IT security concerns are vexing for almost every business. But at small and midsize companies, limited IT staff and resources make it especially hard to keep on top of the ever-shifting security environment. One thing is certain: In today’s world, no business is too small to be a target.
“Attackers are always looking for the path of least resistance,” says Dean Turner, senior manager for Symantec Corp.’s Security Response Team. “Small and medium businesses shouldn’t think they’re immune just because they’re too small. That’s precisely what network attackers want you to think,” Turner says. Matt Medeiros, CEO of SonicWall Inc., which makes a variety of security equipment, says that in the three years he’s been at the Sunnyvale, Calif.-based firm, attackers have stopped trying to take down company networks and instead have shifted to trying to infiltrate them.
So let’s be clear here: Small and midsize businesses are a target for malicious hackers, and they need to be every bit as protected as their larger business brethren. But even the biggest firms spend only about 6 percent of their budgets on IT security. And smaller firms may not even earmark a specific budget line for security spending, or have a security specialist on staff.
At Stonebridge, George Rapp, senior vice president and director of information systems, is charged with securing the workings of the small Internet banking system with $400 million in assets. He does this with two IT employees and a total IT budget of about $400,000, which he guesses a large bank could spend on IT in a day or two. About 10 percent of that budget, or $40,000, might go for security spending at Stonebridge. With limited funds, Rapp must guard against the bank’s daily hacker attacks, many without any warning signs.
Rapp and one of his two IT employees are certified in security by the SANS Institute, and Stonebridge Bank’s security is good. Even so, faced with an ever-multiplying set of security threats, he confesses, “we assume we are going to get broken into every single day.” Says Rapp: “I don’t sleep well at night.”
While break-ins don’t actually happen, Stonebridge uses both security practices and financial controls on the back end to give the bank a double dose of defense. The main line of defense is to follow the “principle of least privilege,” that is, to deny as much access as possible, both to systems and to people. There’s a cost to this approach: it makes internal and external communications more complex and increases the number of potential points of system failure. For instance, if a customer makes a transaction, the bank does not send an e-mail from the transaction server—the transaction server cannot make outbound connections at all. Instead, e-mail messages are relayed among several internal systems until they reach the one system that is allowed to send data beyond the firewall.
“It’s a major pain for me,” notes Rapp, “but we have to do it, because we are so small and get hit so hard.”
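The relay pattern Rapp describes can be expressed as a default-deny egress allowlist. The following is an added example, not code from Stonebridge or the article: the host names and allowed flows are constructed assumptions, and the model shows both that the transaction server has no direct route out and that taking a relay offline breaks delivery, the extra point of failure the text mentions.

```python
"""Model of a default-deny egress policy with a relay chain (constructed example)."""
from collections import deque
from typing import FrozenSet, List, Optional, Set, Tuple

# Constructed allowlist of (source host, destination host, service).
# Any flow not listed is denied, which is least privilege applied to network
# egress. Host names are assumptions, not the bank's real systems.
EGRESS_ALLOW: Set[Tuple[str, str, str]] = {
    ("txn-server", "app-relay", "smtp"),
    ("app-relay", "mail-gateway", "smtp"),
    ("mail-gateway", "internet", "smtp"),
    ("workstation", "internet", "https"),
}


def is_allowed(src: str, dst: str, service: str) -> bool:
    """Default deny: a single hop is permitted only if explicitly listed."""
    return (src, dst, service) in EGRESS_ALLOW


def relay_path(src: str, dst: str, service: str,
               down: FrozenSet[str] = frozenset()) -> Optional[List[str]]:
    """Breadth-first search over allowed hops; returns the relay path or None.

    `down` models hosts that are unavailable, so a failed relay in the chain
    shows up as a lost route rather than a silent success.
    """
    if src in down:
        return None
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        here = path[-1]
        if here == dst:
            return path
        for s, d, svc in EGRESS_ALLOW:
            if s == here and svc == service and d not in seen and d not in down:
                seen.add(d)
                queue.append(path + [d])
    return None


def direct_egress_hosts() -> Set[str]:
    """Hosts allowed to open a connection straight to the internet: the list
    a reviewer checks to confirm the transaction server is not on it."""
    return {s for s, d, _ in EGRESS_ALLOW if d == "internet"}
```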