
Friday, February 11, 2011

Big Security For Small Business - Cybercriminals Attack Businesses Of All Sizes

When headlines announcing a big company’s massive data breach spill across media outlets, you can almost hear the collective sigh of relief from smaller companies who aren’t currently suffering the same fate. Yet while security problems at big companies inevitably garner big coverage, don’t think for a minute that smaller companies aren’t also targeted by cybercriminals.

Although many small businesses are acutely aware of IT threats, it can be tough to keep security in perspective as a business grows. Whereas a full security implementation might have sufficed for a company years ago, continual growth can slowly put a strain on security products meant to handle smaller data loads and traffic. Processing, networking, and other IT areas can also fall prey to the increased requirements of a growing business, but security remains the area that should never fall by the wayside.

Small Business, Big Target
Despite recent reports indicating a brighter business outlook in the next few years, a Trend Micro report indicates that SMBs are 23% less likely than large businesses to have preventive data leak policies within their companies, even while most say they believe an IT security threat could have a significant impact on their business.

“The general perception is that the smaller the organization, the less likely they’ll be targeted for attack. Unfortunately, the vast majority of attacks are highly automated and virtually blind, so essentially, size doesn’t matter,” says Michelle Dickman, CEO of TriGeo Network Security. “In fact, there’s growing evidence that attackers now view small to medium enterprises as ‘easy targets’ given the general lack of sophisticated defenses and dedicated IT and network security resources,” adds Dickman.

A different recent study sponsored by Visa and the NCSA (National Cyber Security Alliance) reveals that small business owners certainly don’t feel they’re easy targets. That survey found that more than 85% of small business owners say they are lesser cybercrime targets than large companies, while 75% admitted their employees received less than three hours of network and mobile device security training in the past year (45% said their employees had no training at all).

“There is a belief that maintaining good security controls may be too costly or cumbersome for smaller organizations,” says Matt Stamper, vice president of professional and security services for Castle Access. “This is a risky belief. Good security practices—vulnerability management, access controls, and proper system configuration—are not out of the reach of smaller companies. It’s more a matter of awareness and the potential liability these organizations face for not exercising due care over sensitive data. The bottom line: Any organization that fails to take appropriate measures to ensure the protection of sensitive data is gambling with the organization’s future.”

Stamper also points to the perception that smaller organizations don’t face the same regulatory scrutiny as large corporations. But just like security threats, regulations also impact small businesses, which are also expected to exercise due care (including specific prescriptive practices) over uniquely identifiable information, he says, adding that states such as Massachusetts and California now have laws that require strict protection of this data.

Building A Defense
When a business grows, the existing hardware infrastructure might fail to keep pace as the data flowing through it also grows in size and scope. Keeping on top of technology is essential for small businesses to ensure that their environment remains secure over the long haul, and this means investigating equipment that can provide better security than what the businesses are currently using.

For example, an intrusion detection system (sometimes referred to simply as an IDS) can prove highly useful for small businesses, says Matt Jonkman, founder of Emerging Threats. He notes that many of these systems require minimal expertise to manage and that some open-source projects provide free, easy-to-install, preconfigured security suites. Although it might be necessary for a small business without a dedicated security staff to hire an outside IT company for IDS deployment, Jonkman says it’s money well spent.

That lack of a dedicated security staff also can be problematic when it comes to handling threats originating from various sources, such as internal desktop computers, internal and external laptops, and even mobile devices. But Dickman says that unified threat management devices can help ease the headaches caused by security management by melding several common network defense technologies in a single appliance. According to Dickman, these products are fairly inexpensive, easy to manage, and reasonably effective at perimeter defense.

Although new hardware and software might help to improve a small company’s security environment, it remains vital to give ample attention to the products already in place—especially software. “Staying current with the products you own is generally more valuable than replacing them,” Dickman says. “The best time to switch security software products is when it’s clear the vendor is no longer investing time and resources in the product that you own. All products have a lifespan, so keep an eye on what the vendor and competing vendors are doing, and that will be your best indicator that it’s time to move.”

Jonkman adds that something is likely wrong when you stop receiving information or feedback from a security device, because there are often infections or incidents that cause this. Watching logs or other feedback on a daily basis can be tough in an understaffed small business, but if you realize there haven’t been any security problems in the last month, chances are good you’re simply not being alerted to them. This is the point when you should check and tune your defenses, he advises.

Policy Is King
While newer security products can help businesses get a better handle on their overall defense, they won’t necessarily improve security. Stamper explains that many companies have excellent security devices, such as firewalls, intrusion detection applications, complex event correlation tools, and others, but not all of them have placed the technologies into a proper context. As a result, they can undermine their big investments in the hardware and software.

A strikingly large number of small businesses don’t have a clear IT security policy in place. This lack of policy can spell doom for businesses looking to protect privacy and assets or stay current with strict regulations. Hugh Thompson, founder and chief security strategist at People Security and program committee chair for the RSA Conference, explains that it’s critical to provide at least some level of security awareness.

“Especially in a small business, security comes down to employees making good, security-aware choices in their daily activities. Security managers are often the conduit through which new threat information flows into the business. They need to keep up with trends in the industry by joining local security groups, visiting security news sites, and attending industry events,” Thompson says.

Experts also tend to point to access control as a major security starting point for small businesses, as many breaches occur because employees—or even non-employees—gained access to data that they shouldn’t access. Dickman says that the fundamental security policy known as “least privilege” is imperative, because it provides network users with only the access to data they need to do their job. However, the process can be difficult, and smaller organizations can be tempted to simply give everyone access to everything. That makes it easy for everyone, including attackers and unscrupulous employees, to roam free on the network and take what they please, she says.

Small businesses can also improve their security by focusing on consistency throughout their environment. Jonkman recommends ensuring that all workstations and laptops have highly similar configurations and run some form of commercial antivirus software. He also suggests implementing a policy of regular tune-ups on all workstations. Small businesses might cringe at the thought of adding significant time and effort to already loaded schedules, but the good news is that help is always around the corner.

“If you don’t have an internal resource, it’s very much worth your investment to have a trusted IT person coming in every couple of months to inspect, tune, and clean systems,” Jonkman says. “A professional is going to be much more attuned to what might be going wrong and detect infections quickly and easily. You should also have a plan for handling an infection or incident. Know an IT company you can call, or have the tools around [cleaning tools, antivirus software, data backups, etc.] to handle it.”

Stamper adds that companies should also target other low-hanging security fruit, such as setting standards for password age and complexity, as well as establishing good segregation of duties for higher-risk accounts and systems. Above all, he says, be sure that the security policy has executive buy-in, because management at all levels should understand that security doesn’t exist solely as an IT function.
