

Spyware, worms and remote networks have made IT
security a much more complicated problem for small businesses,
explains Helen Beckett
Security is still prominent on the radar for the smaller
business and many people who run small firms are realising that the
growing complexity of keeping data safe needs expert attention. It
is no longer a question of just keeping virus patches up to date
and installing a firewall. The security-conscious now have to deal
with remote networks and address new threats such as spyware.
Consequently, many small and medium-sized businesses, both those
with dedicated IT resources and those without, are looking outside
the organisation for help.
Security was cited as the top IT initiative for 2006 by the IT
managers and business proprietors who attended the Gartner Group's
2005 Midsize Enterprise Summit.
Spending on security by these US mid-market companies ranged
from 5% to 10% of the overall IT budget. And according to Jim
Browning, vice-president and research director at Gartner, the UK
experience pretty much mimics the North American trend.
"Most small and medium businesses do a really good job of
anti-virus on the desktop and put budget aside for firewalls," he
said. "But they don't have the budget for a total security solution
like their enterprise counterparts, and struggle to prioritise
everything in between."
In particular, they struggle with spyware and intrusion
prevention, said Browning. "We see about 10%-15% using managed
security services, and frankly more SMBs should use them to keep
the bad guys out."
Before 2001, the primary effect of viruses and malware was
downtime for the infected device and the inconvenience of an
overcrowded inbox. But worms, a more recent manifestation of
malware, spread so quickly that they act as denial-of-service
attacks against the entire network, inflicting more damage overall
than viruses ever did.
Also, the outbreak of spyware in the past year or so has caused
a host of fresh problems for SMBs that few have addressed
properly.
While even the smallest business is pretty clued up about the
dangers of viruses, many remain naive about spyware, said Paul
Bodgers, technical operations manager of PC World Business. "We see
more people about spyware than anti-virus now," he said, adding
that they usually come for a cure because they have already
been affected, rather than for preventive purposes.
Software is most often planted on a device after a user has
clicked on a pop-up or visited a suspect site. And a user may
remain oblivious for some time.
A lot of spyware simply redirects users to a website, but a more
nefarious type copies keystrokes and can thus spy on user activity
and steal passwords and data. Telltale signs include a homepage
redirecting to a phoney site or a machine that runs slowly or
crashes.
"Often the code is poorly written by a guy in the back bedroom,"
said Bodgers. "This sort of software may hog the processor and make
a machine crash." Another problem is that the IT-illiterate often
assume viruses and spyware are the same thing and so take no action
to counteract the latter.
In this respect, they have been done no favours by the
anti-virus suppliers, who have been slow to respond to the spyware
threat, said Browning. "Suppliers are only just starting to
integrate anti-spyware with their anti-virus service, and so
businesses have had to go to another point provider [or not at
all]. SMBs are pretty upset with these suppliers."
Gartner believes the increasing success of intrusion detection
and prevention will be a catalyst for third-party providers to
offer a managed security service that covers everything. Intrusion
prevention entails monitoring network traffic for deviant packets
and interpreting data, and so calls for specialist knowledge and
equipment. "They can't do it themselves," said Browning.
Cisco's senior security adviser for UK and Ireland, Paul King,
agrees. "If you see a bad packet and decide to drop it, you have to
be 100% sure."
But he said that intrusion prevention on individual devices can
be achieved more easily by having an intelligent agent sit on a PC
and monitor its behaviour in particular contexts. For example, you
would expect anti-virus software to scan every file on the disk,
but you would not expect this from another application.
"At Cisco we promote the idea of the self-defending network and
device, because no one can predict where an attack will come from,"
said King. The beauty of the PC intrusion protection software is
that it can even be configured to prevent data being stolen on a
USB port. "The user will get a pop-up screen asking whether they
want to do the copy, and a tick will be registered for audit
purposes."
This growing sophistication of security technology may be a good
thing in the long run, because while security remains in the realm
of do-it-yourself, SMBs may just be making themselves more
vulnerable.
In any field, a little knowledge is deemed to be a dangerous
thing, but this is particularly true of security, where the risks
are greater. "Even with something basic like anti-virus software,
enthusiasts may install it, click next, and think 'that's it',"
said Bodgers.
The problem recurs throughout the security domain, as more
complex devices call for a specialist knowledge that goes beyond
the range of a competent IT manager.
