Data security for SMBs
Hardly a day goes by without businesses facing some sort of
security threat. It’s a big enough issue for larger companies,
given their greater knowledge and resources. But it’s far worse for
small- to medium-sized businesses (SMBs), who in many cases are not
aware of the risks, usually because they’re just so busy with
day-to-day operations.
Recent research from Computer Weekly revealed some alarming
trends regarding the security posture of SMBs in the UK: only
18% reported never having been hacked or attacked.
The ramifications for any company whose defences are breached
electronically are bad. It’s not only the potential delay in
business, but also loss of reputation that can take a company
under. Put simply, a successful attack could stop your company from
operating.
With the help of Jonathan Steel, chief executive of the Bathwick
Group, a specialist security and IT consultancy, and Nick Coleman,
head of security services at IBM, the recent ComputerWeekly.com
webinar – Data security for SMBs – outlined what technological
solutions and services are available to address threats and
vulnerabilities, and what is needed to build a security awareness
culture within SMBs.
The analyst’s view
In his presentation, Steel outlined the problems for SMBs,
giving a sense of the threats they face, and what they can do about
it.
While 82% of companies in the UK have been attacked, it’s even
worse in the US, where two years ago the FBI found 90% of
companies had faced a threat. And, he warned, the threat is
growing and affects all companies. It’s not just script kiddies
looking to make a name for themselves; organised crime is now
heavily involved too.
Dealing with security, he suggested, is like buying insurance.
You get it, hoping you won’t need to use it. But it’s still an
expense, which makes it a tough sell for business managers
internally.
The threat facing SMBs is actually growing because, as larger
companies become more security savvy, attackers are now aiming
further down the food chain, at those organisations that may be
less well protected – SMBs.
Most people tend to think of security risks as coming from the
outside. But more than half the threats reported are generated
internally, where someone’s already on the inside of the barriers
and fences put up by companies. In an example from India last year,
someone at a bank simply loaded 20,000 cardholder details onto a
CD, and then sold the CD.
Another internal worry is the issue of hardware loss – many
laptops are left in taxis, or are stolen to order. Too many
companies also fail to have a back-up routine for their data, and if
they do have a routine, they fail to test the restore
regularly.
Distributed denial of service (DDoS) attacks are the threat that
most organisations are aware of, and these are up 50% year on year.
The other main threat comes from malware, which comprises viruses,
Trojans, worms, keyloggers and spyware. These pieces of software
are all designed to enable an outsider to spy on or gain access to
company systems.
Steel went on to discuss pharming and phishing. In pharming, a
hacker accesses directory services at an internet service provider
or a company, so that when you try to go to a particular website,
you’re actually sent to a different, spoofed one, which is going to
collect your details.
Phishing is where you may receive an email from someone
promising you money, if only you’d give them your bank details and
a deposit! A variation, called spear-phishing, is where you may
receive an email from an individual or department within your
company who you’d probably trust, such as Human Resources. One in
300 emails sent worldwide in 2005 was a phishing email.
Another ongoing threat, botnets, involves taking over control of
your PC to launch a range of attacks, possibly through spyware or
phishing. An alternative lower-tech version, calling up, involves
someone you trust apparently calling you on the phone, and you
handing over all your details.
When it comes to protection, there are four main areas you need
to guard – servers, networks, individual machines, and users
themselves. You also need to protect against individual users who
themselves may be targeting systems.
There are four main ways to thwart trouble, and they are the
four Ps: protection of software, physical protection, policies and
patches.
Protection of software involves the by-now familiar use of
anti-virus software and firewalls. Proxy servers can also provide a
demilitarised zone where a server outside your firewall handles all
control in and out of the company.
Physical protection involves how you can protect against people
breaking into the office and stealing computers or servers. All the
software in the world won’t be any use if the server gets stolen.
Biometrics can provide an additional security layer, where a laptop
will only be usable with the right thumbprint or fingerprint.
Policies are particularly important, and this is often where
security falls down. Many companies either fail to have any
policies for data security or fail to keep those policies up to
date. For example, it’s important to have policies about how you
handle back-ups, employee usage and access, while you also need
policies for passwords.
If you let people choose their own passwords, then the average
competent hacker will be able to guess them, or run an automatic
program that will crack them, in seconds. It makes much more sense
to use a combination of numbers and letters. Two-thirds of users
will never change their passwords unless forced to while,
incredibly, some departments will even put a password for the
day/week/month on a whiteboard.
The fourth P – patches – is increasingly important, because
there is no point having the right software if you don’t have the
appropriate security patches in place to keep that software up to
date, so that any holes or vulnerabilities have been filled.
Security is a continuously moving target, and even if it may be
a challenge, you have to be able to sell it internally, and keep
policies up to date.
The technologist’s view
Coleman believes SMBs need to take action to defend themselves
against increasingly sophisticated threats. Last year the number of
virus attacks went down, but they were more targeted.
While threats have become more sophisticated, our dependence on
IT has grown, and everyone’s expectations have grown too. What
would happen if you couldn’t get your database up or your school
records, or you couldn’t mail any of your customers or talk to
them?
There is also a whole series of myths that SMBs have,
including:
* “I’ve got a firewall so my network is secure.” No, a firewall
alone is not enough.
* “All the bad guys are out there.” No, some of them may be inside
too.
* “I’ll solve my security problem with better technology.”
Technology alone isn’t enough - you need policies too.
* “I can’t afford to have someone chasing down all the latest
security patches.” But without patches, your data isn’t
secure.
* “There’s nothing of any real value on that system.” But what
happens if you need access to your database or customer contacts,
but you can’t access the data?
Coleman said a number of SMBs were taking corrective action,
getting an external company to test their systems, and make an
assessment of their information assets. Many have already
implemented firewalls, anti-spyware products and anti-virus
definitions, or even employed an outside specialist to keep their
patches up to date. The savvier companies are also ensuring that
they monitor their security both internally and externally.
Coleman highlighted the future likelihood of more SMBs buying in
services to help keep them secure - assessing their current
security posture, planning and building a security architecture,
and managing their security, acting as a first line of defence to
scan email and eliminate threats before they reach the network.
Question and answer session
What is the biggest threat to SMBs' business?
Nick Coleman, head of security services at IBM: It depends on
your infrastructure, but both viruses and denial of service attacks
are equal threats, causing an outage in your business or damaging
your information or assets.
The number one threat to your business is your employees. They
are much more likely to give information away to people who want to
access your systems, such as passwords, especially for a financial
inducement. The way you counter that is through training and
effective policies.
How much business budget should you spend on IT security?
Jonathan Steel, chief executive of the Bathwick Group: How long
is a piece of string? The percentage of your IT budget spent on
security can be from 3% to 4% to 16% or 18%. It’s probably higher
in SMBs, because IT budgets are smaller, and so security percentage
is greater.
Pricing the business case for security is difficult. You have to
ask yourself the value of the business you’re trying to protect,
and put in mechanisms from a risk assessment point of view.
Companies need to know the value of their assets. You’re not
just putting security in – you’re doing it to protect the
business.
Are auditing tools and products too expensive?
Coleman: You can build up quite a store of knowledge via the web
for nothing. There are also frameworks such as BS7799, which are
applicable for SMBs.
The CBI has put out an SMB guide, which is very useful. Contact
www.cbi.org.uk
What’s your advice on password policies?
Steel: Your strategy for passwords is that you should not have
recognisable words, but use combinations of numbers and letters.
Changing them regularly is a good plan, but you need to get the
balance right. Changing once a month is a good idea.
Coleman: People have too many passwords now. The current level
is around 21 per person, including personal numbers following the
introduction of Chip and Pin, so some use of single sign-on would
be an idea. Passwords need to be managed intelligently, so don’t
use your company name. Or David Beckham’s, which is also a popular
one.
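The password policy described in the analyst's view and in the two answers above (no recognisable words, a mix of letters and numbers, not the company name, rotated roughly monthly) can be turned into an automated check. The following is an added example, not code from the webinar or from either speaker; the banned-word list, the 8-character minimum and the 31-day rotation limit are assumptions chosen to illustrate the policy.

```python
"""Password-policy checker for the rules discussed on this page.

Assumptions (not from the original article): minimum length 8,
maximum age 31 days, and a small constructed list of 'recognisable
words'. A real deployment would load a full dictionary/breach list.
"""
from datetime import date

# Constructed sample of recognisable words a policy might forbid.
BANNED_WORDS = {"password", "welcome", "letmein", "football",
                "beckham", "summer", "qwerty"}
MIN_LENGTH = 8       # assumed
MAX_AGE_DAYS = 31    # "changing once a month"


def policy_violations(password, company_name, last_changed, today):
    """Return the list of policy rules a password breaks (empty list = OK).

    last_changed and today are ISO date strings, e.g. "2024-01-15".
    """
    reasons = []
    pw = password.lower()

    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # "Use a combination of numbers and letters"
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)):
        reasons.append("must combine letters and digits")

    # "Should not have recognisable words": strip digits/punctuation so
    # that 'beckham7!' is still recognised as the word 'beckham'.
    core = "".join(c for c in pw if c.isalpha())
    if core in BANNED_WORDS:
        reasons.append("based on a recognisable word")

    # "Don't use your company name": any company-name word of 4+ letters
    for word in company_name.lower().split():
        if len(word) >= 4 and word in pw:
            reasons.append("contains the company name")
            break

    # Rotation: flag passwords older than the monthly limit
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        reasons.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")

    return reasons
```

Run the function over an exported list of account metadata (never the plaintext of live passwords; use it at password-set time) to report which rule each rejected candidate breaks.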
What about security awareness and culture?
Coleman: Security awareness matters, even in a company of one,
never mind one of 50 people.
You are at risk, so apply common sense. Do your risk assessment
and then decide what security you need. You don’t need to spend
your entire IT budget on security, but you have to help everyone in
the organisation to use his or her common sense.
If you are a small company, you should worry about the
implications of data loss. Do you have information worth
protecting? What happens if your customer database isn’t
available?
What’s the best way to update security patches?
Coleman: Do it the instant they are available, and have your
systems automatically set up to update everything - new patches,
new anti-virus definitions, which you may get once each day. You
need to do this immediately because once a security issue has been
identified, it is usually published as a vulnerability, and will be
exploited until that patch is available. Using service providers
can make the whole task easier.