Information technology (“IT”) security is sometimes thought of as a problem only for the largest companies, whose data protection lapses expose customer information and result in front-page coverage.
Small and mid-sized businesses,of course, are just as susceptible to malware and network intruder attacks. In some cases, small companies confront a greater challenge. While large businesses and government agencies employ chief information security officers and IT security staffs, smaller firms usually don’t. This places the small business owner in a DIY situation.
Small businesses face many security vulnerabilities, but the SANS Institute, a think tank that focuses on IT training and certification, cites two pressing problems: unpatched software running on PCs and vulnerable web-based applications. Email attacks, dubbed “spear phishing,” specifically target unpatchedvulnerabilities in frequently used products, such as Adobe Acrobat, QuickTime and Microsoft Office.
The second factor, at-risk web applications, account for a sizable chunk of known security gaps. Assaults focused on web applications represent more than 60 percent of the total attack attempts observed on the internet, according to SANs.
Getting a Grip
Making sure current security patches are installed on applications and shoring up web application defense are just two chores small company owners face. They need to consider internal lapses – such as employees divulging intellectual property via e-mail – as well as external threats. In addition, many firms must meet regulatory compliance directives. A retailer handling credit card data must comply with the Payment Card Industry Data Security Standard.
With all of the security issues and products to address them, small businesses may have trouble knowing where to begin.
A vulnerability assessment, also referred to as a risk analysis, comes in handy here. Such an assessment aims to define the scope of an organization’s security issues, thereby identifying likely areas for investment in protection.
The key steps in a vulnerability assessment include taking stock of a company’s IT assets – servers, applications, networks, client-side devices among other gear. With this census in hand, a business can move on to prioritize assets according to their value to the business. The next phase is to zero in on vulnerabilities, starting with the more important assets.
Small businesses seeking to start down the vulnerability assessment track can turn to a few self-help resources. For example, the National Institutes of Standards and Technology (NIST) offers its eScan Security Tool, which was designed for small businesses: https://www.mepcenters.nist.gov/escan/.
The tool prompts users through a series of questions that touch upon such topics as computer virus protection, back-up policies, and the physical security of computer systems. At the end of the questioning, the tool generates a report with suggestions for improving IT security.
NIST also offers a guide to small business information security, which includes a section on identifying and prioritizing information. You can download a copy at http://csrc.nist.gov/publications/drafts/ir-7621/.
Small business owners can also opt to hire an IT consultant to help conduct theassessment. The task of automated vulnerability scanning, for instance, may call for an expert who can interpret the results and distinguish between “false positives” and legitimate concerns.
An company must take care in hiring an outsider. The consultant will learn all about your weaknesses and must be of the highest integrity. Client lists and referrals should provide the evidence. Security certifications, whether vendor-specific (e.g., Cisco Certified Security Professional) or independent (e.g., Certified Information Systems Security Professional), also help guide selection.