We analyzed 699 responses to our InformationWeek Analytics 2011 Strategic Security Survey from IT and security pros at companies with fewer than 1,000 employees, and we found that they take information security every bit as seriously as large enterprises. They're wrestling with the same challenges, including managing the complexity of security, enforcing policies, preventing data breaches, and assessing risk, but they're doing it with less funding, expertise, and technology.
"Somewhere between 30 and 150 people, you reach the really scary spot," says Lee Sharp, network and systems manager for recycling company TerraCycle. "Midsize companies have all the complexity of big companies but can't afford the big tools and can't easily enforce policy."
Problem 1: Managing Security Complexity
Managing the complexity of security is far and away the greatest challenge midsize IT organizations face--50% of our 699 survey respondents identified it as problem No. 1, 16 percentage points ahead of the next biggest issue, enforcing security policies. A smaller number of people and nodes to protect is little comfort when criminals have diversified their attacks and you're faced with increasingly mobile employees accessing business networks from insecure wireless hotspots, often using unmanaged devices.
Oh, and most midsize companies must comply with at least one, and frequently multiple, regulations, including PCI DSS, HIPAA, state privacy laws, and the Sarbanes-Oxley Act for public companies. Audits are a major time suck.
The complexity problem is exacerbated by stringent requirements from partners--often much larger companies, with more resources--whose information they handle. Small companies are being forced to sign on to stronger policies, processes, and controls and adopt expensive, sophisticated security technologies as a condition of doing business with those larger partners.
Jonathan Penn, an analyst with Forrester Research, points to email marketing firm Epsilon, which recently suffered a major breach. The company's data security practices will be under tighter scrutiny from its giant clients, including Best Buy, JPMorgan Chase, and Walgreens, whose customer data was stolen.
Midsize companies are in an especially tough spot; they're too big to keep tabs on what every user is doing but too small to absorb heavy requirements from partners.
Managed and hosted security services are arguably the only plausible way to cost-effectively counter security complexity. The trick is finding the right one. We discuss exactly how to choose a partner in our report on security services strategies for small and midsize firms, which includes a checklist tailored to low-, medium-, and high-risk environments. Integrated security suites provide desktop and server antivirus and anti-malware protection as well as email and Web security, all with unified management. Then, fill in gaps by adding such services as endpoint data loss prevention and encryption, which increasingly is a requirement for state data privacy laws.
Of course, the best security can be bypassed if you don't have a strong password policy.
Problem 2: Enforcing Policy
Outsourcing security technology and its management doesn't absolve you of responsibility for employee behavior, something 34% of respondents cite as a major challenge. Yes, formulating rules for safe computing and for handling of and access to sensitive data takes time, executive buy-in, and some level of automation. The key is dropping the us vs. them mentality and working with employees as security partners. "We rely on end user training to make people aware of what's good behavior on their computers--how you handle passwords, access, what's responsible vs. risky behavior," says John McGuthry, CIO of Armstrong Atlantic State University in Savannah, Ga. "If you don't create good behavior and good habits, everything else breaks down."
A best practice is to require that anyone with access to sensitive information undergo annual security training. There's help available here, too. Pain management specialist Zynex Medical turned to a cloud-based learning management service for regulatory compliance training for all employees and independent sales reps. The service helps Zynex document training, which helps at audit time. "It's a big mitigating factor for regulatory exposure," says David Empey, Zynex's director of regulatory compliance. "The cloud service shows we trained and tested competency of folks in all areas where they have to be compliant."
Forrester's Penn calls users the first and last line of defense. Training them to identify suspicious activity, where to report it, and even what to do to preserve evidence from a forensic perspective can make the difference between containment and an infection that spreads throughout the network.
Complement education with strong change management policies and procedures to ensure that network devices, critical servers, and firewalls are properly configured. Armstrong Atlantic's McGuthry has put in place procedures that must be followed every time there's a configuration change on a firewall or a significant modification of an application, for example. All affected parties--within and outside of IT--are informed before changes are made, to ensure that all security, network, and business needs are addressed. Every change includes a plan for testing and for recovery, so the device or application can be returned to its original state if necessary. And every change is documented, with that record stored securely.
"No one can make a change outside this process," McGuthry says. "If someone does, that's a behavior that's quickly changed."
Problem 3: A False Sense Of Security
Only about a quarter of the midsize IT organizations responding to our survey think they'll be attacked this year. That's symptomatic of a pervasive belief that their companies are small potatoes and therefore of no interest to criminals.
This couldn't be further from the truth.
The latest Verizon Data Breach Investigations Report shows a dramatic shift away from high-yield attacks on large enterprises, such as major financial institutions, in which hundreds of thousands or even millions of records were stolen, toward smaller enterprises. Although many more breaches were investigated for Verizon's 2011 report, the number of records stolen fell precipitously over the three years the report covers: from 361 million, to 141 million, to just 4 million in the most recent year. "Attackers have figured out that smaller companies not only have valuable data with fewer protections, but that their networks can be weaker back doors to enterprise partners," says Michael Davis, CEO of security integrator Savid Technologies. "Maybe I can't hack into Wal-Mart, but if I can get deep into a supplier's systems, that can be almost as good."
Moreover, banking Trojans, notably Zeus, have been used to clean out SMB bank accounts. Security journalist Brian Krebs has reported numerous examples of tens of thousands, and in some cases hundreds of thousands, of dollars being lifted. The Epsilon breach and the earlier SilverPop attack focused on stealing names and email addresses, so that attackers can fashion targeted spear-phishing against individuals and businesses. Cybercriminals are also using Facebook and other social media sites to gather everything from credentials to sensitive corporate information to knowledge of systems and security measures in order to target businesses.
Those midsize companies we surveyed that were attacked report severe consequences, starting with networks and applications being unavailable and the loss of business, time, and money spent bringing them back online. One-third of companies that reported attacks were denial-of-service victims, and one-quarter say that intellectual property and/or confidential information was compromised--possibly putting partners at risk through supply chain and payment system connections. Small potatoes?
Penn says most midmarket companies don't need consultants to show where they're at risk and how to address weak points; they can turn to managed security service providers, VARs, and security vendors for guidance. On the other hand, Zynex found it cost-effective to bring in a consultant to perform a gap analysis of its information security program. Empey got an overview of all the company's HIPAA, SOX, and PCI DSS requirements and thus was able to implement a smart mitigation plan.
Problem 4: Outside Attacks
If most midsize companies think they're too small to be attractive to attackers, it's ironic that a high percentage of respondents to our survey, 65%, think cybercriminals pose the greatest threat to their data, followed closely by employees and other authorized users. In fact, insiders were responsible for only a small percentage (17%) of data breaches investigated in the Verizon report, while nine of 10 involved external agents (there's some overlap because breaches can come from a combination of internal and external sources).
Armstrong Atlantic's McGuthry thinks people, more than technology, are key to preventing most breaches. "The biggest concern I have is whether or not our people are following the right procedures," he says.
This point gets back to the value of user awareness in policy enforcement. While a determined, sophisticated attacker is difficult to stop, even for enterprises, good user behavior heads off most losses from common phishing attacks and drive-by downloads from suspicious websites. All companies must invest time and money, either internally or through a service provider, to monitor what's going on across their networks. "Listen to the heartbeat of your environment," says McGuthry. "Use log analysis tools, and have someone focused on looking at those logs." Trend analysis is essential, as is baselining: establish what typical, acceptable behavior looks like for each host and user so that activity outside that baseline triggers an alert, rather than alerting on a fixed threshold that is too noisy for some sources and too lax for others.
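To make the baselining advice concrete, here is an added example (not code from the article or from any product it mentions) that runs over constructed sshd authentication lines. It learns, per source address, the mean and standard deviation of failed logins per hour from a quiet training day, then flags any hour on the following day in which a source exceeds mean plus three standard deviations, with a small absolute floor so that a single mistyped password never alerts. The host name, IP addresses (all from documentation ranges), the mean-plus-3σ rule and the floor of 3 are assumptions made for the illustration; a real deployment would train over weeks, not one day.

```python
"""Baseline-and-alert over sshd authentication log lines (added example)."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Matches the syslog-style lines OpenSSH emits for password/publickey attempts.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"\S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines):
    """Return (hour_bucket, source_ip, failed) per auth line; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        bucket = f"{m['mon']} {int(m['day']):02d} {m['hour']}"
        events.append((bucket, m["ip"], m["result"] == "Failed"))
    return events


def hourly_failures(events):
    """Map source_ip -> {bucket: failed-login count}, plus every bucket seen (for zero-filling)."""
    counts = defaultdict(lambda: defaultdict(int))
    buckets = set()
    for bucket, ip, failed in events:
        buckets.add(bucket)
        if failed:
            counts[ip][bucket] += 1
    return counts, buckets


def baseline(training_events):
    """Per-source (mean, population stddev) of failures per hour over the training window.
    Hours with no failures count as zero, so a quiet host ends up with a low baseline."""
    counts, buckets = hourly_failures(training_events)
    return {
        ip: (mean(series), pstdev(series))
        for ip, per_bucket in counts.items()
        for series in [[per_bucket.get(b, 0) for b in sorted(buckets)]]
    }


def detect(events, base, k=3.0, floor=3):
    """Return (bucket, ip, count, threshold) for each hour in which a source's failures
    exceed mean + k*stddev of its baseline. A source never seen in training is treated as
    (0, 0), so the absolute floor is what keeps one stray failure from alerting."""
    counts, _ = hourly_failures(events)
    alerts = []
    for ip, per_bucket in counts.items():
        mu, sd = base.get(ip, (0.0, 0.0))
        threshold = max(floor, mu + k * sd)
        for bucket, n in per_bucket.items():
            if n > threshold:
                alerts.append((bucket, ip, n, round(threshold, 2)))
    return sorted(alerts)


def _sshd_lines(day, hour, n, ip, result="Failed", user="invalid user admin"):
    """Render n constructed sshd lines for one source inside one hour bucket."""
    return [
        f"Apr {day:02d} {hour:02d}:{i:02d}:17 fw1 sshd[{day * 100 + hour}{i:02d}]: "
        f"{result} password for {user} from {ip} port {40000 + i} ssh2"
        for i in range(n)
    ]


# Constructed training day: a known noisy scanner (3-5 failures every hour) and an
# internal admin host that logs in once an hour and fat-fingers its password once.
TRAINING = []
for hour, n in zip(range(9, 17), [4, 3, 5, 4, 3, 4, 5, 4]):
    TRAINING += _sshd_lines(12, hour, n, "203.0.113.7")
    TRAINING += _sshd_lines(12, hour, 1, "198.51.100.20", "Accepted", "jsmith")
TRAINING += _sshd_lines(12, 11, 1, "198.51.100.20", "Failed", "jsmith")
TRAINING.append("Apr 12 12:00:00 fw1 sshd[9999]: Received disconnect from 203.0.113.7 port 40000:11: Bye Bye")

# Constructed detection day: the scanner triples its rate at 09:00 but is normal at 10:00,
# the admin host has an unusual burst of 4 failures, and a never-seen address shows up.
TODAY = (
    _sshd_lines(13, 9, 12, "203.0.113.7")
    + _sshd_lines(13, 10, 5, "203.0.113.7")
    + _sshd_lines(13, 9, 4, "198.51.100.20", "Failed", "jsmith")
    + _sshd_lines(13, 10, 7, "192.0.2.99")
)


def run_example():
    """Train on TRAINING, evaluate TODAY, return the alerts."""
    return detect(parse(TODAY), baseline(parse(TRAINING)))


if __name__ == "__main__":
    for bucket, ip, n, threshold in run_example():
        print(f"ALERT {bucket}: {ip} had {n} failed logins (baseline threshold {threshold})")
```

Note what the learned baseline buys you over a fixed rule: the scanner's 5 failures at 10:00 do not alert because that is ordinary for it, while the admin host's 4 failures do, because for that host anything above the floor is abnormal. The unknown address alerts only because it clears the floor; in practice you would also route first-seen sources to a separate, lower-priority queue.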
We asked our survey respondents from midsize companies to rate the effectiveness of 19 security technologies or practices. Data encryption was rated No. 1, with nearly half (47%) identifying it as "very effective" in protecting their data, followed closely by firewalls at 44%. And they're practicing what they preach: 45% of respondents encrypt data on servers and fixed storage devices, as well as in transit. In addition, 43% encrypt data on laptops and portable storage devices.
One reason Empey is moving Zynex's sales force from faxes to Microsoft Dynamics CRM, a cloud-based service, is improved security and HIPAA compliance, because the data will be encrypted in transit.
Survey respondents placed endpoint protection high on their defense list as well, and Forrester's Penn says the growing focus on endpoints as an attack vector, particularly for Web-based attacks, means midsize companies have to demand more than "lite" versions of enterprise products. "They may need advanced features but delivered in a way that's easy to implement, with preconfigured settings that are a good baseline and templates," he says.
If your devices have only basic protection, do a cost-benefit comparison of available products and consider moving up to the next level.
An incident response plan is also essential. A company can contain an attack before it can do serious damage if it reacts rapidly and appropriately. Train users to recognize abnormal behavior and know how and where to report it. "The last thing you want is people scrambling about trying to figure out what's going on," says Penn. McGuthry agrees, and adds that a plan doesn't have to be elaborate. "You should always have a plan for knowing what to do when you don't know what to do," he says.
We discuss the right way to do incident response in our recent Dark Reading digital issue.
Problem 5: Limited Resources
Getting management buy-in and adequate funding is cited as a top security challenge by 24% of our survey respondents. "Outside the IT department, security may not be on the corporate road map," says TerraCycle's Sharp. "Too often, there's no budget for smoke detectors until the house is burning."
Most security pros chafe at tight budgets, but there are ways to do more with less. First, build security in at the beginning. Security is far less likely to be adequately funded if it's tacked on after a project is approved. Bundle requirements and expenses into the proposal as part of the cost-benefit equation.
And don't assume that increasing spending is a nonstarter. In our full Strategic Security Survey, 38% of respondents say their companies' spending on information security will increase this year, and an additional 49% say budgets will remain level.
Cloud-based security services are relatively inexpensive, and many let users scale on demand, without worrying about daily management or upgrades. One caveat: 48% of our midmarket respondents worry about security defects in cloud technology itself, and many are concerned about unauthorized access to or leaking of either proprietary (39%) or customer (46%) information. But the reality is, the expertise security cloud providers offer vs. what most midsize companies can afford on their own may offset those concerns.
Be sure to vet cloud providers for independent audit reports (SAS 70 Type II, which is being superseded by SSAE 16 SOC reports), for what they encrypt and how, both in transit and at rest, and for adherence to the regulatory controls you need to be concerned with. For more tips, see our latest cloud risk report.