Small and medium-size businesses do not have the luxury, as large MNCs do, of investing millions of dollars in security solutions. But even with small budgets, securing business information is equally important for SMBs. This article discusses the best ways to secure a small or midsize business against malicious activity.
Unlike large enterprises, which typically hire IT professionals who specialize in one particular security discipline, the security role at smaller companies often requires someone who can play "security jack of all trades." This rough-and-ready approach necessitates maximizing security automation and prioritizing top threats, so a small team can truly and effectively risk-manage security for an entire organization, perhaps part-time.
And unlike large enterprises, small and midsize businesses have relatively few employees devoted to information security; many rely entirely on consultants or vendors. The average small and midsize business also devotes far fewer resources to staying secure. So the question is - what's the best way to secure your small or midsize business?
Given the volume of threats, as well as the scarcity of available time, resources, and on-hand security professionals, small and midsize businesses need an action plan: one that outlines which security risks they should focus on today, using existing personnel, time, and resources to mitigate the maximum number of threats.
Here we share the top 10 tips for a faster, cheaper, yet more controlled security program:
1. Target Malware With Automated Defenses
The first line of defense for small and midsize businesses is blocking and eliminating viruses, worms, spyware, and other malware, including Trojan downloaders and keystroke loggers, both on endpoints and at the gateway. Accordingly, deploy anti-malware and filtering software for all e-mail gateways, to prevent malware and spam (which often carries malware) from ever reaching users' PCs. To handle this, many small and midsize companies purchase a so-called unified threat management appliance, which runs multiple security technologies on one device.
Gateway defenses alone, however, will be inadequate. Be sure to install antivirus (aka anti-malware) suites on every laptop, desktop, server, and, preferably, mobile device. Such suites typically also include a personal firewall and host-based intrusion prevention. The advantage of a single suite, as with a single appliance, is easier manageability and updating.
Use administrative rights on PCs to prevent users from tweaking their security suites, so employees can't just turn off the firewall if IM isn't working. One can also use this common anti-malware technique: turn all PCs off at night. Not only will this prevent off-hours exploits, but when users reboot, the operating system can start over and scan for anything malicious that got in.
2. Patch Your Vulnerabilities, Fast
An effective security program requires keeping operating systems and applications patched, because otherwise you'll probably defeat all your other mechanisms. The goal then is to patch PCs and servers expeditiously.
An effective patch plan, however, requires choosing the right patching software. You can't fix everything; you have to be practical. Accordingly, choose an external resource to determine which vulnerabilities to patch, and in what order.
3. Passwords: Say No to "Fluffy"
So much access today still comes down to passwords. Accordingly, make sure employees use effective passwords, and where possible, use multifactor authentication technology. Believe it or not, employees in small businesses especially will use their names as logins and passwords, which is not very hard for a hacker or online identity thief to figure out. Indeed, dictionary attacks and automated attacks, which rapidly try thousands of known words to guess a password, may chew through such permutations in minutes.
Here's a handy solution: Teach users to avoid using actual words, and instead to use the first letter from each word of a long sentence they memorize.
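A small checker for the two failure modes described above (names and dictionary words) next to the sentence technique, as an added example that is not part of the original article. The word list, the 12-character minimum, the sample user and the function names are all assumptions made for illustration.

```python
import re

# Constructed mini word list; in practice load a full dictionary file.
SAMPLE_WORDS = {"fluffy", "password", "welcome", "dragon", "summer"}
# Undo common look-alike substitutions (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i).
LEET = str.maketrans("013457@$!", "oleastasi")
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def normalize(password):
    """Lower-case, strip digits/symbols from both ends, then undo substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def weak_reasons(password, login, full_name, words=SAMPLE_WORDS):
    """Return the reasons a password is easy to guess; an empty list means none found."""
    reasons = []
    lowered = password.lower()
    folded = lowered.translate(LEET)
    # Login plus each part of the name; very short parts (initials) are ignored.
    personal = {p for p in (login.lower(), *full_name.lower().split()) if len(p) >= 3}
    if any(p in lowered or p in folded for p in personal):
        reasons.append("contains the user's login or name")
    if normalize(password) in words:
        reasons.append("dictionary word with trivial decoration")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons


def sentence_to_password(sentence):
    """First character of each word of a memorized sentence, keeping case and digits."""
    return "".join(word[0] for word in sentence.split())


if __name__ == "__main__":
    # Constructed sample user and sentence.
    memorized = "My first car was a red 1998 Honda that I bought in Pune for 40000 rupees!"
    for candidate in ("Fluffy123", "priya.nair2024", sentence_to_password(memorized)):
        print(candidate, weak_reasons(candidate, "pnair", "Priya Nair") or "no findings")
```

A check like this belongs at the point where passwords are set, so a weak choice is rejected before it is ever stored.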
4. Define "Good Behavior"
What's acceptable behavior? While you may know it when you see it, companies can't expect to easily enforce it, operationally or legally speaking, unless they've codified it in writing.
Enter security policies and procedures. Users will do careless things, and you have to have policies that you're able to enforce, to at least curb some of the deliberate things users will do. Indeed, procedures tell employees what is required (changing passwords every 30 days), or prohibited (viewing malicious websites).
Setting policies doesn't have to be expensive, time-consuming, or difficult. Train employees on security policies, make them accessible by storing them in a prominent location on a shared network drive or the intranet, and revisit them regularly. Finally, treat policies as CliffsNotes, checklists and cheat sheets - for negotiating feature sets and service-level agreements with consultants, outsourcers, and software vendors.
5. Use Application-Specific Software
To really maximize security in a minimal amount of time, as part of the "acceptable use" policy, prohibit users from installing unauthorized software on PCs. Then enforce and ensure you're only running the software required for the business to function properly.
This simpler-is-better approach improves security and saves time because third-party software is more prone to harbor malware, and create security holes - and it requires additional time to patch. In addition, if the PC gets infected with malware it is notoriously difficult to eradicate. It's much faster to wipe and rebuild a PC using a standard disk image build, without having to install additional applications.
6. Don't Panic, Plan
If something goes wrong in a security sense, the question to be asked is: will employees know what to do? When there isn't an IT person on staff 24 hours per day, as is typical in many small and midsize businesses, people need a response process, at least from a coordination and communication perspective. This requires time for planning and thinking ahead, admittedly a rare security luxury in the typical small and midsize business. Even so, have an emergency response plan. Anticipate a successful attack, and know what to do about it when it does happen. In particular, who should employees call if their security software says they've been infected with malware?
7. Backup is a Virtue
Theft, natural calamities such as storms and earthquakes, hard drive failures, electrical fires, and malware are common to all establishments. None of these matters to data integrity, provided the data has been backed up. Of course, while everyone knows they should back up, few do. Accordingly, it's up to IT to safeguard corporate data.
Consider deploying automated backup software, and ensure the resulting backups are not stored on-site, to guard against physical disasters. Or, for greater automation and ease of use, though not always a lower price, employ an automated online backup service.
8. Auditing: Watch the Watchers
If the antivirus screams, and there's no one around to hear it, is it really a virus? You have to audit your logs, and understand, am I being attacked? Because if your IDS is saying I'm deflecting all this malware, then you want to know, because attacks will shift until attackers get in.
Even small and midsize businesses without an intrusion detection system should still study antivirus logs to monitor top attacks, and also keep an eye on basic server security settings. Hackers will change security settings to make it easier to come back, and noticing that a security setting has changed is often your first indication of an attack.
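One low-cost way to notice a changed security setting is to record a hash baseline of the server's settings files and compare against it on a schedule. The following is an added example, not part of the original article; the file names and contents in `demo()` are constructed, and the function names are illustrative.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (by relative path) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def save_baseline(root, baseline_file):
    """Record the known-good state; keep this file outside the watched directory."""
    Path(baseline_file).write_text(json.dumps(snapshot(root), indent=2))


def changes_since(root, baseline_file):
    """Return sorted (kind, path) tuples, kind being 'added', 'modified' or 'removed'."""
    old = json.loads(Path(baseline_file).read_text())
    new = snapshot(root)
    found = [("removed", p) for p in old.keys() - new.keys()]
    found += [("added", p) for p in new.keys() - old.keys()]
    found += [("modified", p) for p in old.keys() & new.keys() if old[p] != new[p]]
    return sorted(found)


def demo():
    """Constructed walk-through in a temp directory: baseline, change settings, detect."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "settings"
        cfg.mkdir()
        (cfg / "firewall.conf").write_text("default_inbound=deny\n")
        (cfg / "remote_access.conf").write_text("enabled=no\n")
        baseline = Path(tmp) / "baseline.json"
        save_baseline(cfg, baseline)
        # Simulated unauthorized changes made after the baseline was taken.
        (cfg / "remote_access.conf").write_text("enabled=yes\n")
        (cfg / "extra_admin.conf").write_text("user=support2\n")
        return changes_since(cfg, baseline)


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:9} {path}")
```

Store the baseline somewhere an intruder on the server cannot rewrite it, such as read-only media or a separate machine, and refresh it only after an approved change.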
9. Security Education on a Budget: Get Creative
At all companies, effective security requires paying attention to people, processes, and technology. But often the people aspect of security is ignored. To address that, maintain a security awareness program. A good starting point is a short training course for all new employees, to communicate the basics. The help desk will never ask for a password; beware free Wi-Fi hotspots since someone can "listen in" on all communications; using a hotel PC or airport kiosk typically leaves a copy of all data and attachments behind; and never open any suspicious-looking e-mail attachments.
Ongoing education doesn't have to be expensive. Consider approaching the subject of security in a humorous yet thorough manner. Teach users that today's top attacks typically aren't perpetrated by some "game over" exploit displayed on beleaguered PC screens. Rather, today's hackers can completely shut down vast networks spread across the states.
10. Encryption: Set It and Forget It
What's the best way to protect information on lost or stolen endpoints from being misused? Consider full-disk encryption software, which renders hard drive data illegible to anyone who doesn't have proper authorization. Laptops go missing all the time, laptops get stolen, and the last thing you want is for the person who steals that laptop to sell that customer information on the Internet.
—By: R. Manoj,
The author is an Assistant Editor at Fanatic Media, Bangalore.
He is also an Independent Researcher, specializing in Systems Security. He has an active interest in designing security algorithms for securing mission critical systems. He can be reached at infosecurity@fanaticmedia.com