Security Panel: Small Business Computer Security Doesn't Have To Be Difficult or Expensive
Small and midsize businesses (SMBs) are increasingly targeted for hacker attacks because they’re such tempting victims. Most small business owners are too busy managing their operations to worry about computer security or to acquire the knowledge needed to provide it. Basic mistakes are made not because SMBs don't care about data breaches but because the security industry has done a poor job of making it easy and inexpensive for them to put the right preventions in place. Those were some of the points made by three panelists at the May 15 IBM Midsize Business webinar entitled “Mid-Market in the Crosshairs: Why Cybercriminals Are Targeting Midsize Organizations and How to Foil Them.” The event examined the alarming growth in data breaches at midsize companies, which was dramatized by a recent Verizon report that found that more than two-thirds of data breaches in 2011 occurred at companies of fewer than 100 employees. Panelists included Alan Shimel, founder and managing partner at The CISO Group; Alex Hutton, Director of Operational Risk Management at a U.S. financial institution; and Mike Murray, who’s in charge of advanced curriculum at The Hacker Academy and is also a managing partner of MAD Security, LLC.
The panelists didn't blame small businesses for neglecting security procedures. Rather, they said the security industry has overcomplicated the problem and failed to educate business owners about basic blocking and tackling. “Let's be blunt: Nobody really wants to spend money on information security,” said Murray. “It’s a cost to the business and it's up to us to find ways to make that cost as low as possible.” In reality, most computer criminals who attack small businesses aren't using advanced technology to do so. “These aren’t advanced attacks,” Shimel said. “It’s basically people jiggling knobs in the hallway.” The reason so many of those doors fly open is that small business owners don't take the basic steps to secure them. Shimel said he’s amazed how many computers he finds at client sites that are using passwords like “Welcome” and “123456.” Better access controls exist, but passwords will remain a central part of endpoint security for a long time. “People use them because they're easy,” Murray said. A variety of automated solutions are available that generate and store secure passwords, but few people use them. “No one except a technologist wants to use a password management program,” Murray said. The panel went over 10 recommendations from the IBM X-Force 2011 Trend and Risk Report about basic steps all businesses can take to improve security:
1. Perform regular third party external and internal security audits
2. Control endpoints
3. Segment sensitive systems and information
4. Protect the network
5. Audit Web applications
6. Train end-users about phishing and spear phishing
7. Search for bad passwords
8. Integrate security into every project plan
9. Examine the policies of business partners
10. Have a solid incident response plan
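Recommendation 7, "Search for bad passwords", and Shimel's remark about finding “Welcome” and “123456” at client sites can be turned into a routine audit that never needs plaintext passwords: re-hash a deny list under each account's own salt and compare against the stored hash. The code below is an added illustration, not from the webinar or the X-Force report; the credential records, the deny list beyond the two passwords quoted in the article, and the use of PBKDF2-HMAC-SHA256 as the storage scheme are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Deny list: the two passwords quoted in the article plus a few other
# well-known weak choices (constructed examples, not from the article).
WEAK_PASSWORDS = ["Welcome", "123456", "password", "qwerty", "letmein"]

# Kept low so the demo runs quickly; a real credential store uses far more.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for the store's own hashing scheme (assumed PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(username: str, password: str) -> dict:
    """Build a credential record the way an application would store it."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def find_weak_accounts(records, denylist=WEAK_PASSWORDS) -> dict:
    """Return {username: deny-listed password} for every account whose stored
    hash matches a deny-listed password (also tried in lower case and with an
    initial capital) under that record's salt. Plaintext is never needed."""
    hits = {}
    for rec in records:
        for candidate in denylist:
            variants = {candidate, candidate.lower(), candidate.capitalize()}
            if any(hmac.compare_digest(hash_password(v, rec["salt"]), rec["hash"])
                   for v in variants):
                hits[rec["user"]] = candidate
                break
    return hits


def audit_sample() -> dict:
    """Constructed sample: a small shop's accounts, three of them weak."""
    records = [
        make_record("pos-terminal", "Welcome"),
        make_record("owner", "123456"),
        make_record("backoffice", "welcome"),          # caught via the lower-case variant
        make_record("manager", "Tr0ub4dor&3-but-much-longer!"),
    ]
    return find_weak_accounts(records)
```

Because the comparison is done hash-to-hash, the same routine can run against an exported credential table without anyone ever seeing a user's actual password.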
These steps don’t require a big investment, but they do take time and awareness. Not all small businesses have poor security. Companies in regulated industries or that do business with the government have good security in place because they have to. The biggest risks are at companies like the corner pizza place, whose owner doesn't see a need for computer security because computers aren’t essential to the business. However, the back-room PC that handles credit card payments could unwittingly act as a tunnel into a credit card provider. “Operating system and infrastructure providers need to take more responsibility for educating small businesses so that they take responsibility,” said Hutton. “At this point it's way too expensive for many people to think about.” One solution the panelists all liked is outsourcing. Security-as-a-service providers now deliver full security suites remotely at a nominal monthly cost; however, few small businesses are aware of them. Hosted services can eliminate the learning curve and provide world-class coverage. “You don't need to run an IT shop to have good security,” Hutton said. “There’s plenty you can outsource.”