The catch-phrase “wearing many hats” only begins to convey the challenges faced by IT security professionals charged with overseeing network systems and informational assets at small-to-medium-sized enterprises (SMEs).
Yes, they handle multiple jobs, unlike many of their counterparts at larger enterprises. But that's not the only difference between the two environments.
The staff at smaller enterprises can, for instance, find themselves dealing with unsophisticated users who simply refuse to grasp the importance of security. These employees can often continue to do ill-informed things even after downloading malicious software. And the beleagured IT staff can't find easy-to-deploy products suitable for semi-technical personnel.
And don't get SME IT pros talking about their relationships with the big security vendors. It often just doesn't exist. No, working in an SME's security department isn't for the faint of heart.
Consider the case of Jose Cruz, the network administrator at Nanette Lepore, a New York City-based women's fashion designer/manufacturer. Among his other network tasks, Cruz was challenged with placating potential investors who were worried about protecting the intellectual property at his couture chain. His response was to embed security into the mindset of the company's workers while restructuring the network they use.
When Cruz joined Nanette Lepore in February 2007, the company's networking infrastructure was a real mess, he says.
“The firewalls were consumer-grade at best, and some databases with product designs had public IP addresses and were wide open to the world,” he says.
Moreover, the company's employees could log onto virtually any resource they wanted without authorization. That level of employee access worked when the company was under the radar and relatively unknown, Cruz says. But after a group of investors showed interest in helping the company expand outside of its New York City headquarters, the investors wanted to see stronger security in place, he explains.
For Cruz, that meant rebuilding the network at every level on an OSI (open systems interconnection) model. This included installing switches and routers and a variety of security products from SonicWALL, as well as deploying Active Directory for authenticating both Macintosh and PC users, he says. It also meant convincing the company's employees that securing data on file servers and authenticating themselves was critical to succeeding in the competitive fashion industry.
Cruz eased the company's 100 employees into a security mindset by first migrating the network from a POP3-based email system to an Exchange Server that required users to login.
“They got used to it, and having collaboration and the ability to setup appointments was a plus for them,” he says.
Still, Cruz's main security challenge was putting policies in place, he confides.
“Some would say that is simple, but it's not when you had nothing to begin with and you're working with people who've never done it before,” he says.
Who are you?
Just acquiring enterprise-level security products can be a challenge for SMEs, according to George Betancourt, the IT and lead security official at Payformance Corp. His 125-employee company provides online payment/settlement services – via the application service provider (ASP) model – to health insurance companies and health care providers.
“We don't have the name recognition that some of the large companies have. We find we have to setup strong partnerships with resellers.”
Value-added resellers (VARs) – such as Insight.com and Acquity – benefit the Jacksonville, Fla.-based company in several ways, Betancourt says. “They can be advocates for us and tell us, ‘here is the right product right now',” he explains.
Resellers also help Payformance's security staff setup product demonstrations with the major security vendors, and get good products in the door at reasonable prices, he says.
“It all comes down to money. The big companies do not make much of a profit on the small number of licenses sold to SMEs,” he says.
Finding security products appropriate for an SME is one of the main issues facing Aaron Laskowski, a senior systems engineer with Aegis Soft, a developer of an equity options trading software for financial companies. He says he must scour the market for security products that he and his team of network administrators can use at the 100-employee company without dealing with major deployment and operational problems.
“Many of the products that large enterprises use don't apply to small companies. They have advanced systems for compliance monitoring and Federal Trade Commission regulations that do not apply to our business,” he says.
He points to the typical enterprise-class firewall. The task of creating complex firewall rules, as well as maintaining and monitoring logs to check for security violations or breaches, are all too time-consuming for a one- or two-person staff.
As a result, Laskowski buys low-cost, turnkey security solutions, such as those from McAfee, Symantec and GFi.
As marketers of software products, Aegis's employees include software developers who want to do what they please on the network, says Laskowski. That means they often need network administrator privileges so that they can download and install a wide range of software, which is usually prohibited in most larger enterprise environments.
Laskowski handles this conflict in two ways. One is to regulate inbound and outbound email, he says. He also restricts access to internal and external resources, and relies on effective monitoring to see what's going on and respond as necessary.In addition, he limits developer access to some websites via proxy servers.
“We restrict access to certain websites that are bandwidth hogs or virus-laden, that sort of thing,” he says.
Like Nanette Lepore's Cruz, Laskowski has also dealt with employee resistance to migrating from an unstructured environment to a secured infrastructure. The key here, he says, is working with the management of business units to develop new procedures and regulations.
Employees want to do what they've always done when it comes to accessing resources on the network, he says. “But if you work with management, securing the company is doable,” he says.
To meet regulatory requirements mandated by the Health Information Privacy and Portability Act (HIPAA), Acuity, a VAR, steered George Betancourt, the IT and lead security official at Payformance Corp., to take a look at PGP's disk encryption products to protect patients' private data stored on laptops.
“We don't want to take a risk of losing patient data. With PGP's disk encryption software in place, should anyone on the staff lose a laptop, we don't have to worry about it,” Betancourt says.
Acuity has also been instrumental in Payformance deploying several other security products, Betancourt says. These include a VPN for remote access and RSA's SecureID tokens for two-factor authentication into the VPN. – Jim Carr