
Budget issues: The SMB dilemma

Small and midsized businesses are not exempt from cyber attack, reports James Hale.

Companies with fewer than 500 employees are used to running lean operations. And, in most sectors, operations have only gotten leaner since 2008. Chances are, online security has not been a leading area of new investment, underpinned by the justification that digital criminals are only looking for the big score.

That kind of thinking can have its own implications for the bottom line, according to industry observers, to say nothing of seriously negative impacts on the reputation of small- and midsized businesses (SMBs) and their relationship with customers whose information has been compromised.

“The days of SMBs flying under the radar are over,” says Steve Schlarman, GRC strategist with RSA, the security division of Hopkinton, Mass.-based EMC.

“In this environment, you have to assume you are being attacked,” says Ashley Stephenson, CEO of Corero Network Security in Hudson, Mass. “SMBs could be under attack without knowing it, or that slow response time on their website might mean that they are being used for a reflective attack on someone else.”

He says that security is still nothing more than an afterthought for too many companies. “A lot of companies are just not ready,” he says. “It's not an issue, unless you know you've been attacked.”

And then, for many it's too late – extra costs to restore service are incurred, and customer trust is lost.

Many SMBs never recover, says Jeff Davis, vice president of engineering at Quarri Technologies in Austin, Texas, and the damage is not limited to companies which have never invested in security, either. Some of those struggling to recover, or still blithely doing business in denial, made initial investments in security technology, but have not continued to invest to stay current.

“SMBs are losing ground [to attackers] because every year there is more stuff in the cloud and more types of devices accessing their networks,” says Davis.

Andy Hubbard, senior security consultant at Chicago's Neohapsis, which focuses on mobile and cloud security services, says a ‘set-it-and-forget-it’ attitude pervades a lot of smaller organizations. “The majority of the IT spend is on equipment,” he says. “Meanwhile, we see a lot of 10-year-old policies and procedures still in place, and an overall lack of security management.”

There is consensus that the worst mistakes that can be made are not understanding the full extent of digital assets, which might include anything from critical intellectual property to human resource records, and not knowing exactly where things reside on a network.

“Someone in every organization needs to know the overall landscape, determine what's at risk and develop a strategy to protect it,” says Davis.

TIPS FOR SMBs: Batten down

When it comes to assuring a security profile for SMBs, Kristine Briggs, Neohapsis' vice president of operations, preaches four key principles:

  1. Understand your risk tolerance and create a written security strategy;
  2. Create a great security team and focus on continuous improvement;
  3. Develop an easy-to-understand risk management framework and share it throughout your company; and
  4. Determine the essential elements within your security budget.

“The last one depends on what kind of company you are,” she says. “But there are always some ‘must haves’ like spam control, network segmentation, anti-spyware, and overall security awareness.”

He and others recommend making a member of the senior management team responsible, and ensuring there is funding to put safeguards in place.

“Fundamental change occurs when your IT people report to the CFO,” says Eric Chiu, president and co-founder of Mountain View, Calif.-based HyTrust. He says that IT departments are adept at looking for faster and cheaper ways of getting a job done, something that resonates when the issue of limited resources rules strategic planning.

“That mindset has to change,” says Chiu, adding that security does not need to be costly if companies implement strategies to safeguard essential data. Frequently, solutions can be scaled to suit the size and budget of organizations, and data and systems can be prioritized based on how critical they are to the company and its stakeholders.

“You need to take a holistic approach,” he says. “Look at everything, assume that an attacker is already on your network and monitor all your activity.”

As he considers the prescriptive approach for SMBs, “holistic” is the word that RSA's Schlarman also applies. “Understanding how data gets handled is the key,” he says. “It's easier to start with the physical network and its entry points. That makes it easier to think about the virtual realm.”

He adds that thinking like the enemy does not hurt, either, recommending that organizations consider the worst things that could happen and ask questions about where the security holes are.

“The bad guys are good at identifying those holes, so if you're only focused on keeping the hordes of barbarians from the front door, the ninjas can still be crawling in your windows.”

It sounds like the ultimate no-brainer, says Briggs, “but writing down everything concerning your security risks and your potential response helps. Write it down, and really discuss it seriously. If senior management and other parts of your company are on a different page, it's a problem.”

“I don't think companies should ever contract out their security strategy,” she says. “And, regardless of what you decide to outsource, you have to really apply due diligence. Even with the largest vendors, you can't make assumptions that you're being protected adequately.”

Eric Chiu agrees. “Fundamentally, you should keep security as an internal function,” he says. “Outsourcing will always be your least-cost option, but you lose your oversight. A lot of suppliers will have no idea if you've been attacked.”

And, no matter how good they are, vendors can't think of everything, says Schlarman. “Someone has to connect the dots among all the assets in your network, and that should be you.”

Only those actually running a business can grasp the true nature of what could be at risk if a DDoS or other type of attack is successful. What would the cost be in terms of reputation, service interruption or fraud? Schlarman says that while SMBs can outsource some things, someone inside the organization — someone with fiscal responsibility — must have oversight.

“If you do outsource, you have to really pay attention to your service level agreements,” he says. “Vendors can't, and won't think of everything. When the cost of failure is this high, you can't afford to give up accountability.”

Well-run SMBs know how to balance control and outsourcing, concludes Corero's Stephenson. “You have to know your own business and have total oversight. Only after you're in that position can you really assess your risks, understand the threats and be proactive about your security.”
