Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/17/2011
09:57 AM
50%
50%

4 Security Issues SMBs Should Watch In 2012

Webroot's CTO looks ahead and shares security predictions that will matter to small and midsize businesses.

10 Important Cloud Apps For SMBs
10 Important Cloud Apps For SMBs
(click image for larger view and for slideshow)
Thanksgiving's almost here, with the winter holidays close on its heels. That means a rash of overeating, last-minute shopping, and--of course--bold predictions for the coming year.

On the security front, Webroot CTO Mel Morris read his crystal ball and came up with seven predictions for 2012. It's a reasonable list, in blog form, and it's tough to take major issue with the calls. (Well, maybe his second prediction, which suggests that 2012 will be the year that security firms gain the upper hand on the bad guy--that one seems a tad self-serving.) But four of the predictions on Morris's list really apply to small and midsize businesses (SMBs).

1. Masses will migrate to cloud platforms. This prediction seems to lean a little hard on retrospect--except that Morris is talking about John and Jane Doe--not businesses. Morris tied his prediction to Apple's recent iCloud launch and said it will make online applications the public norm rather than a trend. Continued consumerization will, in turn, force IT pros to deal with cloud applications--and any inherent security concerns--whether they want to or not.

Morris isn't talking about things like Web-based email--already somewhat old-fashioned in 2011--but file sharing, storage, and a much broader range of tools. Many tech-savvy SMBs are well ahead of this curve, but there are no doubt firms that have stayed away for security or other reasons. A potential silver lining: If a broader range of cloud platforms goes mainstream, then (hopefully) there'll be more onus on vendors to invest in security--if for no other reason than the increasing cost of a breach and the ensuing PR fallout.

2. Your smartphone will be a target. If you're placing bets, this one is easy money. Morris gives a general pat on the back to the security industry here, saying that because it has done a good job of protecting traditional endpoints, the bad guys will gold-rush the mobile frontier. "We will see an increase in Android and iPhone attacks: rogue apps, malicious links, and spyware targeted at smartphones and tablets," he said. "It's all about data, and business users and consumers alike store an abundance of highly sensitive and poorly guarded information on their mobile devices." SMBs need a mobile arm to their security plans that deals with both the devices themselves and the apps that run on them. Speaking of which...

3. Legitimate applications will be used for illegitimate activities. The cynic might say: "Duh." Just this week, Facebook--how many of your employees aren't using it?--got hit with a widespread porn attack. Morris is more concerned about the vast, growing universe of mobile apps in use on employee smartphones and tablets--whether those are company-supported or not. "A simple glance at an application like Plane Finder illustrates the vast amount of data that is at anyone's fingertips," he said.

[For more on smartphone security, check out Dark Reading's Pocket Guide To Securing Mobile Devices.]

4. Our weakest link will be strengthened. Morris has faith in humanity: He thinks we'll get smarter about security practices in 2012: "Indifference toward security will diminish." That's an interesting one for SMBs--their innate agility and leaner staff should make it easier to educate users on both the fundamentals and evolving problems. Yet SMBs--just like much larger concerns--run into problems all of the time, often as the result of human error. But it's not like this will just magically happen once the ball drops at midnight on January 1. It requires a philosophical shift--one that need not depend on a big budget. Is Morris right--will we get smarter next year? Let's hope so.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...