SMB focus: DIY security is not enough

Spyware, worms and remote networks have made IT security a much more complicated problem for small businesses, explains Helen Beckett



Security is still prominent on the radar for the smaller business and many people who run small firms are realising that the growing complexity of keeping data safe needs expert attention. It is no longer a question of just keeping virus patches up to date and installing a firewall. The security-conscious now have to deal with remote networks and address new threats such as spyware.

Consequently, many small and medium-sized businesses, both those with dedicated IT resources and those without, are looking outside the organisation for help.

Security was cited as the top IT initiative for 2006 by the IT managers and business proprietors who attended the Gartner Group's 2005 Midsize Enterprise Summit.

Spending on security by these US mid-market companies ranged from 5% to 10% of the overall IT budget. And according to Jim Browning, vice-president and research director at Gartner, the UK experience pretty much mimics the North American trend.

"Most small and medium businesses do a really good job of anti-virus on the desktop and put budget aside for firewalls," he said. "But they don't have the budget for a total security solution like their enterprise counterparts, and struggle to prioritise everything in between."

In particular, they struggle with spyware and intrusion prevention, said Browning. "We see about 10%-15% using managed security services, and frankly more SMBs should use them to keep the bad guys out."

Before 2001, the primary effect of viruses and malware was downtime for the infected device and the inconvenience of an overcrowded inbox. But worms, a more recent manifestation of malware, spread so quickly that they act as denial-of-service attacks against the entire network, inflicting more damage overall than viruses ever did.

Also, the outbreak of spyware in the past year or so has caused a host of fresh problems for SMBs that few have addressed properly.

While even the smallest business is pretty clued up about the dangers of viruses, many remain naive about spyware, said Paul Bodgers, technical operations manager of PC World Business. "We see more people about spyware than anti-virus now," he said, adding that they usually come for a cure because they have already been affected, rather than for preventive purposes.

The most usual routes of infection involve software being planted on a device after a user has clicked on a pop-up or visited a suspect site. And a user may remain oblivious for some time.

A lot of spyware simply redirects users to a website, but a more nefarious type copies keystrokes and can thus spy on user activity and steal passwords and data. Telltale signs include a homepage redirecting to a phoney site or a machine that runs slowly or crashes.

"Often the code is poorly written by a guy in the back bedroom," said Bodgers. "This sort of software may hog the processor and make a machine crash." Another problem is that the IT-illiterate often assume viruses and spyware are the same thing and so take no action to counteract the latter.

In this respect, they have been done no favours by the anti-virus suppliers, who have been slow to respond to the spyware threat, said Browning. "Suppliers are only just starting to integrate anti-spyware with their anti-virus service, and so businesses have had to go to another point provider [or not at all]. SMBs are pretty upset with these suppliers."

Gartner believes the increasing success of intrusion detection and prevention will be a catalyst for third-party providers to offer a managed security service that covers everything. Intrusion prevention entails monitoring network traffic for deviant packets and interpreting data, and so calls for specialist knowledge and equipment. "They can't do it themselves," said Browning.

Cisco's senior security adviser for UK and Ireland, Paul King, agrees. "If you see a bad packet and decide to drop it, you have to be 100% sure."

But he said that intrusion prevention on individual devices can be achieved more easily by having an intelligent agent sit on a PC and monitor its behaviour in particular contexts. For example, you would expect anti-virus software to scan every file on the disk, but you would not expect this from another application.

"At Cisco we promote the idea of the self-defending network and device, because no one can predict where an attack will come from," said King. The beauty of the PC intrusion protection software is that it can even be configured to prevent data being stolen on a USB port. "The user will get a pop-up screen asking whether they want to do the copy, and a tick will be registered for audit purposes."

This growing sophistication of security technology may be a good thing in the long run, because while security remains in the realm of do-it-yourself, SMBs may just be making themselves more vulnerable.

In any field, a little knowledge is deemed to be a dangerous thing, but this is particularly true of security, where the risks are greater. "Even with something basic like anti-virus software, enthusiasts may install it, click next, and think 'that's it'," said Bodgers.

The problem recurs throughout the security domain, as more complex devices call for a specialist knowledge that goes beyond the range of a competent IT manager.

Mark Gerhard, chief executive of IT security consultancy the Ministry of Data, said small businesses should keep things as simple as possible.

A "Rolls-Royce" firewall for the larger enterprise with a wide range of features may not be the best choice for the SMB, unless it has a lot of technical knowledge, he warned, instead recommending lower-end firewalls that come with a wizard designed to guide novices and intermediates through the installation process.

