Data security for SMBs
Hardly a day goes by without businesses facing some sort of security threat. It’s a big enough issue for larger companies, given their greater knowledge and resources. But it’s far worse for small- to medium-sized businesses (SMBs), who in many cases are not aware of the risks, usually because they’re just so busy with day-to-day operations.
Recent research from Computer Weekly revealed some alarming trends in the security readiness of SMBs in the UK: only 18% reported never having been hacked or attacked.
The ramifications for any company whose defences are breached electronically are bad. It’s not only the potential delay in business, but also loss of reputation that can take a company under. Put simply, a successful attack could stop your company from operating.
With the help of Jonathan Steel, chief executive of the Bathwick Group, a specialist security and IT consultancy; and Nick Coleman, head of security services at IBM; the recent ComputerWeekly.com webinar – Data security for SMBs – outlined what technological solutions and services are available to address threats and vulnerabilities, and what is needed to adopt a security awareness culture within SMBs.
The analyst’s view
In his presentation, Steel outlined the problems for SMBs, giving a sense of the threats they face, and what they can do about it.
While 82% of companies in the UK have been attacked, it’s even worse in the US, where two years ago the FBI found that 90% of companies had faced a threat. And, he warned, the threat is growing and affects all companies. It’s not just script kiddies looking to make a name for themselves; organised crime is now heavily involved.
Dealing with security, he suggested, is like buying insurance. You get it, hoping you won’t need to use it. But it’s still an expense, which makes it a tough sell for business managers internally.
The threat facing SMBs is actually growing because, as larger companies become more security savvy, attackers are directing their efforts further down the food chain, at those organisations that may be less well protected – SMBs.
Most people tend to think of security risks as coming from the outside. But more than half the threats reported are generated internally, where someone’s already on the inside of the barriers and fences put up by companies. In an example from India last year, someone at a bank simply loaded 20,000 cardholder details onto a CD, and then sold the CD.
Another internal worry is hardware loss: many laptops are left in taxis, or are stolen to order. Too many companies also fail to have a back-up routine for their data, and those that do have a routine fail to test restoring from it regularly.
Distributed denial of service (DDoS) attacks are the threat that most organisations are aware of, and these are up 50% year on year. The other main threat comes from malware, which comprises viruses, Trojans, worms, keyloggers and spyware. These pieces of software are all designed to enable an outsider to spy on or gain access to company systems.
Steel went on to discuss pharming and phishing. In pharming, a hacker accesses directory services at an internet service provider or a company, so that when you try to go to a particular website, you’re actually sent to a different, spoofed one, which is going to collect your details.
Phishing is where you may receive an email from someone promising you money, if only you’d give them your bank details and a deposit! A variation, called spear-phishing, is where you may receive an email from an individual or department within your company who you’d probably trust, such as Human Resources. One in 300 emails sent worldwide in 2005 was a phishing email.
Another ongoing threat, botnets, involves taking over control of your PC to launch a range of attacks, possibly via spyware or phishing. An alternative, lower-tech version is the phone call: someone you apparently trust calls you, and you hand over all your details.
When it comes to protection, there are four main areas you need to guard – servers, networks, individual machines, and users themselves. You also need to protect against individual users who themselves may be targeting systems.
There are four main ways to thwart trouble, and they are the four Ps: protection of software, physical protection, policies and patches.
Protection of software involves the by-now familiar use of anti-virus software and firewalls. Proxy servers can also provide a demilitarised zone where a server outside your firewall handles all control in and out of the company.
Physical protection involves how you can protect against people breaking into the office and stealing computers or servers. All the software in the world won’t be any use if the server gets stolen. Biometrics can provide an additional security layer, where a laptop will only be usable with the right thumbprint or fingerprint.
Policies are particularly important, and this is often where security falls down. Many companies either fail to have any policies for data security or fail to keep those policies up to date. For example, it’s important to have policies about how you handle back-ups, employee usage and access, while you also need policies for passwords.
If you let people choose their own passwords, then the average competent hacker will be able to guess them, or run an automatic program that will crack them, in seconds. It makes much more sense to use a combination of numbers and letters. Two-thirds of users will never change their passwords unless forced to while, incredibly, some departments will even put a password for the day/week/month on a whiteboard.
The fourth P – patches – is increasingly important. There is no point having the right software if you don’t have the appropriate security patches in place to keep that software up to date, so that any holes or vulnerabilities have been filled.
Security is a continuously moving target, and even if it may be a challenge, you have to be able to sell it internally, and keep policies up to date.
The technologist’s view
Coleman believes SMBs need to take action to defend themselves against increasingly sophisticated threats. Last year the number of virus attacks went down, but they were more targeted.
While threats have become more sophisticated, our dependence on IT has grown, and everyone’s expectations have grown too. What would happen if you couldn’t get your database up or your school records, or you couldn’t mail any of your customers or talk to them?
There is also a whole series of myths that SMBs have, including:
* “I’ve got a firewall so my network is secure.” No, a firewall alone is not enough.
* “All the bad guys are out there.” No, some of them may be inside too.
* “I’ll solve my security problem with better technology.” Technology alone isn’t enough - you need policies too.
* “I can’t afford to have someone chasing down all the latest security patches.” But without patches, your data isn’t secure.
* “There’s nothing of any real value on that system.” But what happens if you need access to your database or customer contacts, but you can’t access the data?
Coleman said a number of SMBs were taking corrective action, getting an external company to test their systems, and make an assessment of their information assets. Many have already implemented firewalls, anti-spyware products and anti-virus definitions, or even employed an outside specialist to keep their patches up to date. The savvier companies are also ensuring that they monitor their security both internally and externally.
Coleman highlighted the future likelihood of more SMBs buying in services to help keep them secure - assessing their current security posture, planning and building a security architecture, and managing their security, acting as a first line of defence to scan email and eliminate threats before they reach the network.
Question and answer session
What is the biggest threat to SMBs' business?
Nick Coleman, head of security services at IBM: It depends on your infrastructure, but both viruses and denial of service attacks are equal threats, causing an outage in your business or damaging your information or assets.
The number one threat to your business is your employees. They are much more likely to give information away to people who want to access your systems, such as passwords, especially for a financial inducement. The way you counter that is through training and effective policies.
How much business budget should you spend on IT security?
Jonathan Steel, chief executive of the Bathwick Group: How long is a piece of string? The percentage of your IT budget spent on security can be from 3% to 4% to 16% or 18%. It’s probably higher in SMBs, because IT budgets are smaller, and so security percentage is greater.
Pricing the business case for security is difficult. You have to ask yourself the value of the business you’re trying to protect, and put in mechanisms from a risk assessment point of view.
Companies need to know the value of their assets. You’re not just putting security in – you’re doing it to protect the business.
Are auditing tools and products too expensive?
Coleman: You can build up quite a store of knowledge via the web for nothing. There are also frameworks such as BS7799, which are applicable for SMBs.
The CBI has put out an SMB guide, which is very useful. Contact www.cbi.org.uk
What’s your advice on password policies?
Steel: Your strategy for passwords is that you should not have recognisable words, but use combinations of numbers and letters. Changing them regularly is a good plan, but you need to get the balance right. Changing once a month is a good idea.
Coleman: People have too many passwords now. The current level is around 21 per person, including personal numbers following the introduction of Chip and Pin, so some use of single sign-on would be an idea. Passwords need to be managed intelligently, so don’t use your company name. Or David Beckham’s, which is also a popular one.
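One way to turn the policy described above into an automated check, as an added example that is not part of the webinar or the speakers’ material: it rejects passwords built on a recognisable word, passwords lacking a mix of letters and digits, passwords containing the company name, and passwords older than a month. The word list, the company name and the eight-character minimum are constructed assumptions for the example.

```python
import datetime as dt
import re

# Constructed stand-in for a real dictionary / common-password list (assumption).
# "beckham" is here because the article names it as a popular choice.
COMMON_WORDS = {"password", "welcome", "football", "letmein", "beckham", "qwerty"}

MIN_LENGTH = 8          # assumed minimum; the article does not state one
MAX_AGE_DAYS = 30       # "changing once a month" from the article


def check_password(pw, company_name, last_changed, today, max_age_days=MAX_AGE_DAYS):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    lower = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append("too short")

    # Policy: a combination of numbers and letters, not a plain word.
    if not (re.search(r"[a-z]", lower) and re.search(r"\d", pw)):
        problems.append("needs both letters and digits")

    # Strip digits and symbols so "beckham7" or "p4ssword" still reveal their core word.
    core = re.sub(r"[^a-z]", "", lower)
    if core in COMMON_WORDS or any(w in lower for w in COMMON_WORDS if len(w) >= 5):
        problems.append("based on a recognisable word")

    # Policy: don't use your company name.
    cname = re.sub(r"[^a-z]", "", company_name.lower())
    if cname and cname in lower:
        problems.append("contains the company name")

    # Policy: change regularly; flag anything older than max_age_days.
    if (today - last_changed).days > max_age_days:
        problems.append(f"older than {max_age_days} days; must be changed")

    return problems


if __name__ == "__main__":
    today = dt.date(2006, 3, 20)                      # constructed reference date
    for candidate in ("beckham7", "Bathwick1", "x7Kq4mZp"):
        print(candidate, check_password(candidate, "Bathwick", dt.date(2006, 3, 1), today))
```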
What about security awareness and culture?
Coleman: Security awareness matters, even in a company of one, never mind one of 50 people.
You are at risk, so apply common sense. Do your risk assessment and then decide what security you need. You don’t need to spend your entire IT budget on security, but you have to help everyone in the organisation to use his or her common sense.
If you are a small company, you should worry about the implications of data loss. Do you have information worth protecting? What happens if your customer database isn’t available?
What’s the best way to update security patches?
Coleman: Do it the instant they are available, and have your systems automatically set up to update everything - new patches, new anti-virus definitions, which you may get once each day. You need to do this immediately because once a security issue has been identified, it is usually published as a vulnerability, and will be exploited until that patch is available. Using service providers can make the whole task easier.