

4/18/2011
02:15 PM

Midmarket Security: 5 Risks, 5 Practical Responses

Smaller companies deal with enterprise-grade threats and compliance challenges, and partners are imposing requirements for sophisticated controls and audits that may be overwhelming. Here's how to cope.

Problem 3: A False Sense Of Security

Only about a quarter of the midsize IT organizations responding to our survey think they'll be attacked this year. That's symptomatic of a pervasive belief that their companies are small potatoes and therefore of no interest to criminals.

This couldn't be further from the truth.

The latest Verizon Data Breach Investigations Report shows a dramatic shift from high-yield attacks on large enterprises, such as major financial institutions, in which hundreds of thousands or even millions of records were stolen, to smaller enterprises. Although many more breaches were investigated for Verizon's 2011 report, it found that the number of records stolen fell precipitously, from 141 million in 2010 to 4 million in 2011. In 2009, the figure was 361 million. "Attackers have figured out that smaller companies not only have valuable data with fewer protections, but that their networks can be weaker back doors to enterprise partners," says Michael Davis, CEO of security integrator Savid Technologies. "Maybe I can't hack into Wal-Mart, but if I can get deep into a supplier's systems, that can be almost as good."

Moreover, banking Trojans, notably Zeus, have been used to clean out SMB bank accounts. Security journalist Brian Krebs has reported numerous examples of tens of thousands, and in some cases hundreds of thousands, of dollars being lifted. The Epsilon breach and the earlier SilverPop attack focused on stealing names and email addresses, so that attackers can fashion targeted spear-phishing against individuals and businesses. Cybercriminals are also using Facebook and other social media sites to gather everything from credentials to sensitive corporate information to knowledge of systems and security measures in order to target businesses.

Those midsize companies we surveyed that were attacked report severe consequences, starting with networks and applications being unavailable and the loss of business, time, and money spent bringing them back online. One-third of companies that reported attacks were denial-of-service victims, and one-quarter say that intellectual property and/or confidential information was compromised--possibly putting partners at risk through supply chain and payment system connections. Small potatoes?

Penn says most midmarket companies don't need consultants to show where they're at risk and how to address weak points; they can turn to managed security service providers, VARs, and security vendors for guidance. On the other hand, Zynex found it cost-effective to bring in a consultant to perform a gap analysis of its information security program. Empey got an overview of all the company's HIPAA, SOX, and PCI DSS requirements and thus was able to implement a smart mitigation plan.

chart: Which of these security technologies or practices are very effective in protecting your company from internal or external security threats?

Problem 4: Outside Attacks

If most midsize companies think they're too small to be attractive to attackers, it's ironic that a high percentage of respondents to our survey, 65%, think cybercriminals pose the greatest threat to their data, followed closely by employees and other authorized users. In fact, insiders were responsible for only a small percentage (17%) of data breaches investigated in the Verizon report, while nine of 10 involved external agents (there's some overlap because breaches can come from a combination of internal and external sources).

Armstrong Atlantic's McGuthry thinks people, more than technology, are key to preventing most breaches. "The biggest concern I have is whether or not our people are following the right procedures," he says.

This point gets back to the value of user awareness in policy enforcement. While a determined, sophisticated attacker is difficult to stop, even for enterprises, good user behavior will prevent the losses from common phishing attacks and drive-by downloads from suspicious websites. All companies must invest time and money, either internally or through a service provider, to monitor what's going on across their networks. "Listen to the heartbeat of your environment," says McGuthry. "Use log analysis tools, and have someone focused on looking at those logs." Trend analysis is essential, as is baselining, to determine typical and acceptable behavior, so that anomalous activity will trigger alerts.
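The baselining described above, as an added example that is not part of the original article: it learns a per-host hourly baseline of failed logins from "normal" days and alerts when a later hour exceeds it. The log format, host names, the multiplier `k` and the `floor` value are assumptions, and all log lines are constructed.

```python
import re
import statistics
from collections import Counter, defaultdict

# Assumed log format (constructed for this example, not from any real system).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2} (\S+) sshd: Failed password for \S+")

def make_lines(day, host, per_hour):
    """Build constructed log lines; per_hour maps hour -> number of failures."""
    return [f"{day}T{hour:02d}:{i % 60:02d}:00 {host} sshd: Failed password for user{i % 3}"
            for hour, n in per_hour.items() for i in range(n)]

def hourly_counts(lines):
    """Count failed logins per (host, day, hour) bucket; skip unparsable lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            day, hour, host = m.groups()
            counts[(host, day, hour)] += 1
    return counts

def build_baseline(counts):
    """Per-host mean and population std deviation over hours that had failures."""
    per_host = defaultdict(list)
    for (host, _day, _hour), n in counts.items():
        per_host[host].append(n)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def find_anomalies(counts, baseline, k=3.0, floor=5):
    """Alert above max(mean + k*stdev, floor); unseen hosts get the floor alone."""
    alerts = []
    for (host, day, hour), n in sorted(counts.items()):
        mean, sd = baseline.get(host, (0.0, 0.0))
        if n > max(mean + k * sd, floor):
            alerts.append((host, day, hour, n))
    return alerts

# Two constructed "normal" days, then a day with a 03:00 burst and a new host.
BASELINE_LINES = (make_lines("2011-04-11", "mail01", {9: 2, 10: 3, 14: 2, 16: 3})
                  + make_lines("2011-04-12", "mail01", {9: 3, 11: 2, 15: 2}))
TODAY_LINES = (make_lines("2011-04-13", "mail01", {9: 3, 10: 2, 3: 40})
               + make_lines("2011-04-13", "fin02", {22: 6}))

def run():
    baseline = build_baseline(hourly_counts(BASELINE_LINES))
    return find_anomalies(hourly_counts(TODAY_LINES), baseline)
```

The floor keeps a quiet host with near-zero variance from alerting on every small fluctuation, and it is the only threshold applied to a host that never appeared in the baseline.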

We asked our survey respondents from midsize companies to rate the effectiveness of 19 security technologies or practices. Data encryption was rated No. 1, with nearly half (47%) identifying it as "very effective" in protecting their data, followed closely by firewalls at 44%. And they're practicing what they preach: 45% of respondents encrypt data on servers and fixed storage devices, as well as in transit. In addition, 43% encrypt data on laptops and portable storage devices.

One reason Empey is moving from faxes to Microsoft's Dynamics CRM cloud-based service for transmitting information from Zynex's sales force is improved security and HIPAA compliance, because the data will be encrypted in transit.

Survey respondents placed endpoint protection high on their defense list as well, and Forrester's Penn says the growing focus on endpoints as an attack vector, particularly for Web-based attacks, means midsize companies have to demand more than "lite" versions of enterprise products. "They may need advanced features but delivered in a way that's easy to implement, with preconfigured settings that are a good baseline and templates," he says.

If your devices have only basic protection, do a cost-benefit comparison of available products and consider moving up to the next level.

An incident response plan is also essential. A company can contain an attack before it can do serious damage if it reacts rapidly and appropriately. Train users to recognize abnormal behavior and know how and where to report it. "The last thing you want is people scrambling about trying to figure out what's going on," says Penn. McGuthry agrees, and adds that a plan doesn't have to be elaborate. "You should always have a plan for knowing what to do when you don't know what to do," he says.

We discuss the right way to do incident response in our recent Dark Reading digital issue.

chart: How did attacks affect your company?

Problem 5: Limited Resources

Getting management buy-in and adequate funding is cited as a top security challenge by 24% of our survey respondents. "Outside the IT department, security may not be on the corporate road map," says TerraCycle's Sharp. "Too often, there's no budget for smoke detectors until the house is burning."

Most security pros chafe at tight budgets, but there are ways to do more with less. First, build security in at the beginning. Security is far less likely to be adequately funded if it's tacked on after a project is approved. Bundle requirements and expenses into the proposal as part of the cost-benefit equation.

And don't assume that increasing spending is a nonstarter. In our full Strategic Security Survey, 38% of respondents say their companies' spending on information security will increase this year, and an additional 49% say budgets will remain level.

Cloud-based security services are relatively inexpensive, and many let users scale on demand, without worrying about daily management or upgrades. One caveat: 48% of our midmarket respondents worry about security defects in cloud technology itself, and many are concerned about unauthorized access to or leaking of either proprietary (39%) or customer (46%) information. But the reality is, the expertise security cloud providers offer vs. what most midsize companies can afford on their own may offset those concerns.

Be sure to vet cloud providers for SAS 70 Type 2 auditing, levels of encryption, and adherence to the regulatory controls you need to be concerned with. For more tips, see our latest cloud risk report.

chart: What are your top concerns about cloud services?
