Security: On a Budget - 'Multiple Paths to Security'

Within the overarching strategy of limiting access, Rapp has adopted a variety of tactics. He watches his budget by using open-source tools wherever he can, such as the OpenOffice application suite, in place of Microsoft Office. He brings in automatic tools from service providers, such as Qualys Inc., to run daily vulnerability assessments and weekly penetration tests. And he uses a commercial open-source monitoring platform from Applied Watch Technologies LLC for intrusion detection and prevention.

On the other hand, Rapp finds himself avoiding some technology that could help his operations. For instance, he likely won't adopt a service-oriented architecture, though he'd like to. SOA is designed to make it easy to share information among systems, but he worries that its emphasis on the use of the XML protocol raises big security questions. "It's very hard to detect XML hacking," he says.

Businesses less threatened than a bank would do well to learn from Rapp's pragmatic spending approach, says Gartner Inc. analyst John Pescatore. "You've got to focus your security dollars where they'll make the biggest impact," he says.

Many free security tools are available in commercial software that companies already have installed, and there are products designed to help small businesses in particular. CIOs can turn to software that manages security updates across multiple locations, such as HFNetChkPro from Shavlik Technologies LLC, or utility security appliances that combine features such as a firewall, anti-virus tools, intrusion detection and network monitoring, from vendors such as Fortinet Inc., Cisco Systems Inc., Juniper Networks Inc. and SonicWall.

For the small or midsize company that doesn't want to get into the security business, outsourcing is a good way to fill the void. A managed security provider can provide round-the-clock services such as network monitoring and firewall implementation for perhaps $10,000 a year, much less than it would cost a small firm to handle such tasks on its own.

Outsourcing has worked well for Quinn Millington, chief operating officer and head of IT at Acworth, Ga.-based PT Solutions LLC, which operates physical therapy offices at 13 locations in two states. Millington says that as the three-year-old business has grown, it's become impossible to run the company on a couple of computers and e-mail. So he hired local Atlanta consultants, Rocket IT, to handle technology, including the company's security basics: anti-virus software, spam control, firewalls and wireless network security.

Unlike Stonebridge Bank's Rapp, Millington doesn't worry much about his security situation, but then, his needs are less extreme. He primarily wants to make sure billing data is kept safe, that his wireless network isn't open to snoops in the parking lot, and that he doesn't provide a sitting-duck target to "the goofball who should be in a math class somewhere but is screwing around on the Internet."

The goofballs, of course, are not the main problem anymore; it's the professional criminals who are making CIOs worry. Security technology has improved in the last few years, and there are plenty of strategies companies can pursue. The only wrong move for a small business to make is to ignore the threat to its information security.