Risk

7/18/2011
06:37 PM

4 Basic Security Steps For SMBs

Time and budget limitations make poor excuses for a lack of security. Here are four key considerations for resource-constrained IT administrators at smaller companies.

Security tends to be an area that small and midsize businesses know they need to address but nonetheless leave unattended. There's always something more pressing on the priority list.

The bad guys love those companies.

Sure, there's no such thing as foolproof security. But time and budget limitations shouldn't keep smaller businesses from securing their information. Not taking at least basic steps toward real IT security can lead to a series of technology-borne plagues: your website starts moonlighting as a malware factory, your hosted phone system becomes someone else's call center for a weekend, your finance staffer unwittingly turns over banking credentials to a hacker. Any or all of the above can damage the company's reputation and its bottom line.

So what's the lean-and-mean SMB to do? Rick Carlson, president of Panda Security, notes that there's no one-size-fits-all approach. Panda focuses on smaller customers, and the vendor recently released the latest version of its Panda Cloud Office Protection service. It's in Carlson's job description to be a bit biased on the topic: "The client-server architecture is dead," he said in an interview. But he does offer up four fundamentals for SMB owners and IT pros to keep in mind, regardless of what tools or applications you favor.

Embrace the holistic view. Security is no longer an office-and-desktop paradigm. Once upon a time, an IT administrator could secure the physical office's network and its endpoints and sleep well. Those days are gone--the mobility boom and the related virtual workforce require a different thought process.

Carlson himself spoke to me from his home office where he works one or two days each week. "The workforce is changing," Carlson said. "It's no longer enough to lock down your specific network because you've got machines coming on and off the network constantly. The challenge now for IT administrators at small businesses is to protect those machines regardless of where they are." Easier said than done--read on for the "how"--but Carlson said it's the underlying philosophy that SMBs need to adopt. Otherwise, no number of tools or policies will get the security job done.

Have a staff security policy and train people on it. Carlson said that a written security policy for employees and a corresponding education program for new or current team members is a crucial yet straightforward step that most SMBs overlook. Big mistake: "No matter how good the security is, the human being that is sitting behind the machine can always override that security," Carlson said. "Nobody's immune: the hourly or part-time right on up to the president or CEO."

It's a low- or no-cost process that doesn't have to eat up much time. Carlson advocates working with HR or the business owner to put something in place. The program should include employees signing a document that they understand the policy and are on board. "It's free other than the IT administrator's time, and they'll probably make that up by fighting a few less viruses," Carlson said.

Use automated security tools that actually do what you need them to do. It sounds like a "duh" moment but it bears remembering: When you choose your security weapons, choose wisely. Make sure applications meet your particular business needs; it's likely the case that you'll want a mix of tools.

Carlson noted the increasing importance of content filtering, for example--something Panda doesn't provide--to contend with mutating malware and other Web-based threats. This is where IT pros need to know the nature of their business and act accordingly: Highly mobile or virtual firms might be better suited with a cloud-based approach. Likewise, that same approach might not meet the requirements of a compliance-stricken company. Regardless, Carlson advises time-poor SMBs to look for largely automated tools that don't require much upkeep.

Take a restriction-versus-risk approach. Carlson's a proponent of weighing restriction against risk. "Simply put, the more restrictive you are the less risk you have," he said. Carlson's quick to add that heavy IT regulation won't work for every company, but recommends managing policy on an individual or at least group basis.

If a staffer doesn't need Facebook to do their job? "You may become a hero by restricting access to certain social media sites and time-wasters," Carlson said. The downside is becoming too heavy-handed. "You may create an environment that is too restrictive that stands in the way of people working," Carlson said. Still, the prudent IT manager can make smart choices that strike the right balance.

"You're looking at taking a risk-based approach to security by enabling the better-trained, better-informed employees to have more freedom," Carlson said. "Maybe the lower-level employees that haven't gone through training or don't need those types of accesses--those folks can be subjected to more restrictive roles."
