Hardly a month goes by without at least one news story about a major security breach. Usually it involves theft of confidential customer information from a well-known bank, retail chain, government agency or corporation, with millions of dollars spent addressing the attack and millions more in lost productivity, damaged reputation and fleeing customers.
If you work for a small or medium-size business, you might feel that all those headlines have little to do with you. After all, hackers mainly target the big guys, right? They probably don’t even know your company exists.
Unfortunately, being small and considered “cyber safe” is both inaccurate and dangerous. While it’s true that smaller organizations make basic efforts to secure their systems, many don’t worry too much about the evolving threat landscape. In actuality, the number of cyber attacks on small companies is growing rapidly.
Fortunately, antivirus software is a low-cost means of protecting systems and information from computer viruses and other forms of malware. And antispam software aims to prevent unsolicited and unwanted e-mail from reaching end users. Both are available in a number of solutions and should be part of an effective multilayered security approach.
Don’t be under the impression that small means safe. “SMBs often think they’re under the radar,” says Jonathan Penn, vice president and principal analyst of technology strategy/security for Forrester Research. “In fact, they’re attractive targets because they too possess customer data that can be exploited for financial gain.
“Many SMBs also use their computers to connect to payment, insurance, supply chain and state or federal government systems, making them attractive vehicles for use in staged attacks on these larger environments,” he says. “Hackers know they most likely have less security technology in place than their larger counterparts.”
“Attacks are not always targeted,” adds Kevin Haley, director of product management for Symantec Security Technology and Response. “You see a lot of massive opportunistic attacks where a hacker sprays out as much malware as he can and sees who falls into his net. Small businesses with less security are often victims of these attacks.”
Penn warns that small businesses shouldn’t assume they have not already been a victim. “Attacks often happen today without the victim’s knowledge. You don’t see systems shutting down and messages flying back and forth as you used to,” he says. “Instead, you may find out about data theft six months after it happens when one of your partners notices it and tells you.”
Small businesses risk damaging relationships with large partners if they’re involved in staged attacks. Furthermore, many healthcare and financial services companies, as well as businesses that conduct credit card transactions, have the same compliance issues to contend with as their larger counterparts, risking fines if their security is not up to par.
Threats have come from several new fronts in the past few years. Small businesses that haven’t kept up ignore them at their peril.
One of the most devastating attacks can actually empty out a small business’s bank account: Hackers increasingly use web page altering techniques and Trojan horse–based keyloggers to get hold of a business user’s account login information, which they use to transfer a business’s funds to a different account.
Small businesses are attractive targets because they have more money in their accounts than do individual users, and fewer controls in place than larger organizations. Such an attack can be ruinous for the business victim, as banks are not required to cover small business losses as they do consumer losses.
A 2010 Guardian Analytics/Ponemon survey of 500 small and medium-size business respondents found that more than half (55 percent) had been victims of fraud in the past 12 months; 58 percent of those attacks involved online banking.
In 80 percent of the attacks, banks failed to detect fraud prior to an actual transaction, and in 87 percent of the fraud cases they were unable to recover the funds. Nearly 57 percent of businesses involved were not fully compensated by the banks for their losses, and 26 percent did not receive any compensation at all.
Many of these attacks arise from “zero day” malware exploits that are not detected by typical signature-based antivirus software. This is because this type of malware has been introduced so recently.
Other new threats come from the increasing use of instant messaging, chat, social media and cloud applications in the workplace. These can be used either for work purposes or personal reasons.
In addition, the heavy use of streaming video from YouTube or gaming can take up company bandwidth and reduce productivity for users doing real work. And, of course, liability issues from lawsuits can result from employee use of pornographic and other inappropriate sites.
Other threats come from the increasing consumerization of IT — employees using their personal iPhones, iPads, notebooks and other devices at work. This leads to a less contained security environment than in the past when work and personal computing were separate.
