SMB Security: Fight The Right Fight

Too many small and midsize businesses are gearing up for the wrong fight when it comes to information security.

Used to be, SMBs could borrow the strategies of large-scale enterprise users--once new techniques and products were tested by big companies, SMBs could slowly adopt the ones that provided value as the price dropped and the best practices were established. SMBs struggled because they lacked resources, expertise, and time compared with bigger companies. But big and small companies faced more or less the same problems.

No more.

Preventing fraud, more likely from tech-enabled social engineering than sophisticated hacking, must be front-and-center for SMBs. That's a different mission than for larger businesses' security teams, which since they have more layers of technology and control must focus much more on elements such as protecting intellectual property. It's all about what the attackers are targeting. The biggest threats today come from advanced persistent threats, referring to professional attackers who aren't looking for attention-grabbing site defacements or data destruction. No, they're aiming at a business for a specific purpose, such as stealing trade secrets. With small businesses, the latest scams and malware most likely are determined to take cash from your organization, yet SMB IT professionals don't really see it that way.

Firms with fewer than 1,000 employees typically don't have a dedicated security team, unless they're highly regulated. Security functions get delegated to a jack-of-all-trades who has to "deal with" security. Too often, it's ignored by executive managers, who don't expect any real pain from weak security. This leads to an overemphasis on check-box security, like making sure operating systems are patched, and not enough on assessing risks and training end users against them.

Just having firewalls won't solve threats such as fraud and identity theft. VPN and data encryption don't necessarily either. Yet these are the top three techniques deemed most effective by our survey. SMB thinking needs to change. Learning how attackers are customizing their attacks for your type of organization and how to communicate those security issues to an ignorant and often uninterested management are the new must-have bullet point skills on your resume.

The Fraud Risk

Fraud and identity theft aren't even in the top five most-cited concerns by SMB IT professionals. "Minor financial losses" is No. 3, but we find the worry here is generally more about cost and time to remediate. Yet crooks are ripping off small businesses for real cash. On May 27, the FBI announced the indictment of an Ohio man and two men outside the country in an online scam that netted them more than $100 million through selling fake antivirus software. These are increasingly sophisticated operations--they employed a call center to field calls, even providing refunds if they thought victims would notify their card companies.

In another example, reported first on the security blog KrebsOnSecurity, an employee of an Ohio company, who unwittingly put fake antivirus software on a PC, logged onto the company's banking Web site, using a password and key fob, and was told the site was down for maintenance. Suspicious, the employee called the bank, which found $200,000 had been wired out of the account. These criminals don't fool around.

The fake antivirus scam is a great example of the type of threats, combining social engineering and malware, that target the SMB. This isn't the kind we see hit larger businesses--enterprise users assume someone's keeping their antivirus software up to date. And even if they want to download something, they probably don't have administrator rights or the authority to buy it. The SMB is targeted in much the same way as consumers, though with potentially much more money at stake.

What are SMB administrators worried about, if not fraud and identity theft? It's the availability of applications and the network. That isn't surprising--losing Web access or a key app such as e-mail or CRM will get top execs' attention. But SMBs' IT teams need to consider outages in the broader context of security risks, which may help get business leadership involved. Which brings us to the age old problem--budget.

Risk Assessments, Not Just Security Spending

Small businesses are supposed to be the first to hire and spend out of a recession, right? The SMB IT teams we talk to haven't seen that, and if anything, still are being asked to do more with less money, fewer people, and less time. In our survey, 34% are spending 1% to 5% of their IT budgets on security. That's a tiny slice when we're talking about IT budgets in the low hundreds of thousands of dollars.

Lack of security budget is a major reason for SMBs failing to pick the right security strategy for their risks. The budget, in terms of dollars, is so small that IT teams don't even attempt to properly assess their risks; they pick what they perceive as the one or two biggest problems, and they're happy to even be able to purchase any security-related product to address them.

Only 25% of organizations rank vulnerability assessments as an effective security practice. Almost half say firewalls are very effective, yet they're best at reducing a risk that's become less of a problem--protecting the end point in Internet connections. That's because most SMBs use NAT (network address translation), which many would argue provides control as strong as firewalls for many of their DMZ servers and end users.

