
For SMBs, Being Security-Savvy Doesn't Always Mean Doing It Yourself

When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro.

But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are just as concerned about security as their larger counterparts, but when their people attempt to ask questions or get the tools they need to build strong defenses, they are treated as "neophytes" or given tools they simply do not have the time or skills to learn to use properly. And because they don't have tools that work at their skill levels or have the support of the elite security community, they are sometimes left with no easy way to access the best defenses and tools available.

Without a viable in-house option, many SMBs begin to seek out third-party security services that can help them do business securely. They begin to pay attention to late-night TV ads for Finallyfast.com or Internet ads that promise "spyware removal services" at impossibly low prices. And the next thing they know, small business IT administrators have made their environments even less secure than they were before.

And the situation is getting worse. As the economy shrinks, SMBs have even less time and fewer resources to devote to security. But in difficult economic times, cybercriminals step up their efforts to hack and fool small businesses, and the number of fraudulent "security services" and solutions continues to increase. Despite advances in security technology, one could easily argue that SMBs have never been as vulnerable to attack as they are right now.

What's needed is some guidance on how to choose third-party security services, especially when you have little or no security expertise in-house. SMB employees with IT responsibilities need to understand the vast differences between services from companies such as Microsoft or AT&T, and the technologies that are offered by startups and independent service providers that may -- or may not -- offer viable options. Next week, Dark Reading will publish a short guide about how to choose a service provider -- a report that will at least provide a few tips on the selection process.

But more help is needed. In the long run, SMBs need some means of vetting potential security service providers, either through standards organizations or a sanity-checking organization that plays a role similar to Consumer Reports. It isn't fair that the companies least able to evaluate security services -- those with the fewest security skills -- are the ones most likely to rely on third-party service providers for the very integrity of their data. It's simply too easy today for a small business to be sold down the river by a security service provider that promises the moon.

Until some method of certifying security services exists, however, I call on the most talented and savvy security professionals -- the readers of Dark Reading -- to play a more active role in helping small businesses to learn what they need to know about security. This assistance could take the form of guidance offered via online forums or Websites, where real expertise is hard to find. Or perhaps some of these savvy security pros ought to test out these third-party services -- the Finallyfast.coms of the world -- and find out whether they really do what they say they do. It seems to me that such an honest evaluation would be at least as valuable to the public as finding another fleeting flaw in Microsoft Office, if not more so.

What do you say, security researchers? How about checking for vulnerabilities in security services, as well as application code? For the folks who can't afford to do it themselves, a little help from the best in the class might be just what the doctor ordered.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
