Tech for Small Business

by Amy Hengst

Information security doesn’t have to be a burden that diverts a company’s resources away from its core business. The best security strategy involves integrating protection into company policies, systems, and plans rather than patching products into the network as an afterthought.

Businesses are often talked into buying more than they need, said Adam Hils, a Principal Analyst for Small Business Security at Gartner Research. Companies should start by analyzing their risks before looking at products and services, he said.

“There’s no cookie-cutter solution,” he said. “What companies need depends on their experience, their need for control, and their sensitivity to the costs.”

Security is about risk management, according to Hils. Each company faces a unique set of risks based on the kinds of business they perform online, how confidential their information needs to be, and how high-profile their clients are. To determine what security they need, businesses should consider how much they stand to lose if they are attacked, he said.

Mitigating the Risks

Most companies are familiar with some of the costs of a security breach, such as lost productivity and revenue. But that's just the tip of the iceberg. Other implications can include legal fees, bad press, and the cost of applying new security fixes.

Small businesses are targeted by hackers as much as enterprise-level firms are, yet the cost to the smaller organization can be much greater, said Rand Wacker, a senior group product manager at IronPort Systems, a firm based in San Bruno, Calif., that provides email and web security solutions.

A recent study by Infonetics, a market research firm specializing in networking and telecommunications based in Campbell, Calif., found that large businesses that lost vital information from a hack suffered more in lost productivity time than in revenue, and they were better able to absorb the costs of fixing such a problem. The smaller businesses, in contrast, took an equal hit in terms of productivity and revenue.

“Small businesses competing in the same verticals as enterprises are under the same business pressures — they just have to accomplish something with no resources,” said Hils. “Buying security becomes a huge deal for them.”

Hils recommends that small businesses hire a security consultant who can spend a day or two assessing the organization’s risks, writing a policy for employees, and determining what kinds of products or services the company should purchase. (For a list of CSBEF-certified consultants across California, see our service provider listings.)

It might sound expensive to hire a consultant up front, but having this expert guidance can save businesses from paying higher subscription fees for solutions later on, Hils advised. “Spend now or spend later,” he said.

Companies can easily be overwhelmed by the options available and end up making uninformed decisions, Hils said.

This can happen even when a company does careful research. Hils warns that much of the information available online in white papers or journals is written by vendors who have a stake in sales. Sifting through the sales pitches can be a challenge and leave readers with erroneous information.

Protecting the Network Perimeter

Most companies will start their security strategy by thinking about how to protect the entrance to the network using the following kinds of solutions.

  • Firewalls: Like a guard at a city gate, a firewall scans the traffic coming into the network and blocks certain threats, for example, traffic coming from suspect sources. Since email and Internet pathways have to be left open, firewalls alone aren’t enough protection.
  • Anti-virus software: Most anti-virus software consists of a list of threats that vendors already know about. The software scans incoming traffic and blocks anything that matches the list of threats. If an unknown virus comes into the network, most anti-virus solutions won’t be able to block it. So anti-virus is a key protection but also isn’t enough on its own.
  • Spam filters: Spam (unwanted email) in itself isn't a security issue, but the problem is that these unwanted emails sometimes contain attachments with viruses.
  • Intrusion detection or prevention services: Intrusion detection services try to accomplish more than firewalls and anti-virus scanners because they use behavioral methods for detecting threats. This means that they analyze the composition and actions of existing threats and block other things that seem similar. In effect, these systems learn as they go. However, there’s some debate about how effective they are.

When possible, businesses should purchase a solution that integrates these functions, said Hils. Gartner predicts that by 2010, 90 percent of small businesses will be using security products that do more than just one thing.

How to Implement Perimeter Security

Companies have a few options for approaching these perimeter solutions, said John Vechi, a director of product marketing for network security at McAfee.

  • Subscribe to an online service: An online service filters email before it enters the company's network but provides fewer options for customizing the configurations, less insight into the traffic, and less control than an in-house solution.
  • Use a managed service: A vendor can be hired to install, configure, and maintain a dedicated security appliance in house. The appliance would be a box that sits alongside the company's servers and works with them to filter the traffic. For companies concerned about trusting an online third-party vendor with their information and who don’t want the hassle of doing it themselves, a managed solution might be most appropriate.
  • Do it yourself: Companies can also hire a part-time or full-time computer professional who can perform the research, installation, and maintenance in house. For larger businesses, this is the way to go, because it provides the most control.

Vechi suggested that companies choose offerings from a single vendor or perhaps two. Some products are also available as managed services, he said. “Deploy one total solution for the desktop and the perimeter,” he said.

The vendors agree that security should be affordable and easy to use for companies that have little experience in technology. “If it’s not easy to use, it’s not worth your time,” said Kevin Murray, a product manager at Symantec Corporation, based in Silicon Valley.

The range of vendors offering gateway tools is increasing. In addition to the big security vendors like McAfee and Symantec, many Internet service providers offer their own packages on a subscription basis. Hils said that some retailers may begin offering these services.

Just a few weeks ago, Google also announced a new line of security services for businesses, with its basic package starting at a record low price of $3 per user per year. Gartner predicts that these new low-cost offerings may drive down prices in the rest of the market.

Email and Internet Usage Policies

Companies also need to protect against threats from within their own walls in the form of employees who aren’t careful enough.

Companies can mitigate these threats by writing a simple email and Internet use security policy that describes how often administrators should install updates, what kinds of Internet access are restricted, and what types of emails employees should avoid opening. All employees should read, sign, and retain copies of the policy. Having a policy will immediately impact user behavior, said Murray, but enforcing the rules is also key.

Hils said that companies should write a policy early on and revise it as the network grows and changes. He recommends involving the manager responsible for the company’s finances, such as a CFO, who will also be familiar with human resources policies.

Remote Security

Contractors who work outside the company’s premises face different threats than internal employees. Small companies must remain agile, Hils said, so they often rely on contract workers.

Wi-Fi hotspots such as those in coffee shops or libraries are especially dangerous for remote workers. Other hotspot users can intercept information being sent and capture company passwords or email.

Companies can protect that information by enabling a virtual private network on their server. When contractors log in to the VPN, the information they send will be concealed from public view.

Companies should also protect their USB drives, Hils said. A malware infection on one computer can spread to another, along with other information transferred on a USB drive. Some vendors sell USB port blocking software, which prevents computers from accepting USB drives.

About the Author

Amy Hengst is a freelance writer in the San Francisco Bay Area who writes about information technology and security. Her articles have been featured in VoIP News, DailyWireless, Inside CRM, HR World, and other publications. She also maintains the daily blog at IT Security.

This site is made possible by a grant from the AT&T Foundation.
 
Copyright 2008 California Small Business Education Foundation. All Rights Reserved.