For many small and midsize businesses, neglecting IT security is a thing of the past, reports Angela Moscaritolo.
For the four-person IT staff at Arc Greater Twin Cities, information security is just one element of the job, but the nonprofit would be nothing without it.
“Our only real currency in the world is our reputation, and if you are breached, your reputation goes down the tank and that’s your business,” says Paul Harder, director of technology at Saint Paul, Minn.-area Arc, which provides support services to individuals with intellectual and developmental disabilities. “Our primary concern is the protection of data.”
And a lot of sensitive data there is. For starters, there’s credit card information. As a self-funded nonprofit with about 430 employees, much of the organization’s income comes from its retail business – a line of thrift stores and donation centers – called Arc’s Value Village – where shoppers can buy anything from a pair of vintage high heels to a solid brass beer stein. And then there’s an ever-growing trove of personal data – including medical diagnoses, prescription information and financial records for many of the 6,300 individuals Arc serves.
From an information security perspective, Arc is no different than any other business. Organizations of all types and sizes must be on high alert for malware and phishing attacks and counter additional data leakage threats posed by social media, mobile devices and malicious insiders. For small and midsize businesses (SMBs) – organizations with fewer than 500 employees – many of those challenges are compounded by tight budgets, thin workforces and a lack of in-house information security expertise.
But despite the daunting challenges they face, SMBs are beginning to outgrow their old reputation of neglecting IT security. While these entities in the past often failed to implement the most basic safeguards, they are now becoming focused on protecting sensitive data, according to a global SMB information protection survey released last June by Symantec.
The survey of 2,152 SMB executives and IT decision-makers in 28 countries found that 74 percent of respondents are “somewhat or extremely” concerned about losing electronic information.
Industry rules and regulations, such as those applying to health care, financial services and power companies, have forced many SMBs to build up their security ecosystems, says Michelle Dickman (left), CEO of TriGeo, a security solutions provider that caters to the small and midsize sector. In the retail vertical, the Payment Card Industry Data Security Standard (PCI DSS), which applies to any merchant that processes, stores or transmits credit card information, has prompted some SMBs to address security.
Even so, PCI DSS compliance rates among SMBs remain low, according to a survey released in January by the National Retail Federation, a trade association representing 1.6 million U.S. companies. In the survey of 651 SMBs, just 49 percent of respondents said they have completed a PCI DSS self-assessment, even though 74 percent were aware of the requirements.
Moreover, those outside the regulated industries – such as manufacturing firms – have been even slower to embrace security, Dickman says.
“These folks say, ‘My management won’t cough up money until we have a reason – a breach or regulation requiring it,’” says Dickman.
Gaining upper-level support for security often proves difficult for those in regulated industries as well, Dickman says. IT professionals know that PCI DSS and other rules mandate only a minimum level of security, but their bosses often choose to allocate funds for the least expensive product that ensures compliance. While this trend has held steady for years, it is, to the delight of security advocates, beginning to wane as some higher-ups realize the importance of going above and beyond what is required.
Frequent headlines trumpeting the fact that cybercrooks are draining small-business bank accounts are certainly increasing awareness that the bad guys are targeting everyone, regardless of size, Dickman says.
Back in Minnesota, Arc Greater Twin Cities is an example of one of those entities going above and beyond what is mandated. After coming on board in 1999 to head up the IT department, Harder says his team first built up the network infrastructure and then started looking at ways to protect it.
“This might have been the right or the wrong way, but it was the only way we could go because of the financial constraints we were under,” he says.
Fast forward to today, and Arc still has a tight budget. To remain in good standing as a partner of the United Way, no less than 70 percent of a nonprofit’s budget must go toward the people it serves, leaving just 30 percent for all administrative needs. But that hasn’t prevented the organization from becoming PCI DSS compliant, Harder says.
Finding the funding to accomplish all of their security initiatives, including PCI, is difficult, Harder says. The organization can only take on one major security project a year, so planning is imperative. Plus, Harder calls himself a “ruthless negotiator” with vendors and often stresses that because Arc is a charity, donations could have tax advantages for them.
