
For SMBs, Being Security-Savvy Doesn't Always Mean Doing It Yourself

When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro.

But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, where even one full-time security professional is more than many can afford. Such businesses are just as concerned about security as their larger counterparts, but when their people try to ask questions or get the tools they need to build strong defenses, they are treated as "neophytes" or handed tools they simply do not have the time or skills to learn to use properly. And because they have neither tools that work at their skill level nor the support of the elite security community, they are sometimes left with no easy way to reach the best defenses and tools available.

Without a viable in-house option, many SMBs begin to seek out third-party security services that can help them do business securely. They begin to pay attention to late-night TV ads for Finallyfast.com or Internet ads that promise "spyware removal services" at impossibly low prices. And the next thing they know, small business IT administrators have made their environments even less secure than they were before.

And the situation is getting worse. As the economy shrinks, SMBs have even less time and fewer resources to devote to security. But in difficult economic times, cybercriminals step up their efforts to hack and fool small businesses, and the number of fraudulent "security services" and solutions continues to grow. Despite advances in security technology, one could easily argue that SMBs have never been as vulnerable to attack as they are right now.

What's needed is some guidance on how to choose third-party security services, especially when you have little or no security expertise in-house. SMB employees with IT responsibilities need to understand the vast differences between services from companies such as Microsoft or AT&T, and the technologies that are offered by startups and independent service providers that may -- or may not -- offer viable options. Next week, Dark Reading will publish a short guide about how to choose a service provider -- a report that will at least provide a few tips on the selection process.

But more help is needed. In the long run, SMBs need some means of vetting potential security service providers, either through standards organizations or a sanity-checking organization that plays a role similar to Consumer Reports. It isn't fair that the companies least able to evaluate security services -- those with the fewest security skills -- are the ones most likely to rely on third-party service providers for the very integrity of their data. It's simply too easy today for a small business to be sold down the river by a security service provider that promises the moon.

Until some method of certifying security services exists, however, I call on the most talented and savvy security professionals -- the readers of Dark Reading -- to play a more active role in helping small businesses to learn what they need to know about security. This assistance could take the form of guidance offered via online forums or Websites, where real expertise is hard to find. Or perhaps some of these savvy security pros ought to test out these third-party services -- the Finallyfast.coms of the world -- and find out whether they really do what they say they do. It seems to me that such an honest evaluation would be at least as valuable to the public as finding another fleeting flaw in Microsoft Office, if not more so.

What do you say, security researchers? How about checking for vulnerabilities in security services, as well as application code? For the folks who can't afford to do it themselves, a little help from the best in the class might be just what the doctor ordered.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.