Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/18/2011
06:37 PM
50%
50%

4 Basic Security Steps For SMBs

Time and budget limitations make poor excuses for a lack of security. Here are four key considerations for resource-constrained IT administrators at smaller companies.

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
Security tends to be an area that small and midsize businesses know they need to address but nonetheless leave unattended. There's always something more pressing on the priority list.

The bad guys love those companies.

Sure, there's no such thing as foolproof security. But time and budget limitations shouldn't keep smaller businesses from securing their information. Not taking at least basic steps toward real IT security can lead to a series of technology-borne plagues: your website starts moonlighting as a malware factory, your hosted phone system becomes someone else's call center for a weekend, your finance staffer unwittingly turns over banking credentials to a hacker. Any or all of the above can damage the company's reputation and its bottom line.

So what's the lean-and-mean SMB to do? Rick Carlson, president of Panda Security, notes that there's no one-size-fits-all approach. Panda focuses on smaller customers, and the vendor recently released the latest version of its Panda Cloud Office Protection service. It's in Carlson's job description to be a bit biased on the topic: "The client-server architecture is dead," he said in an interview. But he does offer up four fundamentals for SMB owners and IT pros to keep in mind, regardless of what tools or applications you favor.

Embrace the holistic view. Security is no longer an office-and-desktop paradigm. Once upon a time, an IT administrator could secure the physical office's network and its endpoints and sleep well. Those days are gone--the mobility boom and the related virtual workforce requires a different thought process.

Carlson himself spoke to me from his home office where he works one or two days each week. "The workforce is changing," Carlson said. "It's no longer enough to lock down your specific network because you've got machines coming on and off the network constantly. The challenge now for IT administrators at small businesses is to protect those machines regardless of where they are." Easier said than done--read on for the "how"--but Carlson said it's the underlying philosophy that SMBs need to adopt. Otherwise, no number of tools or policies will get the security job done.

Have a staff security policy and train people on it. Carlson said that a written security policy for employees and corresponding education program for new or current team members is a crucial yet straightforward step that most SMBs overlook. Big mistake: "No matter how good the security is, the human being that is sitting behind the machine can always override that security," Carlson said. "Nobody's immune: the hourly or part-time right on up to the president or CEO."

It's a low- or no-cost process that doesn't have to eat up much time. Carlson advocates working with HR or the business owner to put something in place. The program should include employees signing a document that they understand the policy and are on board. "It's free other than the IT administrator's time, and they'll probably make that up by fighting a few less viruses," Carlson said.

Use automated security tools that actually do what you need them to do. It sounds like a "duh" moment but it bears remembering: When you choose your security weapons, choose wisely. Make sure applications meet your particular business needs; it's likely the case that you'll want a mix of tools.

Carlson noted the increasing importance of content filtering, for example--something Panda doesn't provide--to contend with mutating malware and other Web-based threats. This is where IT pros need to know the nature of their business and act accordingly: Highly mobile or virtual firms might be better suited with a cloud-based approach. Likewise, that same approach might not meet the requirements of a compliance-stricken company. Regardless, Carlson advises time-poor SMBs to look for largely automated tools that don't require much upkeep.

Take a restriction-versus-risk approach. Carlson's a proponent of weighing restriction against risk. "Simply put, the more restrictive you are the less risk you have," he said. Carlson's quick to add that heavy IT regulation won't work for every company, but recommends managing policy on an individual or at least group basis.

If a staffer doesn't need Facebook to do their job? "You may become a hero by restricting access to certain social media sites and time-wasters," Carlson said. The downside is becoming too heavy-handed. "You may create an environment that is too restrictive that stands in the way of people working," Carlson said. Still, the prudent IT manager can make smart choices that strike the right balance.

"You're looking at taking a risk-based approach to security by enabling the better-trained, better-informed employees to have more freedom," Carlson said. "Maybe the lower-level employees that haven't gone through training or don't need those types of accesses--those folks can be subjected to more restrictive roles."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...