Vendor Accent
Securing the smaller enterprise
Understand that security is an investment rather than an expense, says Ray Stanton, Global Head of BT Security Practice.
It's widely recognised among the IT security community that the larger
the organisation, the higher up the agenda protecting information systems gets.
But with so many other calls on time and budget, how seriously do SMBs really
need to take their IT security? Surely there are far more attractive targets
out there whose networks are a far richer source of pickings for the criminally
minded?
SMBs tend to take a reactive approach to securing their enterprises, which
is rather unfortunate. A company takes real interest in securing the enterprise
only after it has been hacked or has suffered a security breach. What is ironic is
that although SMBs consider security one of their focus areas, the investment
that flows into it is never commensurate with the initial interest. Perhaps
this has something to do with how tangible the benefits look when
one invests in security systems.
Most SMBs seem to invest in plain anti-virus solutions and firewalls for
the desktop rather than in fully integrated security solutions for the
enterprise. However, we are already witnessing a shift in this area.
With security requirements becoming more complex, many small and medium enterprises
are lining up investments in vulnerability assessment systems, IDS and similar
tools.
If data thieves and publicity-hungry hackers were the only security threat,
then this position might be justified. Unfortunately, threats like viruses,
trojan horses and malware are indiscriminate, attacking small and large organisations
alike. And one of the biggest risks that all companies face still comes from
staff error, regardless of the size of their employer.
Furthermore, legislation is tightening up, and there is no immunity clause for
SMBs. Many smaller companies hold valuable customer and personnel information
on file, which falls under the remit of laws such as the Data Protection
and Human Rights Acts. These and other regulations place responsibility for
data security and compliance firmly in the hands of the firm's senior executives.
The fact is that in the digital networked economy, IT security is not just an
issue for the big boys.
However, there are a number of hurdles that SMBs in particular need to overcome.
First of all, information security is not a one-off deployment of technology.
It requires monitoring and updating as circumstances change, and many SMBs do
not have sufficient resources to employ a full-time IT manager, never mind someone
dedicated solely to security.
- Get senior-level buy-in by convincing them of
the benefits of having security rather than the problems of not having
it.
- Investigate outsourcing your security provision
to a third-party specialist. This can often result in a higher level
of security at a lower cost.
- Carry out a thorough risk analysis before implementing
any security measures.
- Develop a business continuity plan and
keep it updated.
- Educate your colleagues. Passwords, executable
files and downloaded malware can be some of the biggest threats for
SMBs.
- Keep all anti-virus software up-to-date.
- Install patches from all software providers.
- Take a holistic view of security. Securing your
network from intrusion is an important part of an overall security plan, but
don't stop there. You should develop a comprehensive strategy that
takes into account issues such as network vulnerability, access control
and user security profile management, secure communication and data
privacy, electronic record retention and retrieval, and overall security
policies and planning within your enterprise.
- Don't bury the organisation under endless
security measures; a little can go a long way.
- Don't forget that security measures help
with corporate governance compliance, and that the law applies as much
to SMBs as to larger organisations.
- Don't forget that adequate security can
enhance your reputation and grow your business.
Secondly, security is often seen as a prohibitively expensive cost centre,
and one that will remove all flexibility from the company. This perception is
made more acute by the third issue that SMBs face: the overwhelming volume
of security products, vendors and advisors now fighting for their business.
So where to start? The first job is to convince the board that security needs
to be a priority. Statistics from the DTI's most recent information breaches
survey may persuade senior managers: three-quarters of all British businesses
suffered a security breach last year; the average company had one breach a month;
and the average cost of a small business's worst breach was £10,000.
More effective is demonstrating that security is an investment rather than an
expense. The right security measures enable organisations to fully reap the
benefits of mobile working. They enable stronger, deeper relationships with
customers and partners. In the digital networked economy, good defences enhance
brand, reputation and trading ability.
Security does not have to be as expensive as many imagine. It's not about
creating a virtual Fort Knox. Instead, it is about carefully assessing risks
and providing an appropriate response. Iris scanning and fingerprints sound
very exciting, but you may only need passwords that are implemented and used
effectively. An interesting trend is that many SMBs are
implementing Wi-Fi-based security solutions. Though these are not difficult to implement,
organisations face the challenge of integrating their often cluttered Wi-Fi
networks in a way that actually improves the company's security. Installations
based on SES (SecureEasySetup), a standards-based protocol that is compatible
with any Wi-Fi-certified device, are increasingly finding favour with
small and medium enterprises. With SES, users push either a hardware-based or
software-based SES button on a client device, which negotiates a secure, encrypted
tunnel between the access point and the client device.
A risk-based approach will generate a different list of priorities for each
organisation. However, there is a basic minimum that all companies should have.
Firstly, as viruses still represent a major threat for all organisations, any
business that has an Internet connection needs a regularly updated anti-virus
solution and firewall protection.
Business continuity is the second must-have for SMBs as it enables compliance
with certain corporate governance regulations. More than that, it enhances reputation
and keeps the company in line for contracts where responsibility for business
continuity cascades down the supply chain.
A recent study by Britain's Business Continuity Institute found
that 80 percent of organisations which suffered a critical data loss went out
of business within 13 months. Even before the Sarbanes-Oxley Act came into effect
in 2004, five Wall Street firms had been fined a total of $8.25 million for
violating SEC rules that require business-related e-mail to be preserved
for three years.
Finally, establishing effective security policies and holding regular training
sessions can protect against the weakest link of all: people. Preventing
staff from opening unrecognised e-mail attachments, or stopping them from leaving
their passwords taped to the monitor, can be two of the most cost-effective
security measures around.
But if all this sounds too much for the average SMB to deal with in-house, a
selection of security vendors have developed managed security services that
are specifically designed for smaller organisations.
The author may be contacted at ray.stanton@bt.com