It’s hard to keep track of the latest cyber-space threats, but that doesn’t mean you have to blindly throw more money into security. You may just require more knowledge, or to change some of your company policies.
But becoming smarter about security should start with determining risks specific to your organization and making employees aware of what they should and shouldn’t be doing. It doesn’t have to cost you an arm and a leg.
While most SMBs are aware of viruses and spam, newer threats include spyware (which covertly gathers user information), worms (which exploit software vulnerabilities) and bots (automated software that accesses and travels throughout a Web site). Phishing and pharming lure people into disclosing information such as passwords or credit card numbers through bogus e-mail messages. Spear phishing, the latest form, is much targeted — for example, it appears to come from the user’s company HR or IT department.
Security threats are becoming increasingly sophisticated and harder to detect. In many cases, employees are the weakest link, so your approach to security should include security awareness training for employees. Just throwing a firewall up isn’t going to cut it anymore.
The No. 1 threat is loss of data, such as intellectual property or client information, says James Quin, senior research analyst with London, Ont.-based Info-Tech Research Group. The easiest way to address any kind of security issue is through employee education and adherence to clear and established policies. But most SMBs don’t bother with one. Instead, they may put tools in place without fully understanding what they’re trying to protect.
Working with an expert in the field is one option, and though it may cost more up front, it could save you money down the road. These days, security audits are affordable for SMBs, Quin says, but it’s always better to have one performed by a third party, since others may have a vested interest in a certain outcome.
A new trend is the consolidation of security tools into unified threat devices providing firewall, intrusion detection, anti-virus and anti-spam tools all in one box, so you only have to maintain one tool. There’s no point having security tools if you don’t keep them up to date, says Quin. An all-in-one solution may not give you the five very best tools, but it’s better to have a second- or third-tier solution that’s up to date than a first-tier solution that’s not.
Many SMBs set up only one layer of security and think they’re safe, but that layer doesn’t protect them from other threats, such as spyware, says Claudiu Popa, president of Toronto’s Informatica Corp., which provides its Verify SnapShot security audit for SMBs. Rootkits, for example, provide a back door for hackers into a company’s network to collect information such as passwords and messaging traffic. They’re difficult to detect and they mask the fact that the system is compromised.
Another concern is anything that propagates across e-mail. Phishing expeditions, for example, are now being targeted at smaller firms, which may not be aware of what phishing actually is. “Lack of training is really a threat in itself because they’re not keeping up with emerging issues,” says Popa. A security audit can help you figure out what your risks are and how to maximize your security dollars, as opposed to relying on an out-of-the-box solution you hope will be pre-configured for your requirements.
Small businesses should also be concerned about unsecured connections to the network through virtual private networks (VPNs), says Alfred Huger, senior director of development with Symantec Security Response, where employees take their computer home and bring their dirty laundry back into the office. Make sure you have client security on any system employees might use to access the VPN.
Also, be cautious with Web hosting, whether hosting your own site or having an Internet service provider (ISP) host it for you, since malicious software can spread over Web sites. “Often that’s done by breaking into the Web site to place the malicious software there, so your site can become an unwitting hosting site and you don’t even know it,” Huger says. Make sure whomever you’re hosting with has stringent security policies; if you’re hosting it yourself, comb over that piece of your infrastructure for any vulnerabilities.
One of the biggest challenges SMBs face is keeping track of software vulnerabilities. “It’s like drinking from a fire hose,” says Huger. Consider a service that alerts you of any vulnerabilities in your software, but make sure that service provides alerts specific to your organization so you’re not bombarded with information.
Most importantly, keep your employees up-to-date to prevent them from becoming the weakest link. That won’t cost you a penny.
Contact the editor