Security: On a Budget
By CIOinsight | Posted 11-06-2006
IT security concerns are vexing for almost every business. But at small and midsize companies, limited IT staff and resources make it especially hard to keep on top of the ever-shifting security environment. One thing is certain: In today's world, no business is too small to be a target.
"Attackers are always looking for the path of least resistance," says Dean Turner, senior manager for Symantec Corp.'s Security Response Team. "Small and medium businesses shouldn't think they're immune just because they're too small. That's precisely what network attackers want you to think," Turner says. Matt Medeiros, CEO of SonicWall Inc., which makes a variety of security equipment, says that in the three years he's been at the Sunnyvale, Calif.-based firm, attackers have stopped trying to take down company networks and instead have shifted to trying to infiltrate them.
So let's be clear here: Small and midsize businesses are a target for malicious hackers, and they need to be every bit as protected as their larger business brethren. But even the biggest firms spend only about 6 percent of their budgets on IT security. And smaller firms may not even earmark a specific budget line for security spending, or have a security specialist on staff.
At Stonebridge, George Rapp, senior vice president and director of information systems, is charged with securing the workings of the small Internet banking system with $400 million in assets. He does this with two IT employees and a total IT budget of about $400,000, which he guesses a large bank could spend on IT in a day or two. About 10 percent of that budget, or $40,000, might go for security spending at Stonebridge. With limited funds, Rapp must guard against the bank's daily hacker attacks, many without any warning signs.
Rapp and one of his two IT employees are certified in security by SANS Institute, and Stonebridge Bank's security is good. Even so, he confesses that, faced with an ever-multiplying set of security threats, "we assume we are going to get broken into every single day," says Rapp. "I don't sleep well at night."
While that doesn't actually happen, Stonebridge uses both security practices and financial controls on the back end to give the bank a double dose of defense. The main line of defense is to follow the "principle of least privilege," that is, to deny as much access as possible, both to systems and people. There's risk in this approach, because it makes internal and external communications more complex, and increases the number of potential points of system failure. For instance, if a customer makes a transaction, the bank does not send an e-mail from the transaction server, because the transaction server cannot make outbound connections. So e-mail messages are relayed among several internal systems, until they get to the system that is allowed to send data beyond the firewall.
"It's a major pain for me," notes Rapp, "but we have to do it, because we are so small and get hit so hard."
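The relay design Rapp describes can be checked as a default-deny egress policy: the transaction server is granted no outbound connections, so a message must be pulled off it and handed along internal hops until it reaches the one host permitted past the firewall. The following is an added example, not Stonebridge's code; the host names and policy are constructed, and the model also shows why the approach adds points of failure, by counting hops against a flat policy where the transaction server mails out directly.

```python
from collections import deque

# Constructed topology (hypothetical host names, not Stonebridge's real systems).
# EGRESS maps each host to the destinations it may INITIATE a connection to.
# Anything not listed is denied: the transaction server may open nothing.
EGRESS_HARDENED = {
    "txn-server": set(),                        # cannot make outbound connections
    "app-relay":  {"txn-server", "mail-relay"}, # pulls from txn-server, pushes on
    "mail-relay": {"smtp-gw"},
    "smtp-gw":    {"internet"},                 # the only host allowed past the firewall
}

# The flat alternative the bank avoids: the transaction server mails out directly.
EGRESS_FLAT = {"txn-server": {"internet"}}

def may_connect(policy, src, dst):
    """Default deny: True only if policy explicitly lets src open a connection to dst."""
    return dst in policy.get(src, set())

def message_can_move(policy, a, b):
    """A message moves from a to b if a may push to b, or b may pull from a."""
    return may_connect(policy, a, b) or may_connect(policy, b, a)

def relay_path(policy, start, target="internet"):
    """Shortest chain of hosts a message passes through from start to target
    under policy, or None if the policy blocks every route."""
    hosts = set(policy) | {d for dsts in policy.values() for d in dsts}
    prev = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in hosts:
            if nxt not in prev and message_can_move(policy, cur, nxt):
                prev[nxt] = cur
                queue.append(nxt)
    return None

def hops(policy, start="txn-server"):
    """Number of hops (each one a potential point of failure) to reach the Internet."""
    path = relay_path(policy, start)
    return None if path is None else len(path) - 1

if __name__ == "__main__":
    print(relay_path(EGRESS_HARDENED, "txn-server"))   # four hops, txn-server never initiates
    print(hops(EGRESS_HARDENED), hops(EGRESS_FLAT))     # 4 vs 1
    print(may_connect(EGRESS_HARDENED, "txn-server", "internet"))  # False
```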
Multiple Paths to Security
Within the overarching strategy of limiting access, Rapp has adopted a variety of tactics. He watches his budget by using open-source tools wherever he can, such as the OpenOffice application suite, in place of Microsoft Office. He brings in automatic tools from service providers, such as Qualys Inc., to run daily vulnerability assessments and weekly penetration tests. And he uses a commercial open-source monitoring platform from Applied Watch Technologies LLC for intrusion detection and prevention.
On the other hand, Rapp finds himself avoiding some technology that could help his operations. For instance, he likely won't adopt a service-oriented architecture, though he'd like to. SOA is designed to make it easy to share information among systems, but he worries that its emphasis on the use of the XML protocol raises big security questions. "It's very hard to detect XML hacking," he says.
Businesses less threatened than a bank would do well to learn from Rapp's pragmatic spending approach, says Gartner Inc. analyst John Pescatore. "You've got to focus your security dollars where they'll make the biggest impact," he says.
Many free security tools are available in commercial software that companies already have installed, and there are products designed to help small businesses in particular. CIOs can turn to software that manages security updates across multiple locations, such as HFNetChkPro from Shavlik Technologies LLC, or utility security appliances that combine features such as a firewall, anti-virus tools, intrusion detection and network monitoring, from vendors such as Fortinet Inc., Cisco Systems Inc., Juniper Networks Inc. and SonicWall.
For the small or midsize company that doesn't want to get into the security business, outsourcing is a good way to fill the void. A managed security provider can provide round-the-clock services such as network monitoring and firewall implementation for perhaps $10,000 a year, much less than it would cost a small firm to handle such tasks on its own.
Outsourcing has worked well for Quinn Millington, chief operating officer and head of IT at Acworth, Ga.-based PT Solutions LLC, which operates physical therapy offices at 13 locations in two states. Millington says that as the three-year-old business has grown, it's become impossible to run the company on a couple of computers and e-mail. So he hired local Atlanta consultants, Rocket IT, to handle technology, including the company's security basics: anti-virus software, spam control, firewalls and wireless network security.
Unlike Stonebridge Bank's Rapp, Millington doesn't worry much about his security situation; but then, his needs are less extreme. He primarily wants to make sure billing data is kept safe, that his wireless network isn't open to snoops in the parking lot, and that he doesn't provide a sitting-duck target to "the goofball who should be in a math class somewhere but is screwing around on the Internet."
The goofballs, of course, are not the main problem anymore; it's the professional criminals who are making CIOs worry. Security technology has improved in the last few years, and there are plenty of strategies companies can pursue. The only wrong move for a small business to make is to ignore the threat to its information security.