“A dedicated organization with a dedicated professional technologist can do wonders with little money,” he says. “The most difficult part for any nonprofit is to sell the concepts to their leadership.” To overcome that challenge, Harder says to “educate, educate, educate.”Also, because Arc maintains some extremely sensitive personal health information – such as medical diagnosis and prescription data – the organization has adopted protections mandated by the Health Insurance Portability and Accountability Act (HIPAA), a set of guidelines for working with patient health data. HIPAA typically applies to health care organizations, including counselors, therapists and other providers that transmit electronic billing information to health insurance companies.
“We are not a traditional HIPAA-covered organization,” Harder says. “But we treat our organization as if HIPAA were required.”
Yet Harder admits that his organization’s security posture was not always this strong. Several years ago, the IT team deployed a host of layered defenses, but had no way of knowing what was going on inside the network, Harder says. If something “weird” was going on, they had to manually figure out what the problem was. So, Harder began looking for ways to automatically discover anomalous behavior within the traffic.
The company purchased a security information and event management (SIEM) product from TriGeo for around $30,000, an investment that Harder believes was well worth the price. “It allowed us to automate what we were attempting to do manually and, to be honest, what we weren’t doing well from a management perspective,” he says.
SIEM technologies are used to store and analyze log data generated by the various security products running on an organization’s network. In Arc’s case, the SIEM solution provides real-time visibility and allows the IT team to easily investigate suspicious behavior and policy violations.
In fact, soon after deploying the SIEM, Harder was able to use intelligence it provided to stop an attack. While walking past the data center where the SIEM console was up on a monitor, Harder noticed a huge amount of port scans coming from a single IP address. Cybercriminals often employ a technique called “port scanning” to discover weak access points that will provide an entryway into a computer.
Researching the attacking IP address, Harder discovered it belonged to a legitimate company in Oregon. One of that company’s machines had been compromised and was being used to probe computers at Arc. Harder called the company, and within five minutes after the phone call, the port scans stopped.
Another time, Harder caught a malicious insider attempting to copy Social Security numbers to a flash drive, he says. Arc employees are allowed to use external memory devices, but company policy prohibits personal information from being taken offsite.
The SIEM product detected the insertion of the USB memory device and alerted Arc’s IT team that the device was plugged in. A separate endpoint security product allowed the team to see what type of data was loaded on the device. Needless to say, the perpetrator didn’t even make it out the door before being caught.
“People use USB devices all the time on our network,” he says “If someone’s just listening to music, we don’t discourage that, but we always take a look to see if there is any data flow.”
“Point solutions today are pointless…”
– Dave Meizlik, director of product marketing and communications at Websense
From malicious insiders to external cyberthieves, SMBs today are facing many of the same threats as their enterprise counterparts. The good news, though, is that many understand the importance of protecting sensitive information and so IT security endeavors are becoming a top priority.
And, with the economy showing signs of improvement, SMB IT budgets are expected to grow this year, according to a survey, released in February by research firm Gartner, of more than 1,000 respondents in 11 countries. SMBs are expected to spend $3.6 trillion on IT investments this year, a five percent increase compared to 2010, the survey found.
Some security technology investments were stalled due to the recession, so many SMBs will need to upgrade firewalls, virtual private network (VPN) products and other security appliances this year, according to Gartner.
As for software, security is the top priority for SMBs in 2011, with many organizations investing in updated anti-virus, anti-spyware, email, URL filtering and identity and access management products. Due to cost constraints, many SMBs are demanding multifunction security software solutions.
“Point solutions today are pointless,” says Dave Meizlik (right), director of product marketing and communications at web security firm Websense. “They often require a physical box for every type of security, and you have to replicate that infrastructure at every branch office.”
Some SMBs, meanwhile, are opting for cloud or managed security service provider (MSSP) models, in which organizations don’t need to maintain technology on their own servers and can outsource the responsibility, experts say. Such options could save businesses money and provide a high level of security, says Lawrence Pingree, research director of data center transformation and security at Gartner.
In addition to product and service investments, experts say that user education is one of the most important steps toward strengthening security. If organizations haven’t already done so, they must develop security guidelines and educate employees about best practices, such as regularly changing passwords and being cautious when downloading mobile applications to their smartphones.
Staying up-to-date about threats and ways to stop them is also key, Harder says. “You have to educate yourself of the potential capabilities of different security products and understand what value it could bring to your organization, and educate the people above you,” he says.