Security On A Shoestring SMB Budget

The e-mail appeared to be an invitation from an old, junior high school friend. Yet when the hospital employee clicked on the link, it instead led her to a malicious site that installed a Trojan horse on her computer. In a little over a week, international cybercriminals used that beachhead to steal more than $600,000 from the woman's employer, according to a terse description of the incident on the Information Systems Security Association’s Web site.

A number of similar incidents to this one highlight the threats of online crime facing small and midsize businesses (SMBs), says Stan Stahl, president of Citadel Information Group and president of the Los Angeles chapter of the ISSA.

"Typically, they say, 'We have firewalls in place and have AV on all the desktops, so I guess we are secure,'" Stahl says. "But today cybercrime is so sophisticated that is not enough anymore."

Between a lack of security expertise and tight budgets due to the economic downturn, SMBs are hard-pressed to adequately secure their systems, networks, and data. Most SMBs don't have a dedicated IT person, never mind a dedicated security person. That's a problem because such businesses might once have been overlooked, but these days cybercriminals are finding them easy prey for schemes that aim to empty their bank accounts.

Yet recent surveys have found that SMBs are increasingly aware of online risks. Security spending will increase in the next year across the globe, with India and China increasing their spending to a greater degree. But even in the U.S. and U.K., security budgets will increase by 20 percent, according to a CompTIA survey.

"Smaller businesses have ignored security in the past, but -- because of some major breaches -- they are more cognizant of what it is today," says Steven Ostrowski, spokesman for CompTIA, a trade association for IT professionals.

For those businesses, security experts say several simple -- and inexpensive -- steps can dramatically improve a company's chances against attackers.

The most important step is that someone, preferably an executive, needs to be responsible for information security, Citadel's Stahl says.

"One of the questions that we ask when we do an assessment is, 'Who is in charge of IT security?' and it's very telling to see how employees give us different answers, which, of course, means that no one is in charge," he says. "So one of the things that we do with the client is find where the buck has to stop."

That's important because executives needs to support IT managers who make decisions. Security does not work if a vice president can circumvent policy just because he or she wants a simpler password, Stahl says.

Companies should also create a policy that guides users and IT managers in their actions. For SMBs, the largest threat is uninformed employees, according to CompTIA's annual study. Most infections these days are through social engineering. Scams such as e-mail messages claiming to be fake UPS or FedEx receipts, complaints from the IRS, or announcements from the FBI can fool unwary workers.

Training and education are key defenses against such tactics, and a well-written and easy-to-understand policy can help, Ostrowski says.

"Even the smallest business can put a security policy in place," he adds. "It does not have to be complex, and you are not expecting every employee to get an CISSP."

In a survey conducted last year, 60 percent of respondents told CompTIA they had implemented a comprehensive security policy. Such policies can help protect SMBs' most important assets: their accounting packages, where all of their financial information resides, as well as their customer lists. In most cases, e-mail and e-mail functionality are critical to their business as well.

"A lot of important business information resides in a business person's e-mail," says Jim Lippie, vice president of Staples Network Services.

In terms of creating a security team, SMBs face the same three options that larger enterprises have: They can do it themselves, outsource security to external consultants or solution providers, or subscribe to a managed service.

For most SMBs, creating your own IT security staff is too expensive. In its SMB services practice, office supply chain Staples rarely runs into even a full-time security person, Staples' Lippie says. About 80 percent of the group's SMB clients use the Staples' group for all of their IT needs. Only 20 percent have an IT person and use the service to augment their own program, he says.

"The point-of-contact usually does not have a technical background," Lippie says.

Companies that eschew a full-time IT administration should make sure their systems are set to automatically update software to close potential vulnerabilities. While some larger companies wait to apply patches to evaluate the impact of the software updates on all of their systems, most smaller businesses have no reason to delay.

"When the manufacturers send out the security patches and fixes, install them right away -- don't ignore them," Ostrowski says.

Staples' Lippie agrees that patching is part of the basic security steps a small business can take to secure themselves. When its consultants install desktops and laptops, it automates the patch process so that clients have a solid foundation of security.

Finally, companies should bring in security expertise, whether though a full-time employees, a consultant, or even as an assessment prior to subscribing to a managed service. For many smaller firms, a cloud service can provide the necessary day-to-day monitoring. Eyeing that market, the larger security firms -- such as McAfee and Symantec -- are creating integrated cloud security services.

"The SMB just wants security to be simple," says Marc Olesen, senior vice president of McAfee's content and cloud security group. "They want the protection, but they don't have the expertise or capacity."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.