IT managers also frequently fall foul of the wireless technology that has been enthusiastically embraced by SMBs because of the low cost of entry. Unfortunately, said Gerhard, the inherent security issues are frequently overlooked by companies both large and small.

In Gerhard's experience, companies often spend time and money configuring their firewalls correctly and then install unsecured wireless networks or devices that put a hole in network security.

"It's the equivalent of spending a fortune on the perimeter fence and then digging a tunnel under it," he said.

The two main pitfalls of wireless are confusion about encryption strengths of different cipher standards, and lack of passwords, said Gerhard.

"Normally encryption scales to 'the power of', but with the Wired Equivalent Privacy (WEP) standard for wireless security, strength increases linearly." IT managers can easily be confused on this score and believe their encryption is much stronger than it actually is.

Second, said Gerhard, passwords are either negligible or non-existent on wireless networks, which are not segmented to reduce risk. IT needs to think about wireless networks in the same way it does about physical local area networks.

A customer-facing server, for example, would normally be put in a "demilitarised" or buffer zone, so that in the event that it is compromised, back-office systems would remain protected.

The problem is exacerbated by the project-led approach to security. "A typical situation is to put wireless in by Monday because the chairman said so," said Gerhard. And the project-orientated nature of security remains a serious flaw. According to Browning, "In one organisation it's a server thing, or if e-mail has to be secured, then the e-mail guy does it."

It is quite natural that the rapid evolution of security threats means attention is focused on dealing with these technology "cures". However, as the Department of Trade and Industry emphasises, breaches of security are more likely to occur from within than without. According to the DTI's Information Security Breaches Survey 2004, nearly 25% of all companies surveyed reported that their staff had misused systems - twice as many as in 2002.

And most of these breaches are likely to be perpetrated through social engineering because it is easy to phone a helpdesk and ask for a "lost" or new password. "Small companies are immediately more susceptible because there is less likely to be a process than in larger companies, where the sheer number of people makes it harder to keep tabs on individuals," said Gerhard.

For this reason, it is crucial to have a security policy in place determining access to systems and behaviour around computer devices and networks. A sound policy sets boundaries, is a deterrent to calculated abuse and discourages sloppy practice that could inadvertently open up the network to malware.

Whether a company chooses to provision its security in-house on a DIY basis or outsource to a service provider, formulating a policy on safe ways to use computers and networks is a must. "Smaller companies have temporary contractors and casual labour too," warned Nick Coleman, head of security services for IBM. "People shouldn't regard it as a small issue just because it's on a smaller scale."

For those that don't have a larger partner or customer to nudge them, "If you don't write things down and choose not to do anything - that is policy in itself," said Coleman.


Case study: City West gets down to the details

Social housing provider City West Homes decided to call in outside specialists when it created a comprehensive security policy.

"It kept getting pushed to the back of the pile and it seemed that the only way to get it off the ground was to bring in consultants," said Nick Tutt, head of IT at City West Homes.

IT had a number of technical rules as well as guidelines for users in place.

However, undertaking security training for the IT staff, and in particular preparing for Information Systems Examination Board qualifications, run by the British Computer Society, raised awareness about the need to get a sound policy document in place.

"Just for the purposes of corporate governance, board members and auditors wanted to be assured that there was an information security policy," said Tutt.

"We're at the point where we have detailed user policies drafted and we're just going through a consultation with contractors and third parties." HR has also recently become involved, although according to Tutt, it would have ideally been consulted at the outset.

Having a handbook that can be circulated among staff and which complements the contract of employment is a big bonus in battening down internal security, said Tutt.

"In any cases where we need to take disciplinary action, it makes it possible for HR to dismiss someone for breach of policy," he added.

Look out for the SMB Handbook

You don't have to be the biggest of companies to get the best from IT. On 14 March Computer Weekly will publish a 36-page handbook showing how SMBs can use IT to transform the company.

The SMB Handbook will look at the latest IT products and services; how to get the best from your IT budgets; how to calculate total cost of ownership and return on investment; and how to get the best deal from external suppliers.

Find out how SMBs can level the playing field when competing with the larger companies as well as their peers. It's all in The SMB Handbook: the essential guide to IT for SMBs.

The SMB Handbook will be distributed free to selected readers with the 14 March edition of Computer Weekly.

It will also be available for free download from 14 March to all visitors to:

