Small and medium-sized businesses (SMBs) have the same kind of tantalizing data as their larger cousins. There are plenty of attackers looking for credit card info and email addresses that can be used for spearphishing (targeted phishing), and insider threats can happen in a company of any size.
But SMBs are different in many ways. Enterprises have some financial cushion. SMBs run lean, so large unexpected fluctuations in revenue, expenses, and cash flow can topple a firm. In 2010, the Gartner Group said that “major” data loss caused the immediate collapse of 43 percent of the SMBs experiencing it. What is more, 51 percent more failed within two years. Let’s hope that these figures have improved since 2010.
We see daily reports of a worrisome increase in cybercriminal attacks on SMBs.
Automated attacks look for vulnerabilities. SMBs tend to be attacked more often because they usually lack the sophisticated security defenses and auditing techniques used by enterprises. Enterprises have the resources to pursue intruders and follow up with prosecution; attackers know that SMBs may not. An SMB can also serve as a vendor for an enterprise that is a prime hacker target, such as a bank, defense contractor, or government organization. Smaller businesses can often serve as a backdoor into the data banks of other, better protected enterprises. The SMB may maintain some of the information the attacker wants, or it may have online access to the target enterprise. In any case, the SMB is now in the spotlight. An example is the Target breach, where the break-in started with access to an HVAC vendor.
After reading those frightening facts, here is the good news. Most SMBs already have the policy and procedure on which to base IT security. The key is to extend existing compliance, accounting, and business controls to the IT sphere. These controls are embodied in a set of “best practices” that vary by industry. But the concepts are the same for all businesses. (This article will not consider specific industry compliance rules.)
The most important precept is separation of duties (also called segregation of duties). This creates a system of checks and balances. As SANS explains, “It restricts the amount of power held by any one individual. It puts a barrier in place to prevent fraud that may be perpetrated by one individual.”
For example, you would not allow a purchaser to sign checks to vendors, would you? Translated to the IT realm, here are some examples:
Ensure that software developers do not have access to production systems.
Give contract programmers or technicians access only to the systems they are working on.
Since SMBs have limited personnel, separation of duties really means that no important business or IT function should be the responsibility of a single person. At a minimum, supervisor or management approval and/or oversight should be exercised. An example is limiting administrative privileges for server access by requiring a manager to enter half the password and the IT support person to enter the rest.
Closely related is the rule of least privilege, sometimes called “need to know”. Grant an employee the smallest set of privileges necessary to complete the task. For example, only a manager and a single IT support person should be authorized to review access logs; other employees do not need to know the sensitive information contained in the logs.
Next are the legal concepts of ‘due care’ and ‘due diligence’. Management should exercise “due care” to maintain a minimum level of protection according to the best industry practices. “Due diligence” is its twin. As SANS puts it, due diligence “is essentially the maintenance program that supports due care, and has been described as a protection plan to prevent abuse, fraud and the means to detect them.” Both of these concepts are crucial in legally protecting a business. A company can be found negligent and held liable if it does not follow best industry practices.
Basically, best business practices should be utilized in all areas of IT:
Physical access control – Is your server on someone’s desk or in an unlocked closet? Your server is the lifeblood of your business. Lock it in a cabinet or closet (with adequate ventilation) and control the keys.
Background checks – Conduct background checks on all new hires, IT or otherwise.
Job rotation – This technique requires employers to cross train their employees for redundancy and backup. A side benefit: it provides an audit function that can uncover employee theft, embezzlement, and insider cyber-attacks. In fact, some organizations have a mandatory vacation policy for the same purpose.
Document disposal and destruction – Access logs, program printouts, and other sensitive data should be treated like any other confidential (or higher classification) documents.
In summary, IT is a part of your business and should be controlled like any other department. But does IT know that? Does it treat itself as part of the business? Especially in SMBs, the manager authorizing IT expenditures may or may not be up to speed on IT matters. It is IT’s responsibility to explain the business reasons underlying requests for software, hardware, or modifications. In fact, all IT decisions must be considered in the context of business policy, procedure, and objectives.
So SMBs can manage IT just like the big players by using best practices. In an upcoming article, we will look at specific security-related considerations for SMBs.
For now you may be interested in our new server deployment checklist which outlines the essential elements of securely provisioning servers.