Security tips for surviving the credit crunch

When budgets get tight, security experts will need to have smarter, more efficient ways of maintaining defences.

So far in the credit crunch, security budgets have held up surprisingly well, but as organisations start to question every penny they spend, even security departments will be asked to look at how they can do more for less.

To help provide a few ideas, soundings were taken from a range of people in the market to get their suggestions on how to make budgets stretch a little bit further. Here is a summary of what they said:

Review contracts and suppliers
Many companies tend to stick with their suppliers year to year, but with the crunch, they should review contracts and the prices they pay.

Matthew Tyler, a director at the London consultancy Evolution Security Systems Ltd., says software licence renewals offer a great opportunity to cut costs. "Take maintenance of Microsoft licences, for example. The third-party distributor doesn't add any value; it is just a conduit. What it charges should be cost plus 5%, whereas most are charging cost plus 15% to 20%," he said. "If they won't budge, then talk to other distributors. There is a recession on, and they need your business."

Also, look at the number of licences you have, Tyler said. "We have found without fail that companies are either over-licensed, or have not licensed in the most effective way. We find that 10% to 20% can be slashed off that instantly, through correct licensing and haggling with the suppliers."

It may also be a good time to rationalise suppliers and provide more business to the suppliers who give a good service. "Tell the good partners you'd like them to take over the other products from the bad suppliers," Tyler said. "Stick with the suppliers who help you, and not with the ones who have just been invoicing for licences."

Stop wasting time
In the good times, employers may have given employees leeway to surf the Web, carry on instant messaging conversations with friends, maintain their Facebook presence, and clog up the corporate network with their iTunes downloads.

Now could be a good time to review policies regarding personal use of systems at work. They can damage productivity, as well as introduce potential security problems, especially since public IM systems allow users to attach huge files that would not get through the email architecture.

"It's a good time to beef up your Web security and staff productivity," said Ian Kilpatrick, chairman of distributors Wick Hill Group plc. "List-based Web content security tools don't provide very effective control against proxy anonymisers, and it is easy to quickly set up proxies to avoid the controls. Consider moving to solutions that securely manage this productivity waste and security risk."

His advice is also to close down those applications that lie outside the browser, such as P2P, streaming media and IM. "These are all areas that many organisations have ignored. Not only do they represent a significant risk, they are also extremely high cost in staff time wasted."

Consider UTM
Unified threat management appliances were once confined to small companies or small branches of large companies where there were few, if any, security specialists on hand. Being virtually plug-and-play, UTM appliances require little attention and are remotely updated by the system provider. They combine several functions, including antivirus, antispam and firewall, as well as features like intrusion prevention, VPN and antispyware.

Centralised reporting and management reduces administration and management time, compared with running separate products. UTMs also save on rack space and air conditioning costs.

So why isn't everyone using them? Many large companies claim their Web and email traffic is too high to be routed through a single device, and only dedicated products will suffice. But with processors' speeds growing, UTM appliances are increasingly capable of handling the workload.

Vendors of appliances report that much of the resistance to UTMs comes from company politics and IT staff wanting to protect their territory. In addition, larger companies tend to have different teams handling different aspects of the IT infrastructure, such as network security and content security, and that will also keep them from adopting a single product, according to Yuval Ben-Itzhak, CTO at security company Finjan Inc. "Because of this organizational structure, each of these groups wants to manage their own products. As you go higher, you see more dedicated solutions. And when you reach 3000 users, that often splits further into the email, Web and network security groups," he said. "Politics also play a part in this, especially in larger companies, which we as a vendor know very well."

Deploy encryption
Encryption will involve some up-front extra investment, but remember that the cost of cleaning up after an incident is a lot higher. Make sure to think about key management, too -- you don't want people forgetting passwords and then being locked out of their data.

Get smart about compliance
Regardless of the recession, your organisation will still need to comply with legislation and regulations -- and the fines for non-compliance are getting stiffer.

But try to reduce duplication of effort by integrating compliance programmes.

Evolution's Matthew Tyler, who advises on compliance, said that too many companies adopt a fragmented approach to compliance. "At the moment, teams of different people get assigned to complying with PCI, Basel, DPA and so on," he said. "You are never going to eliminate all duplication of effort in companies. But you can take a holistic view of compliance. Start by looking at what you need to comply to, then how do we go about doing it."

Tyler makes the point that most of the relevant regulations share three main principles:

  • Do you have a minimum level of corporate governance in your organisation? Do you tell your staff how to deal with sensitive information?
  • Have you taken steps to secure that information?
  • And have you restricted access to it?

By pulling together all the regulations that must be complied with, there will be a clear overlap -- regarding strong passwords or encryption of personal data, for example -- and customers can then develop a set of requirements that satisfy all the mandates.

"You can then use the same services for a number of projects. For example, ISO 17799, DPA and PCI all require penetration tests. So do the tests once and that will cover you for multiple regulations," he said. "What tends to happen is that different departments go out and commission tests on their own without any joined-up thinking."

User authentication
If you are still using security tokens, you could save money by moving to a less expensive approach. Tokens require a high overhead in terms of deployment and management; they can be lost, and need to be replaced when their batteries wear out.

Consider other ways of doing two-factor authentication, for example through SMS messages to the user's mobile phone, or through pattern-based systems, where the user receives a grid of numbers, and picks out the numbers that accord with a pre-agreed secret pattern. Jonathan Craymer, chairman of Gridsure Ltd., which is developing such a system, says that a 5 by 5 grid allows for nearly 10 million combinations of a 5-digit pass code.
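The grid scheme described above, as an added illustration (not Gridsure's product or code): the server issues a fresh grid of random digits, the user replies with the digits at their pre-agreed cells, and 25**5 ordered cell choices gives the article's "nearly 10 million". The last function shows the check a practitioner should make before adopting any such scheme: how far a single exposed grid-and-code pair narrows that space.

```python
import secrets
from math import prod

GRID_CELLS = 5 * 5     # the 5 by 5 grid described in the article
PATTERN_LEN = 5        # the secret is 5 cell positions, read off as a 5-digit code

def pattern_space():
    """Ordered choices of 5 cells from 25, repeats allowed: 25**5 = 9,765,625."""
    return GRID_CELLS ** PATTERN_LEN

def new_challenge():
    """Server side: a fresh grid of 25 random digits, generated per login attempt."""
    return [secrets.randbelow(10) for _ in range(GRID_CELLS)]

def expected_code(grid, pattern):
    """Server side: the digits the user should read from their secret cells, in order."""
    return "".join(str(grid[cell]) for cell in pattern)

def verify(grid, pattern, submitted):
    """Constant-time comparison of the user's answer against the expected code."""
    return secrets.compare_digest(expected_code(grid, pattern), submitted)

def candidates_after_exposure(grid, code):
    """Number of secret patterns still consistent with one observed grid+code pair.

    Each code digit can only have come from the cells showing that digit, so the
    space shrinks from 25**5 to the product of those cell counts (roughly 2.5**5
    for a random grid). This is why the grid must never be reused and why the
    pattern is one factor of two, not a replacement for the password.
    """
    return prod(grid.count(int(d)) for d in code)

if __name__ == "__main__":
    # Constructed demo: the user's secret is the grid's main diagonal.
    secret_pattern = [0, 6, 12, 18, 24]
    grid = new_challenge()
    code = expected_code(grid, secret_pattern)          # what the user would type
    print("pattern space:", pattern_space())
    print("challenge accepted:", verify(grid, secret_pattern, code))
    print("patterns consistent with this one exposure:", candidates_after_exposure(grid, code))
```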

Also, reconsider biometric authentication. For instance, many laptops now have thumb-print readers, as do some USB devices.

Thin client
The capacity of today's USB sticks has topped 1 Gb, more than enough to accommodate a complete computer system. Some companies are now taking advantage of this power to create secure locked-down systems that can be used in conjunction with any Internet-connected terminal -- without running into the usual problems of working from an Internet café, for example.

One example is the Trusted Client device from U.K. company Becrypt Ltd. Designed for users who may need to work out of the office or from home, it costs £50 and creates a secure encrypted environment on the host PC, using only the PC memory and processor and bypassing the hard drive. It prevents data from leaking into the host PC and any viruses from getting on to the network -- it also costs a lot less than supplying staff with laptops.

It is also possible, but perhaps less secure, to create a complete PC on a stick from scratch using open source software: download Linux, Firefox and Sun's OpenOffice suite, plus a couple more utilities for file transfer, and you'll have a device that is immune to Windows-based malware and lets staff work remotely at virtually no cost.

Organisations build up a variety of solutions to one-off problems. Now is an opportunity to look at what you have and see what could be discarded.

Stuart Okin, recently appointed managing director of Comsec Consulting U.K., describes the credit crunch as "a great opportunity" for security people to consolidate areas of security and show they can manage costs.

He cites three areas of big potential savings:

  • Identity and access management: "In most organisations you will find multiple directories and multiple versions of the truth, run by different departments and different systems," he said. "For instance, a company may have several IAM solutions -- Active Directory for Windows-based systems, maybe an LDAP directory for the ERP system, another for HR, and so on."

    Use a metadirectory approach to bring together information about users and their roles and provide a single version of the truth. This consolidation can then bring down the number of tools used, and the number of people needed to run it.

    He adds that better IAM allows companies to take better control of software licensing -- they know who is using what -- and that can also lead to savings.

  • Reduce firewalls: Okin says many firewalls are installed to respond to one-off incidents. This can result in multiple tiers of firewalls performing the same actions with the same ports open, he said. Now is a good time to examine all firewalls, IDS and IPS, and ask which are really needed. "Also examine whether networks still need to be segmented to the same extent. We have externalised so much to partners, so some of the segmentation may not be needed, and so security control can be consolidated."

  • Build security into the software lifecycle: "Each time a new project is kicked off, security often gets bolted in around the test phase. So when you do pen testing, it throws up lots of errors. It's better to have the security development lifecycle running through all of the programs."

    Okin adds that Comsec has seen hundred-fold cost savings by implementing security through the lifecycle rather than waiting until the end of the penetration test. "If you can replicate that across all projects, then there are huge amounts of savings to be made," he said.
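The metadirectory idea from the identity and access management point above, as an added example (not Comsec's or any vendor's code): join the accounts held in Active Directory and the ERP's LDAP to the HR record by employee id, so one view shows who has what, which accounts have no living owner, and which licences belong to leavers. All three exports are constructed sample data.

```python
# Constructed sample exports (not real data). A metadirectory would pull these
# from Active Directory, the ERP's LDAP and the HR system, as the article describes.
HR = {  # employee_id -> (name, employment status): the authoritative source
    "E100": ("Alice Ng", "active"),
    "E101": ("Bob Rae", "active"),
    "E102": ("Cara Lo", "left"),
}
ACTIVE_DIRECTORY = [  # (account, employee_id, licensed software)
    ("ang", "E100", {"Office", "Visio"}),
    ("brae", "E101", {"Office"}),
    ("clo", "E102", {"Office", "Project"}),
    ("svc_backup", None, set()),         # no owner recorded
]
ERP_LDAP = [  # (uid, employee_id, role)
    ("alice.ng", "E100", "finance"),
    ("cara.lo", "E102", "finance"),
    ("tmp_consult", "E999", "finance"),  # id unknown to HR
]

def reconcile(hr, ad, erp):
    """Join every account to its HR record by employee_id; report what HR cannot vouch for."""
    people = {eid: {"name": n, "status": s, "accounts": [], "roles": set(), "licences": set()}
              for eid, (n, s) in hr.items()}
    orphans = []                      # accounts with no HR owner: review or disable
    for account, eid, apps in ad:
        if eid in people:
            people[eid]["accounts"].append(f"ad:{account}")
            people[eid]["licences"] |= apps
        else:
            orphans.append(f"ad:{account}")
    for uid, eid, role in erp:
        if eid in people:
            people[eid]["accounts"].append(f"erp:{uid}")
            people[eid]["roles"].add(role)
        else:
            orphans.append(f"erp:{uid}")
    leavers = [eid for eid, p in people.items() if p["status"] == "left"]
    stale_accounts = [a for eid in leavers for a in people[eid]["accounts"]]
    reclaimable = sorted((eid, app) for eid in leavers for app in people[eid]["licences"])
    return people, orphans, stale_accounts, reclaimable

if __name__ == "__main__":
    people, orphans, stale, reclaim = reconcile(HR, ACTIVE_DIRECTORY, ERP_LDAP)
    print("single view:", {eid: p["accounts"] for eid, p in people.items()})
    print("orphan accounts:", orphans)
    print("leaver accounts still live:", stale)
    print("licences to reclaim:", reclaim)
```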

And finally ... user training
A good security policy, backed up with good training and regular awareness programmes, is cheap to produce and will pay dividends. If anyone objects to the price of education, remind them that ignorance costs a lot more.
