Budget issues: The SMB dilemma

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.scmagazine.com//budget-issues-the-smb-dilemma/article/334570/

Companies with fewer than 500 employees are used to running lean
operations. And, in most sectors, operations have only gotten leaner since
2008. Chances are, online security has not been a leading area of new
investment, underpinned by the justification that digital criminals are
only looking for the big score.

That kind of thinking can have its own implications for the bottom line,
according to industry observers, to say nothing of seriously negative
impacts on the reputation of small- and midsized businesses (SMBs) and
their relationship with customers whose information has been compromised.

"The days of SMBs flying under the radar are over," says Steve Schlarman,
GRC strategist with RSA, the security division of Hopkinton, Mass.-based
EMC.

"In this environment, you have to assume you are being attacked," says
Ashley Stephenson, CEO of Corero Network Security in Hudson, Mass. "SMBs
could be under attack without knowing it, or that slow response time on
their website might mean that they are being used for a reflective attack
on someone else."

He says that security is still nothing more than an afterthought for too
many companies. "A lot of companies are just not ready," he says. "It's not
an issue, unless you know you've been attacked."

And then, for many it's too late - extra costs to restore service are
incurred, and customer trust is lost.

Many SMBs never recover, says Jeff Davis, vice president of engineering at
Quarri Technologies in Austin, Texas, and the damage is not limited to
companies which have never invested in security, either. Some of those
struggling to recover, or still blithely doing business in denial, made
initial investments in security technology, but have not continued to
invest to stay current.

"SMBs are losing ground [to attackers] because every year there is more
stuff in the cloud and more types of devices accessing their networks,"
says Davis.

Andy Hubbard (right), senior security consultant at Chicago's Neohapsis,
which focuses on mobile and cloud security services, says a
'set-it-and-forget-it' attitude pervades a lot of smaller organizations.
"The majority of the IT spend is on equipment," he says. "Meanwhile, we see
a lot of 10-year-old policies and procedures still in place, and an overall
lack of security management."

There is consensus that the worst mistakes that can be made are not
understanding the full extent of digital assets, which might include
anything from critical intellectual property to human resource records, and
not knowing exactly where things reside on a network.

"Someone in every organization needs to know the overall landscape,
determine what's at risk and develop a strategy to protect it," says Davis.

He and others recommend making a member of the senior management team
responsible, and ensuring there is funding to put safeguards in place.

"Fundamental change occurs when your IT people report to the CFO," says
Eric Chiu, president and co-founder of Mountain View, Calif.-based HyTrust.
He says that IT departments are adept at looking for faster and cheaper
ways of getting a job done, something that resonates when the issue of
limited resources rules strategic planning.

"That mindset has to change," says Chiu, adding that security does not need
to be costly if companies implement strategies to safeguard essential data.
Frequently, solutions can be scaled to suit the size and budget of
organizations, and data and systems can be prioritized based on how
critical they are to the company and its stakeholders.

"You need to take a holistic approach," he says. "Look at everything,
assume that an attacker is already on your network and monitor all your
activity."

As he considers the prescriptive approach for SMBs, "holistic" is the word
that RSA's Schlarman also applies. "Understanding how data gets handled is
the key," he says. "It's easier to start with the physical network and its
entry points. That makes it easier to think about the virtual realm."

He adds that thinking like the enemy does not hurt, either, recommending
that organizations consider the worst things that could happen and ask
questions about where the security holes are.

"The bad guys are good at identifying those holes, so if you're only
focused on keeping the hordes of barbarians from the front door, the ninjas
can still be crawling in your windows."

It sounds like the ultimate no-brainer, says Kristine Briggs, Neohapsis'
vice president of operations, "but writing down everything concerning your
security risks and your potential response helps. Write it down, and really
discuss it seriously. If senior management and other parts of your company
are on a different page, it's a problem."

"I don't think companies should ever contract out their security strategy,"
she says. "And, regardless of what you decide to outsource, you have to
really apply due diligence. Even with the largest vendors, you can't make
assumptions that you're being protected adequately."

Eric Chiu agrees. "Fundamentally, you should keep security as an internal
function," he says. "Outsourcing will always be your least-cost option, but
you lose your oversight. A lot of suppliers will have no idea if you've
been attacked."

And, no matter how good they are, vendors can't think of everything, says
Schlarman. "Someone has to connect the dots among all the assets in your
network, and that should be you."

Only those actually running a business can grasp the true nature of what
could be at risk if a DDoS or other type of attack is successful. What
would the cost be in terms of reputation, service interruption or fraud?
Schlarman says that while SMBs can outsource some things, someone inside
the organization -- someone with fiscal responsibility -- must have oversight.

"If you do outsource, you have to really pay attention to your service
level agreements," he says. "Vendors can't, and won't think of everything.
When the cost of failure is this high, you can't afford to give up
accountability."

Well-run SMBs know how to balance control and outsourcing, concludes
Corero's Stephenson. "You have to know your own business and have total
oversight. Only after you're in that position can you really assess your
risks, understand the threats and be proactive about your security."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!