Three security gurus speaking at IBM’s PartnerWorld 2006 conference said smaller businesses may actually be a more likely target than, say, IBM.
The reason, said Howard Schmidt, president and CEO of R&H Security Consulting LLC, is that password management is a challenge for small companies.
The fact that they often use the same login names and passwords for multiple online accounts could be ammunition to hack the larger targets that partner with SMBs. In other words, if one login can be hacked, the rest would topple like dominoes, said Schmidt.
Before joining Issaquah, Wash.-based R&H, Schmidt was chief cyber-security advisor for the White House, chief information security officer for eBay and co-founded Microsoft’s Trustworthy Computer Security Strategies Group.
Hacking an SMB doesn’t afford a hacker the same level of financial gain or infamy as a large target, said Matt Leonard, an erstwhile IBMer, now a fellow at the Ponemon Institute, a Michigan-based research firm. “But you can’t afford, as a small business, to take as many risks.”
SMBs may have to rely more on automated security solutions than their larger counterparts, said Leonard, because they often don’t have enough personnel to manage security effectively.
A problem large and small businesses face is that they are looking for perfect security solutions, said Dan Geer, vice-president and chief scientist at Verdasys, a security vendor based in Waltham, Mass. It is better to implement what you have rather than be frozen by indecision, said Geer, who also led the development arm of MIT’s Project Athena and has consulted for the U.S. Department of Defense.
Keeping a record of security procedures is a good way to start, especially for small business.
“Measure something, for heaven’s sake,” said Geer. “Even if you don’t believe the number. There’s lots of things you can measure. I don’t think we can improve unless we can keep score.”
By tracking the number of security incidents or the way patch management is handled among departments, a company can learn something about itself.
“Simple is a beautiful thing,” said Geer. “Even if the initial scores mean nothing to you, the trend analysis will.”
Two-factor authentication is gaining some currency as a means to thwart hackers. It’s a combination approach to security involving something you know, such as a password, and something you carry, like a token.
Early adopters include medical facilities and financial institutions, said Leonard.
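To make the "something you know plus something you carry" combination concrete, the following is an added example written for this page; it is not code from the article or from any of the speakers or companies named. It assumes the knowledge factor is a salted PBKDF2 password hash and the carried token is a time-based one-time code per RFC 6238 (HMAC-SHA1 over a 30-second counter), which the article does not specify; the shared secret is the RFC test-vector secret so the codes can be checked against the published values, and the password and record are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # work factor; a constructed choice for this example


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Factor 1 (something you know): store a salted PBKDF2 digest, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, record["digest"])


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Factor 2 (something you carry): RFC 6238 TOTP, HMAC-SHA1 over the time counter."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift on the token."""
    for skew in range(-window, window + 1):
        expected = totp(secret, unix_time + skew * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def two_factor_login(password: str, code: str, record: dict, unix_time: int) -> bool:
    """Both factors must pass; both are evaluated so a failure does not reveal which was wrong."""
    pw_ok = verify_password(password, record)
    otp_ok = verify_totp(record["totp_secret"], code, unix_time)
    return pw_ok and otp_ok


# Constructed demo record. The TOTP secret is the RFC 6238 test secret (ASCII
# "12345678901234567890") so codes match the published vectors; a real deployment
# generates a random per-user secret and provisions it to the token.
DEMO_TOTP_SECRET = b"12345678901234567890"
DEMO_RECORD = dict(hash_password("correct horse battery staple"), totp_secret=DEMO_TOTP_SECRET)

if __name__ == "__main__":
    now = 59  # RFC 6238 vector: counter 1 -> code 287082
    print("code at T=59:", totp(DEMO_TOTP_SECRET, now))
    print("login ok:", two_factor_login("correct horse battery staple", "287082", DEMO_RECORD, now))
```

The point of the second factor for the password-reuse problem Schmidt describes is that a password leaked from one account is not enough on its own: without the current code from the carried token, `two_factor_login` fails even when `verify_password` succeeds.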