While most large enterprises have embraced IT security as a part of the corporate culture, many small and medium-size enterprises (SMEs) have been as unguarded as small-town residents who keep their doors and windows unlocked. Such a lack of caution could potentially cripple SMEs, said Todd Tucker, Director of Security Architecture and Strategy at PentaSafe Security Technologies. Consultants, however, may be in the perfect position to help guide SMEs to better security practices. According to Tucker, small organizations generally have:
- A relaxed culture and a lack of formal security policies.
- A small IT staff with no security training.
- Scarce investments in security technologies.
- A lack of either business continuity or disaster plans.
As these organizations jump on the security bandwagon, his recommendations may help you be the hero for your SME clients. He suggested four remedies to cure the special challenges and bring people, policy, and technology together in the SME realm:
- Assign security tasks.
- Invest in more than bare-bones security technologies.
- Prepare for disaster.
- Implement a formal security policy and test it.
Here’s a look at Tucker’s advice on how consultants can help SMEs educate their IT staff and beef up their technological resources.
First of two parts
This series discusses the special security challenges of small to medium-size enterprises (SMEs). Next week, we'll discuss preparing SMEs for disasters and creating formal security policies.
Assign security tasks
PentaSafe, headquartered in Houston, promotes a concept called Enterprise Security Infrastructure, which combines people, policies, and technology to provide for security. Often, smaller companies are lacking in one or all of these areas.
"These organizations often do not have a security policy, and there's no direction from senior management on what's expected for security," Tucker said. As a result, the task of deciding how securely to implement or maintain technology often falls to IT administrators.
While small and midsize companies are always going to consider security outsourcing an option, Tucker argues against it, suggesting that SMEs shouldn’t entrust strategic components to outsourcers.
“You shouldn't be leaving that up to somebody external to your company," he said. "You need to understand yourself how secure you are.”
Instead, Tucker recommends that SMEs specifically task members of their IT staff with implementing security, and provide the necessary education and tools to enable them to properly protect all assets.
"I understand that they need to stay lean and can't go out and hire a staff of security officers (or even a lot of consulting time), so it's tough for them to improve security," he said. "But there are some measures that they can take."
Whether the companies choose consulting, books, or external or computer-based training, they should educate both their employees and IT personnel. Tucker recommends that IT professionals first focus their studies on sources that detail vulnerabilities specific to their assets—such as the buffer overflow vulnerability in Windows—and how to correct them.
Second, he said they should learn to properly configure their security devices.
"I've seen a lot of small shops that have implemented a firewall, but because they didn't have any specialized security talent, they didn't configure it properly," he said. "As a result, they left themselves more exposed than they should have been."
Invest in more than bare-bones security technologies
While SMEs will typically invest in basic security like firewalls and antivirus software, they often don't implement more complex tools, Tucker said. As a consultant, you may be able to capitalize on your experience with more advanced security options.
Intrusion detection, for example, is a vital component to a security program, especially if you have a strong Web presence or are depending on the Web for your business, Tucker said.
"It's like having a storefront with a set of glass doors where anybody can walk in," he said. "Most businesses would have a security device protecting that, whether it is cameras monitoring who's coming in, or simply an alarm system. The same thing goes for any e-business."
It's also important that SMEs have vulnerability assessment tools, he said. "There are constantly new vulnerabilities, and staying on top of those without the right tools is almost impossible, even in a small shop."
Don't knock on my door
In 2000, Gartner named Internet Security Systems and Cisco Systems as top dogs in the intrusion detection market. What intrusion detection program do you recommend to your clients and why?