Three security gurus speaking at IBM’s PartnerWorld 2006 conference said that small and mid-sized businesses may actually be a more likely target than, say, IBM. The reason, said Howard Schmidt, president and CEO of R&H Security Consulting LLC, is that password management is a challenge for small firms.
The fact that they often reuse the same login names and passwords across multiple online accounts could be ammunition for an attack on the larger targets that partner with SMBs. In other words, if one login is compromised, the rest would topple like dominoes, said Schmidt.
Before joining Issaquah, Wash.-based R&H, Schmidt was chief cyber-security advisor for the White House, chief information security officer for eBay and co-founded Microsoft’s Trustworthy Computing Security Strategies Group.
Hacking an SMB doesn’t afford a hacker the same level of financial gain or infamy as a large target, said Matt Leonard, an erstwhile IBMer, now a fellow at the Ponemon Institute. “But you can’t afford, as a small business, to take as many risks.”
SMBs may need to rely more on automated security solutions than their larger counterparts, added Leonard, because they often don’t have enough personnel to manage security effectively.
A problem that businesses, both large and small, face is that they are looking for perfect security solutions, said Dan Geer, vice-president and chief scientist at Verdasys, based in Waltham, Mass. It is better to implement what you have than to be frozen by indecision, said Geer, adding that a good way to start is to keep records of security procedures.
“Measure something, for heaven’s sake. Even if you don’t believe the number. There’s lots of things you can measure. I don’t think we can improve unless we can keep score.”
By keeping track of the number of security incidents, or of how patch management is handled across departments, a company can learn something about itself.
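As an added illustration of Geer's point about keeping score (example code written for this page, not from the speakers, IBM or any of the companies named), the following Python script computes the two measurements the article mentions from a constructed sample: patch latency per department and incident counts per month and category. The department names, the 14-day patch target and every record are assumptions made up for the example.

```python
"""Keep score: patch latency per department and incident counts from constructed records."""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Hypothetical internal target: a patch should be installed within 14 days of release.
SLA_DAYS = 14

# Constructed sample data (not from the article):
# (department, patch id, release date, install date or None if not yet installed)
PATCH_RECORDS = [
    ("finance", "KB-001", date(2006, 1, 10), date(2006, 1, 13)),
    ("finance", "KB-002", date(2006, 2, 14), date(2006, 2, 20)),
    ("finance", "KB-003", date(2006, 3, 14), None),  # still outstanding
    ("sales", "KB-001", date(2006, 1, 10), date(2006, 2, 28)),
    ("sales", "KB-002", date(2006, 2, 14), date(2006, 3, 30)),
    ("sales", "KB-003", date(2006, 3, 14), date(2006, 3, 16)),
]

# Constructed sample incidents: (date detected, category)
INCIDENT_RECORDS = [
    (date(2006, 1, 5), "phishing"),
    (date(2006, 1, 22), "malware"),
    (date(2006, 2, 3), "phishing"),
    (date(2006, 3, 9), "credential-reuse"),
    (date(2006, 3, 27), "phishing"),
]


def patch_latency_by_department(records, as_of, sla_days=SLA_DAYS):
    """Per department: median days from release to install, share of patches
    that met the SLA, and number still outstanding as of `as_of`.

    A patch that is not yet installed counts against the SLA only once the
    window has elapsed; a young outstanding patch is neither a hit nor a miss.
    """
    by_dept = defaultdict(list)
    for dept, _patch_id, released, installed in records:
        by_dept[dept].append((released, installed))

    summary = {}
    for dept, items in sorted(by_dept.items()):
        latencies, met, evaluated, outstanding = [], 0, 0, 0
        for released, installed in items:
            if installed is None:
                outstanding += 1
                if (as_of - released).days > sla_days:
                    evaluated += 1  # overdue: a miss with no install date
                continue
            days = (installed - released).days
            latencies.append(days)
            evaluated += 1
            if days <= sla_days:
                met += 1
        summary[dept] = {
            "median_days": median(latencies) if latencies else None,
            "sla_rate": round(met / evaluated, 3) if evaluated else None,
            "outstanding": outstanding,
        }
    return summary


def incident_counts(records):
    """Incidents per calendar month (sorted) and per category (most common first)."""
    by_month = Counter(d.strftime("%Y-%m") for d, _category in records)
    by_category = Counter(category for _d, category in records)
    return dict(sorted(by_month.items())), dict(by_category.most_common())


if __name__ == "__main__":
    for dept, stats in patch_latency_by_department(PATCH_RECORDS, date(2006, 4, 1)).items():
        print(dept, stats)
    months, categories = incident_counts(INCIDENT_RECORDS)
    print(months)
    print(categories)
```

Even on this tiny sample the numbers say something the raw records do not: finance patches quickly but has one overdue patch, sales installs nearly everything late, and phishing is the recurring incident type. Those are the figures to put in front of whoever owns the process, whether or not anyone yet trusts them.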