Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/18/2011
02:15 PM
50%
50%

Midmarket Security: 5 Risks, 5 Practical Responses

Smaller companies deal with enterprise-grade threats and compliance challenges, and partners are imposing requirements for sophisticated controls and audits that may be overwhelming. Here's how to cope.

We analyzed 699 responses to our InformationWeek Analytics 2011 Strategic Security Survey from IT and security pros at companies with fewer than 1,000 employees, and we found that they take information security every bit as seriously as large enterprises. They're wrestling with the same challenges, including managing the complexity of security, enforcing policies, preventing data breaches, and assessing risk, but they're doing it with less funding, expertise, and technology.

"Somewhere between 30 and 150 people, you reach the really scary spot," says Lee Sharp, network and systems manager for recycling company TerraCycle. "Midsize companies have all the complexity of big companies but can't afford the big tools and can't easily enforce policy."

Problem 1: Managing Security Complexity

Managing the complexity of security is far and away the greatest challenge midsize IT organizations face--50% of our 699 survey respondents identified it as problem No. 1, 16 percentage points ahead of the next biggest issue, enforcing security policies. A smaller number of people and nodes to protect is little comfort when criminals have diversified their attacks and you're faced with increasingly mobile employees accessing business networks from insecure wireless hotspots, often using unmanaged devices.

Oh, and most midsize companies must comply with at least one, and frequently multiple, regulations, including PCI DSS, HIPAA, state privacy laws, and the Sarbanes-Oxley Act for public companies. Audits are a major time suck.

The complexity problem is exacerbated by stringent requirements from partners--often much larger companies, with more resources--whose information they handle. Small companies are being forced to sign on to stronger policies, processes, and controls and adopt expensive, sophisticated security technologies as a condition of doing business with those larger partners.

Jonathan Penn, an analyst with Forrester Research, points to email marketing firm Epilson, which recently suffered a major breach. The company's data security practices will be under tighter scrutiny from its giant clients, including Best Buy, JPMorgan Chase, and Walgreens, whose customer data was stolen.

Midsize companies are in an especially tough spot; they're too big to keep tabs on what every user is doing but too small to absorb heavy requirements from partners.

Managed and hosted security services are arguably the only plausible way to cost-effectively counter security complexity. The trick is finding the right one. We discuss exactly how to choose a partner in our report on security services strategies for small and midsize firms, which includes a checklist tailored to low-, medium-, and high-risk environments. Integrated security suites provide desktop and server antivirus and anti-malware protection as well as email and Web security, all with unified management. Then, fill in gaps by adding such services as endpoint data loss prevention and encryption, which increasingly is a requirement for state data privacy laws.

Of course, the best security can be bypassed if you don't have a strong password policy.

chart: What are the biggest information and network security challenges facing your company?

Problem 2: Enforcing Policy

Outsourcing a security technology and management doesn't absolve you of responsibility for employee behavior, something 34% of respondents cite as a major challenge. Yes, formulating rules for safe computing and handling of and access to sensitive data takes time, executive buy-in, and some level of automation. The key is dropping the us vs. them mentality and working with employees as security partners. "We rely on end user training to make people aware of what's good behavior on their computers--how you handle passwords, access, what's responsible vs. risky behavior," says John McGuthry, CIO of Armstrong Atlantic State University in Savannah, Ga. "If you don't create good behavior and good habits, everything else breaks down."

A best practice is to require that anyone with access to sensitive information undergo annual security training. There's help available here, too. Pain management specialist Zynex Medical turned to a cloud-based learning management service for regulatory compliance training for all employees and independent sales reps. The service helps Zynex document training, which helps at audit time. "It's a big mitigating factor for regulatory exposure," says David Empey, Zynex's director of regulatory compliance. "The cloud service shows we trained and tested competency of folks in all areas where they have to be compliant."

Forrester's Penn calls users the first and last line of defense. Training them to identify suspicious activity, where to report it, and even what to do to preserve evidence from a forensic perspective can make the difference between containment and an infection that spreads throughout the network.

Complement education with strong change management policies and procedures to assure that network devices, critical servers, and firewalls are properly configured. Armstrong Atlantic's McGuthry has put in place procedures that must be followed every time there's a configuration change on a firewall or a significant modification of an application, for example. All affected parties--within and outside of IT--are informed before changes are made, to ensure that all security, network, and business needs are addressed. Every change includes a plan for testing and recovery to return the device or application to its original state if necessary. And every change is documented, and that information securely stored.

"No one can make a change outside this process," McGuthry says. "If someone does, that's a behavior that's quickly changed."

chart: What sources of breaches  of espionage  pose the greatest threat to your company?

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22152
PUBLISHED: 2021-05-13
A Denial of Service due to Improper Input Validation vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially to prevent any new user connections.
CVE-2021-22153
PUBLISHED: 2021-05-13
A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with t...
CVE-2021-22154
PUBLISHED: 2021-05-13
An Information Disclosure vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially gain access to a victim's web history.
CVE-2021-20331
PUBLISHED: 2021-05-13
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "i...
CVE-2021-31215
PUBLISHED: 2021-05-13
SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.