Mark Gerhard, chief executive of IT security consultancy the
Ministry of Data, said small businesses should keep things as
simple as possible.
A "Rolls-Royce" firewall for the larger enterprise with a wide
range of features may not be the best choice for the SMB, unless it
has a lot of technical knowledge, he warned, instead recommending
lower-end firewalls that come with a wizard designed to guide
novices and intermediates through the installation process.
IT managers also frequently fall foul of the wireless technology
that has been enthusiastically embraced by SMBs because of the low
cost of entry. Unfortunately, said Gerhard, the inherent security
issues are frequently overlooked by companies both large and
small.
In Gerhard's experience, companies often spend time and money
configuring their firewalls correctly and then install unsecured
wireless networks or devices that put a hole in network
security.
"It's the equivalent of spending a fortune on the perimeter
fence and then digging a tunnel under it," he said.
The two main pitfalls of wireless are confusion about encryption
strengths of different cipher standards, and lack of passwords,
said Gerhard.
"Normally encryption scales to 'the power of', but with the
Wired Equivalent Privacy (WEP) standard for wireless security,
strength increases linearly." IT managers can easily be confused on
this score and believe their encryption is much stronger than it
actually is.
Second, said Gerhard, passwords are either negligible or
non-existent on wireless networks, which are not segmented to
reduce risk. IT needs to think about wireless networks in the same
way it does about physical local area networks.
A customer-facing server, for example, would normally be put in a
"demilitarised" or buffer zone, so that in the event that it is
compromised, back-office systems would remain protected.
The problem is exacerbated by the project-led approach to
security. "A typical situation is to put wireless in by Monday
because the chairman said so," said Gerhard. And the
project-orientated nature of security remains a serious flaw.
According to Browning, "In one organisation it's a server thing, or
if e-mail has to be secured, then the e-mail guy does it."
It is quite natural that the rapid evolution of security threats
means attention is focused on dealing with these technology
"cures". However, as the Department of Trade and Industry
emphasises, breaches of security are more likely to occur from
within than without. According to the DTI's Information Security
Breaches Survey 2004, nearly 25% of all companies surveyed reported
that their staff had misused systems - twice as many as in
2002.
And most of these breaches are likely to be perpetrated through
social engineering because it is easy to phone a helpdesk and ask
for a "lost" or new password. "Small companies are immediately more
susceptible because there is less likely to be a process than in
larger companies, where the sheer number of people makes it harder
to keep tabs on individuals," said Gerhard.
For this reason, it is crucial to have a security policy in
place determining access to systems and behaviour around computer
devices and networks. A sound policy sets boundaries, is a
deterrent to calculated abuse and discourages sloppy practice that
could inadvertently open up the network to malware.
Whether a company chooses to provision its security in-house on
a DIY basis or outsource to a service provider, formulating a
policy on safe ways to use computers and networks is a must.
"Smaller companies have temporary contractors and casual labour
too," warned Nick Coleman, head of security services for IBM.
"People shouldn't regard it as a small issue just because it's on a
smaller scale."
For those that don't have a larger partner or customer to nudge
them, "If you don't write things down and choose not to do anything
- that is policy in itself," said Coleman.
Case study: City West gets down to the details
Social housing provider City West Homes decided to call in
outside specialists when it created a comprehensive security
policy.
"It kept getting pushed to the back of the pile and it seemed
that the only way to get it off the ground was to bring in
consultants," said Nick Tutt, head of IT at City West Homes.
IT had a number of technical rules as well as guidelines for
users in place.
However, undertaking security training for the IT staff, and in
particular preparing for Information Systems Examination Board
qualifications, run by the British Computer Society, raised
awareness about the need to get a sound policy document in
place.
"Just for the purposes of corporate governance, board members
and auditors wanted to be assured that there was an information
security policy," said Tutt.
"We're at the point where we have detailed user policies drafted
and we're just going through a consultation with contractors and
third parties." HR has also recently become involved, although
according to Tutt, it would have ideally been consulted at the
outset.
Having a handbook that can be circulated among staff and which
complements the contract of employment is a big bonus in battening
down internal security, said Tutt.
"In any cases where we need to take disciplinary action, it
makes it possible for HR to dismiss someone for breach of policy,"
he added.