the firm's stock ahead of the market. Employee social media profiles and other data readily available online have made it easier than ever to orchestrate this type of planned attack, Larsen said.
"Traditionally, you might say that we're so small nobody will come after us. But if you have intellectual property that would make it worthwhile, then somebody will come after you--and if Google can get hacked, so can you," Larsen said. "The nice thing if you're a smaller organization: You have a lot more concentrated and fewer assets to keep an eye on than Google does."
Mobile, for all its business benefits, will continue to grow as the new Wild West for security. Larsen said that while large enterprises have been wringing their hands over mobile security for some time, it's now something much smaller companies need to worry about, too.
"It's very sexy and seductive to be able to have a little app for your iPhone that gets into your customer database so your sales guys can pull stuff up when they're out in the field," Larsen said. "What's to prevent a sales guy from walking out with your whole contact list? It's really easy to get seduced by how cool all the new toys are and not do the really hard work and think about all of the security implications."
Larsen said cloud security platforms will be the way to manage a vast array of devices. "You can't carry around your data center defenses with you," Larsen said. "You want to have that iPad or iPhone talking to a cloud portal that has those kinds of defenses in place." The good news: that cloud infrastructure continues to grow and make those kinds of protections available.
He also advised SMBs that embrace a bring-your-own-device approach do so in a security-conscious manner. In particular, consider a device-restrictive plan for protecting key assets. If your banking information is your most valuable data, for example, don't let employees access it with their personal mobile devices--even if they're encouraged to use them in other areas of the business.
That fits Larsen's general thesis for SMBs: If time, money, and staff all run in short supply, don't worry about protecting everything--worry about protecting what's actually valuable.
"It boils downs to for a smaller operation: Play the priorities. What am I going to prioritize protecting? And I'm going to make darn sure adequate protection on that, and everything else I'm just going to free-wheel because I can't deal with it," Larsen said. "That's a reasonable security compromise posture." InformationWeek is conducting our third annual State of Enterprise Storage survey on data management technologies and strategies. Upon completion, you will be eligible to enter a drawing to receive an Apple iPad 2. Take our Enterprise Storage Survey now. Survey ends Jan. 13.