Assessing risk is well down the list of most-cited IT security challenges, at No. 4, for SMB IT pros. Managing the complexity of security is No. 1--and it's been atop InformationWeek's annual survey for the past four years. However, if more SMBs took time to properly assess their risks, they would find managing complexity of security easier and more obtainable. Assessing risk properly gives IT teams a plan of attack that determines what and why they're purchasing specific security systems and taking various actions. Adding data loss prevention software, for example, may increase complexity without sufficient security return if you're unsure the priority of the risk it's addressing. You're less likely to respond like a deer in the headlights if you know you're crossing a busy road.

With the right risk assessment, SMB IT pros will stop doing some things on which they spend a lot of time. One likely candidate: scrambling to fix every operating system vulnerability. OS vulnerabilities have been on a sharp decline for years, yet SMBs still seem fixated on patch management. OS vulnerabilities, viruses, and worms are of utmost concern, our research finds. But security means more than vulnerabilities--it includes backup, it includes compliance. SMB IT directors must secure all areas of the confidentiality, integrity, and availability model.

Using the CIA model puts the focus on data--who has access and why, and how various data is classified. Most SMB security programs focus instead on specific issues (password management, antivirus, e-mail) and on policies for specific items. Remember the big peer-to-peer panic of a couple years ago? The worry was that P2P file sharing would destroy SMBs because there was no way to protect against it without spending a fortune; every SMB we talked with at the time would ask about it. The focus must be on data and what's important to protect in your company, not the latest hot-button issue. A small manufacturer might not need to worry about encryption for PCs, but even a small healthcare provider should encrypt patient information on laptops.

The P2P scare relates to a problem that has a particularly vicious effect on SMBs. Employees feel more secure at work than on home PCs, and that leads to risky behavior on your dime. Solving risky behavior ranks among the biggest IT security challenges for 27% of SMBs (see chart, p. 6). SMBs face a few problems with security awareness that are different than large organizations. One, SMBs need to fine-tune their security training to their greatest risks, not duplicate what is used in larger organizations. It may sound simplistic, but they need to train and remind staff about safe surfing, for example. Second, SMBs are less likely to have that one security expert that people turn to as the authoritative voice for the security information employees need to hear. It's one reason SMB executives look to outsourcing, including cloud-based security services.

Is Cloud The SMB Answer?

The appeal of online security services in the cloud is the low cost and the fact that companies can get by without specialized IT security skills. Yet managed security service providers (MSSP) are still a tough sell to executives, who tend to see them as too expensive. MSSP use is down this year, finds the research company Ovum, with only 7% of enterprise CIOs looking to outsource IT security in the next two years. SMBs aren't likely to fully outsource a security system; more likely, they'll get more of their security baked into products they get from the cloud, such as software as a service e-mail. If SaaS vendors do security right--and not all do--the cloud looks like a huge win for SMBs because you won't have to secure what you don't have.

One promising area is meeting compliance requirements. When it comes to compliance and regulations, more than 60% of SMB respondents say state laws are the major concerns. Outsourcing could ease some of that concern. It also will make sense in terms of broad compliance requirements of HIPAA, Sarbanes-Oxley, and PCI, where many of the same security systems are required, with some light customization for specific data types. They all require logging, proper authorization, authentication, and risk assessments, and hundreds of other firms have already gone through these same requirements many times.

Unlike large enterprises, which have many custom-built and internally developed applications within their IT infrastructure that they could never outsource, SMBs can adapt themselves to the processes of cheaper outsourced services. That's why they flock to cloud vendors such as Salesforce.com and NetSuite. Cloud vendors will realize the dramatic cost savings they can provide to SMBs by integrating security and compliance. Once they do, it will change every future SMB security decision.

SMBs have a hard time when it comes to in-house IT security, and that will continue to be the case. Having to sell execs who won't listen or don't care about security problems is hard enough; add on the fact that employees are being targeted with attacks, and already small security budgets are spent without sufficient focus, and an attacker has a cesspool of opportunity to cash in on. Cloud and other outsourcing opportunities don't solve these threats yet, so SMBs, for now, are stuck having to fight the good fight.

Start by picking the right weapons: For SMBs, that means the proper risk assessments. It means focusing on security awareness to avoid social engineering attacks. It means considering what data's most precious to a small business. All that will help assure the small amount of time and budget you do have for security is focused on the highest return with the most executive buy-in. Don't pretend you're as strong and rich as your larger enterprise brethren. You're not. You're smaller--and lighter and quicker and more adaptable. But that only helps if you know what you're dodging and adapting to avoid it.

Michael A. Davis is CEO of Savid Technologies, a Chicago-based security consultancy. Write to us at [email protected].