
For SMBs, Being Security-Savvy Doesn't Always Mean Doing It Yourself

When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro.

But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are just as concerned about security as their larger counterparts, but when their people attempt to ask questions or get the tools they need to build strong defenses, they are treated as "neophytes" or given tools they simply do not have the time or skills to learn to use properly. And because they don't have tools that work at their skill levels or have the support of the elite security community, they are sometimes left with no easy way to access the best defenses and tools available.

Without a viable in-house option, many SMBs begin to seek out third-party security services that can help them do business securely. They begin to pay attention to late-night TV ads for Finallyfast.com or Internet ads that promise "spyware removal services" at impossibly low prices. And the next thing they know, small business IT administrators have made their environments even less secure than they were before.

And the situation is getting worse. As the economy shrinks, SMBs have even less time and fewer resources to devote to security. But in difficult economic times, cybercriminals step up their efforts to hack and fool small businesses, and the number of fraudulent "security services" and solutions continues to increase. Despite advances in security technology, one could easily argue that SMBs have never been as vulnerable to attack as they are right now.

What's needed is some guidance on how to choose third-party security services, especially when you have little or no security expertise in-house. SMB employees with IT responsibilities need to understand the vast differences between services from companies such as Microsoft or AT&T, and the technologies that are offered by startups and independent service providers that may -- or may not -- offer viable options. Next week, Dark Reading will publish a short guide about how to choose a service provider -- a report that will at least provide a few tips on the selection process.

But more help is needed. In the long run, SMBs need some means of vetting potential security service providers, either through standards organizations or a sanity-checking organization that plays a role similar to Consumer Reports. It isn't fair that the companies least able to evaluate security services -- those with the fewest security skills -- are the ones most likely to rely on third-party service providers for the very integrity of their data. It's simply too easy today for a small business to be sold down the river by a security service provider that promises the moon.

Until some method of certifying security services exists, however, I call on the most talented and savvy security professionals -- the readers of Dark Reading -- to play a more active role in helping small businesses to learn what they need to know about security. This assistance could take the form of guidance offered via online forums or Websites, where real expertise is hard to find. Or perhaps some of these savvy security pros ought to test out these third-party services -- the Finallyfast.coms of the world -- and find out whether they really do what they say they do. It seems to me that such an honest evaluation would be at least as valuable to the public as finding another fleeting flaw in Microsoft Office, if not more so.

What do you say, security researchers? How about checking for vulnerabilities in security services, as well as application code? For the folks who can't afford to do it themselves, a little help from the best in the class might be just what the doctor ordered.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
