Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

For SMBs, Being Security-Savvy Doesn't Always Mean Doing It Yourself

When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro. But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are ju

When it comes to security, most security professionals -- indeed, most Dark Reading readers -- are do-it-yourselfers. They do their own research, find their own bugs, and remediate their own systems. It's almost a rite of passage -- if you have to ask for help, you can't be a real security pro.

But I wonder, sometimes, if this attitude doesn't hurt small and midsize businesses, in which having even one full-time security professional is more than many can afford. Such businesses are just as concerned about security as their larger counterparts, but when their people attempt to ask questions or get the tools they need to build strong defenses, they are treated as "neophytes" or given tools they simply do not have the time or skills to learn to use properly. And because they don't have tools that work at their skill levels or have the support of the elite security community, they are sometimes left with no easy way to access the best defenses and tools available.Without a viable in-house option, many SMBs begin to seek out third-party security services that can help them do business securely. They begin to pay attention to late-night TV ads for Finallyfast.com or Internet ads that promise "spyware removal services" at impossibly low prices. And the next thing they know, small business IT administrators have made their environments even less secure than they were before.

And the situation is getting worse. As the economy shrinks, SMBs have even less time and resources to devote to security. But in difficult economic times, cybercriminals step up their efforts to hack and fool small businesses, and the number of fraudulent "security services" and solutions continues to increase. Despite advances in security technology, one could easily argue that SMBs have never been so vulnerable to attack than as they are right now.

What's needed is some guidance on how to choose third-party security services, especially when you have little or no security expertise in-house. SMB employees with IT responsibilities need to understand the vast differences between services from companies such as Microsoft or AT&T, and the technologies that are offered by startups and independent service providers that may -- or may not -- offer viable options. Next week, Dark Reading will publish a short guide about how to choose a service provider -- a report that will at least provide a few tips on the selection process.

But more help is needed. In the long run, SMBs need some means of vetting potential security service providers, either through standards organizations or a sanity-checking organization that plays a role similar to Consumer Reports. It isn't fair that the companies least able to evaluate security services -- those with the fewest security skills -- are the ones most likely to rely on third-party service providers for the very integrity of their data. It's simply too easy today for a small business to be sold down the river by a security service provider that promises the moon.

Until some method of certifying security services exists, however, I call on the most talented and savvy security professionals -- the readers of Dark Reading -- to play a more active role in helping small businesses to learn what they need to know about security. This assistance could take the form of guidance offered via online forums or Websites, where real expertise is hard to find. Or perhaps some of these savvy security pros ought to test out these third-party services -- the Finallyfast.coms of the world -- and find out whether they really do what they say they do. It seems to me that such an honest evaluation would be at least as valuable to the public as finding another fleeting flaw in Microsoft Office, if not more so.

What do you say, security researchers? How about checking for vulnerabilities in security services, as well as application code? For the folks who can't afford to do it themselves, a little help from the best in the class might be just what the doctor ordered.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3595
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or in...
CVE-2021-3592
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 byt...
CVE-2021-3593
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or in...
CVE-2021-3594
PUBLISHED: 2021-06-15
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or ind...
CVE-2021-33622
PUBLISHED: 2021-06-15
Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, has an Incorrect Check of a Function's Return Value.