LAS VEGAS – Being one of the little guys will not insulate you from security concerns.
Three security gurus speaking at IBM’s PartnerWorld 2006 conference said that smaller businesses may actually be a more likely target than, say, IBM. The reason, said Howard Schmidt, president and CEO of R&H Security Consulting LLC, is that password management is a challenge for small companies.
The fact that they often use the same login names and passwords for multiple online accounts could be ammunition to hack the larger targets that partner with SMBs. In other words, if one login can be hacked, the rest would topple like dominos, said Schmidt.
Before joining Issaquah, Wash.-based R&H, Schmidt was chief cyber-security advisor for the White House, chief information security officer for eBay and co-founded Microsoft’s Trustworthy Computer Security Strategies Group.
Hacking an SMB doesn’t afford a hacker the same level of financial gain or infamy as a large target, said Matt Leonard, an erstwhile IBMer, now a fellow at the Ponemon Institute. “But you can’t afford, as a small business, to take as many risks.”
SMBs may need to rely more on automated security solutions than their larger counterparts, added Leonard, because they often don’t have enough personnel to manage security effectively.
A problem that businesses, both large and small, face is that they are looking for perfect security solutions, said Dan Geer, vice-president and chief scientist at Verdasys, based in Waltham, Mass. It is better to implement what you have rather than be frozen by indecision, said Geer, who also led the development arm of MIT’s Project Athena and has consulted for the U.S. Department of Defense and the Commonwealth of Massachusetts.
Keeping a record of security procedures is a good way to start, especially for small businesses, said Geer. “Measure something, for heaven’s sake. Even if you don’t believe the number. There’s lots of things you can measure. I don’t think we can improve unless we can keep score.”
By keep tracking of the number of security incidents or the way patch management is handled between departments, a company can learn something about itself. “Simple is a beautiful thing,” said Geer. “Even if the initial scores mean nothing to you, the trend analysis will.”
Two-factor authentication is gaining some currency as a means to thwart hackers. It’s a combination approach to security involving something you know, like a password, and something you carry, like a token.
Early adopters include medical facilities and financial institutions, said Leonard.
It’s generally effective but can be unwieldy, he said. The problem is that people may have to own as many security tokens as they do passwords, meaning they could start to accumulate like keys on a keychain.
A solution, said Schmidt, would be to issue a token that’s akin to an ATM card – something that can be used in multiple locations. It would also be safer to carry around, since its value is tied to a PIN number, not the item itself.
Geer agreed that two-factor is still an imperfect process. “Two-factor is expensive, it’s hard to do right. You can easily drive up your cost of authentication systems by distributing tokens.”
It’s unlikely that SMBs will ever adopt token-based based security systems, said Leonard. By the time two-tier security filters down to small companies, other options should be available. Biometrics are a possibility, he said, and are already available for personal devices. In 2004, for example, IBM introduced a ThinkPad T42 laptop that requires a fingerprint identification. (IBM sold its PC business to China’s Lenovo later that same year.)
Stuart McIrvine, IBM’s director of corporate security strategy, said that Big Blue is a participant in the emerging two-factor security market. The company is working with corporate partners like VeriSign and RSA to develop infrastructure than can integrate the physical piece of two-factor with the network piece.
Earlier this week, IBM introduced an Express Managed Security Services package for the SMB market – a 24/7 managed Web monitoring service designed to detect suspicious network activity.
IBM PartnerWorld 2006 concluded on Wednesday.
Comment: [email protected]ess.ca