Security: On a Budget
By CIOinsight | Posted 11-06-2006
IT security concerns are vexing for almost every business. But at small and midsize companies, limited IT staff and resources make it especially hard to keep on top of the ever-shifting security environment. One thing is certain: In today's world, no business is too small to be a target.
"Attackers are always looking for the path of least resistance," says Dean Turner, senior manager for Symantec Corp.'s Security Response Team. "Small and medium businesses shouldn't think they're immune just because they're too small. That's precisely what network attackers want you to think," Turner says.
Matt Medeiros, CEO of SonicWall Inc., which makes a variety of security equipment, says that in the three years he's been at the Sunnyvale, Calif.-based firm, attackers have stopped trying to take down company networks and instead have shifted to trying to infiltrate them.
So let's be clear here: Small and midsize businesses are a target for malicious hackers, and they need to be every bit as protected as their larger business brethren. But even the biggest firms spend only about 6 percent of their budgets on IT security. And smaller firms may not even earmark a specific budget line for security spending, or have a security specialist on staff.
At Stonebridge, George Rapp, senior vice president and director of information systems, is charged with securing the workings of the small Internet banking system with $400 million in assets. He does this with two IT employees and a total IT budget of about $400,000, which he guesses a large bank could spend on IT in a day or two. About 10 percent of that budget, or $40,000, might go for security spending at Stonebridge.

With limited funds, Rapp must guard against the bank's daily hacker attacks, many without any warning signs.
Rapp and one of his two IT employees are certified in security by SANS Institute, and Stonebridge Bank's security is good. Even so, he confesses that, faced with an ever-multiplying set of security threats, "we assume we are going to get broken into every single day," says Rapp. "I don't sleep well at night."
While that doesn't actually happen, Stonebridge uses both security practices and financial controls on the back end to give the bank a double dose of defense. The main line of defense is to follow the "principle of least privilege," that is, to deny as much access as possible, both to systems and people. There's risk in this approach, because it makes internal and external communications more complex, and increases the number of potential points of system failure. For instance, if a customer makes a transaction, the bank does not send an e-mail from the transaction server: the transaction server cannot make outbound connections. So e-mail messages are relayed among several internal systems, until they get to the system that is allowed to send data beyond the firewall.
"It's a major pain for me," notes Rapp, "but we have to do it, because we are so small and get hit so hard."
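As an added illustration of the egress restriction described above, and not Stonebridge's own configuration: an nftables ruleset for an internal transaction server that is allowed to initiate connections only to its database and to the next-hop internal mail relay, with everything else dropped and logged. The host addresses, ports and table name are assumptions chosen for the example.

```nftables
# Constructed example, not the bank's configuration: default-deny egress for an
# internal transaction server under the principle of least privilege.
# All addresses and ports below are placeholders.
define relay_host = 10.0.20.5     # assumed: internal mail relay, the only mail next hop
define db_host    = 10.0.10.20    # assumed: database the application needs

table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;

        # Loopback traffic and replies on connections this server accepted
        oifname "lo" accept
        ct state established,related accept

        # The only two destinations this host may open itself. There is
        # deliberately no DNS, HTTP or catch-all rule: a compromised process
        # cannot reach the internet, and mail leaves only via the relay, which
        # in turn hands it to the one system permitted beyond the firewall.
        ip daddr $db_host tcp dport 5432 accept
        ip daddr $relay_host tcp dport 25 accept

        # Anything else is logged before the chain policy drops it, so an
        # attempted outbound connection from this host becomes an alert.
        limit rate 5/minute log prefix "egress-drop: "
    }
}
```

The cost Rapp describes shows up here too: every new internal dependency (a time source, a log collector, a second relay) needs its own explicit line, which is exactly what makes the configuration more complex and adds points of failure, but also what makes an unexpected outbound attempt visible.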
Multiple Paths to Security
Within the overarching strategy of limiting access, Rapp has adopted a variety of tactics. He watches his budget by using open-source tools wherever he can, such as the OpenOffice application suite, in place of Microsoft Office. He brings in automatic tools from service providers, such as Qualys Inc., to run daily vulnerability assessments and weekly penetration tests. And he uses a commercial open-source monitoring platform from Applied Watch Technologies LLC for intrusion detection and prevention.
On the other hand, Rapp finds himself avoiding some technology that could help his operations. For instance, he likely won't adopt a service-oriented architecture, though he'd like to. SOA is designed to make it easy to share information among systems, but he worries that its emphasis on the use of the XML protocol raises big security questions. "It's very hard to detect XML hacking," he says.
Businesses less threatened than a bank would do well to learn from Rapp's pragmatic spending approach, says Gartner Inc. analyst John Pescatore. "You've got to focus your security dollars where they'll make the biggest impact," he says.
Many free security tools are available in commercial software that companies already have installed, and there are products designed to help small businesses in particular. CIOs can turn to software that manages security updates across multiple locations, such as HFNetChkPro from Shavlik Technologies LLC, or utility security appliances that combine features such as a firewall, anti-virus tools, intrusion detection and network monitoring, from vendors such as Fortinet Inc., Cisco Systems Inc., Juniper Networks Inc. and SonicWall.
For the small or midsize company that doesn't want to get into the security business, outsourcing is a good way to fill the void. A managed security provider can provide round-the-clock services such as network monitoring and firewall implementation for perhaps $10,000 a year, much less than it would cost a small firm to handle such tasks on its own.
Outsourcing has worked well for Quinn Millington, chief operating officer and head of IT at Acworth, Ga.-based PT Solutions LLC, which operates physical therapy offices at 13 locations in two states. Millington says that as the three-year-old business has grown, it's become impossible to run the company on a couple of computers and e-mail. So he hired local Atlanta consultants, Rocket IT, to handle technology, including the company's security basics: anti-virus software, spam control, firewalls and wireless network security.
Unlike Stonebridge Bank's Rapp, Millington doesn't worry much about his security situation, but then, his needs are less extreme. He primarily wants to make sure billing data is kept safe, that his wireless network isn't open to snoops in the parking lot, and that he doesn't provide a sitting-duck target to "the goofball who should be in a math class somewhere but is screwing around on the Internet."
The goofballs, of course, are not the main problem anymore; it's the professional criminals who are making CIOs worry. Security technology has improved in the last few years, and there are plenty of strategies companies can pursue. The only wrong move for a small business to make is to ignore the threat to its information security.