The key to staying secure for small businesses is a combination of policy and a multilayered defense that keeps up with the most current threats, security technologies and updates. Many large companies have security policies in place, but smaller organizations often do not; if they do, most don’t inspect and revise them very often.
A sound security policy does not have to be complex. These are the questions it should answer:
“Small businesses should think hard about the people and systems that do their financial transactions online,” says Haley. “They may want to consider reserving specific computers for those transactions alone and not allow any use of e-mail, the web or other applications on them. Financial people tend to be conservative and understand precautions such as these.”
Most company networks today have network firewalls, but traditional perimeter firewalls are no longer considered sufficient for protecting any business environment. Most of today’s exploits are application- or web-based and get past traditional perimeter firewall controls pretty easily.
With the expanding use of mobile devices and USB drives (as well as connections with partners, suppliers and service providers), the idea of a company network perimeter is rather outdated in any case. Today, protection must be applied in a layered fashion that covers every endpoint and most servers, in addition to the Internet connection.
Endpoint security for desktop PCs, notebooks and mobile devices today is about more than antivirus and antispam. Current endpoint security products from market leaders such as McAfee, Symantec and Trend Micro include antivirus and antispam along with personal firewalls, antispyware plus intrusion-prevention functions to detect and stop threats that attempt to enter the network through an endpoint.
Antivirus software stops known viruses and worms, while antispyware stops small pieces of software that attempt to collect information about a user’s Internet habits. Personal firewalls and intrusion prevention stop hackers from viewing personal folders and files.
Essential requirements for any endpoint security strategy include automated network software updates. These serve to address newly discovered threats and protection from zero-day attacks, which come at an increasing pace today.
Look for endpoint protection solutions that use newer techniques for detecting zero-day exploits, such as heuristics, behavior-based detection and the ability to identify subsets of malware signatures that have been slightly altered.
Antispam is another function needed in the security arsenal. Spam, or unsolicited e-mail, is not just a productivity problem. A large percentage of security issues arise from threats contained in spam.
For example, phishing is a form of spam that impersonates e-mail from a trusted site such as a bank. It is designed to use social engineering techniques to convince users to divulge confidential login information or click on a link that then downloads malware to the user’s PC.
Once a system is infected it can become part of a botnet, sending out lots of spam or staging attacks on larger target organizations. Mail service providers and server-based mail systems often provide some spam protection, but it’s frequently not 100 percent effective, which is why it’s advisable to have endpoint spam protection as well.
Servers, particularly e-mail servers, should also be protected with server-based security. This often includes many of the same functions as endpoint protection and can offer specialized security software that may target specific server applications such as databases and e-mail.
Endpoint and server protection can be very effective, but they’re not enough. The best strategy is to employ another protection layer that stops attacks from entering your network through the company Internet gateway.
When considering a solution for gateway protection, keep in mind that there are lots of targeted gateway security solutions that provide the same robust security as enterprise products, but are geared toward smaller budgets, simple deployment and ease of use. SonicWALL and WatchGuard are two examples of gateway security manufacturers that cater to the SMB market.
Unified threat management can be one of the most effective gateway security solutions for SMBs. This product often includes network firewall, intrusion prevention, antispam and antivirus protection in a single, centrally managed appliance configuration. These are sold as both hardware appliances and virtual machines that can be installed on a traditional server.
UTM appliances entered the marketplace in 2004 and were developed to fill this vital security need. A comprehensive solution, the UTM device packs multiple security and protection functions into a single form factor.
UTMs are much easier on the budget than purchasing each of these functions separately, and they come with easy-to-use web-based management software that can get you up and running in minutes. If an organization has several locations, the included web-based management software will allow configuration and monitoring of several UTM devices from one web browser console.
Many of these devices can be configured to detect and stop threats traversing the internal network as well. They have the further advantage of more frequent security updates than do typical endpoint protection solutions — often, multiple times daily or even hourly depending on how they’re configured, so they can catch new attacks even before your endpoint solutions are aware of them.