Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

IT Security in the SMB - Follow-up

Published: 2008-02-17
Last Updated: 2008-02-17 19:58:39 UTC
by Brian Granier (Version: 1)
0 comment(s)

Two weeks ago, I posted a call for input asking for feedback from people in the field for the Small to Medium Business from the diary entry at

 I want to take a moment to thank all of you that responded. While the sample taken from the response is relatively small, there were a few common themes in the responses that were received.

 First, it does appear as if the integrated all-in-one style products have definitely been a step in the right direction. However, independent of additional pressure, the indication seems to be that more times than not, security stops there. This is unfortunate as it appears that there is still a large segment of this community that can be sold on edge device or perimeter defense mechanisms and then they believe they are done.

Second, this market space very often has the specific complication in that there is very often no full time IT staff. Technical support issues are sometimes a collateral duty for another position or it is brought in on a consultant basis as needed. However, "as needed" typically involves reactive instead of proactive drivers resulting in an inability to apply proper preventive techniques until it may be too late. Taking it a step further, in the event that a company does have an in-house IT employee, it is more likely that this person will be focused on production and production support issues which will sometime interfere with IT security controls.

Third, I was very happy to receive some stories that indicate a successful integration of IT security into the SMB space. However, I did notice that the underlying reason for this success has been due to external business pressure. This observation is consistent with my own experience in the field and is likely a key identifier as to whether the SMB market space is going to be "doing the right thing" to protect their systems and networks. Regulatory compliance requirements have helped some, but pressure from clients appears to have reigned supreme in pushing movement in this area. If, in order to do more business, a company must pass a third party IT security audit, then the SMB business leader can make a direct correlation between an ability to present an environment that is well protected with an ability to gain new business. It should be no surprise that this direct of a tie between good security practices and the bottom line is a very powerful motivational factor.

Finally, in conjunction with the first observation, I am very concerned about some of the responses that seem to indicate that SMB leaders very often unintentionally or intentionally ignore the insider component. Because they have a secure perimeter device, they tend to not see the need to protect the internal end-user devices. These devices often lack anti-virus, have no patch management processes and do not use anti-spyware/ad-ware solutions. Further, my observation is that in an SMB company, there is a much higher level of trust given to internal employees. In these companies, everyone usually works out of the same office and everyone knows everyone. This makes for a hard sell in many cases when it comes to deploying security tools and practices that are typically associated with a lack of trust of internal staff, such as proxy servers.

So how can we use this information? Well that depends who you are.

I anticipate that most of the people reading this article who deal with the SMB space are going to be consultants. I'm probably not telling you something you don't know, but if they are using your services, they are most likely looking for a silver bullet. All you can hope to do is educate them without making them feel like you're just there to suck them dry of every dollar they have to spare. Keep in mind that there will not be people on staff monitoring and maintaining the environment, so as much automation to patch maintenance and updates as possible is going to be key. Try not to stop at perimeter security and if the client is unwilling to pay for a commercial anti-virus/anti-spyware product, deploy one of the many free ones that exist out there today. When new security issues or threats come out that have a very simple fix, try to communicate this to your customer base in a manner that can allow them to fix themselves without having to call you. Keep in mind that SMB businesses tend to be fragile and come and go on a constant basis. If you can do your part to help them be successful, you will be helping yourself by increasing their probability of overall success as a business, which will mean more business for you in the long term. Even if the client's business goes under, business leaders talk with each other and word of mouth advertising will work in your favor.

If you are the one-man IT staff in an SMB market space, your company is already head and shoulders above others in this field. If you're reading this article, you're even another notch up from that because you are already interested in IT security issues and are hopefully applying this concern and knowledge in your environment. I want to urge you to think about the security objectives you are having difficulty getting implemented and try to find a way to prove a tie to the bottom line or a return on investment. This is a challenge, but is the most effective method to break down the final barrier. Also, think about areas of your job where you are sacrificing security principles in order to "just get the job done". Can you educate your higher ups about why this is not a very good idea without putting your job at risk?

If you are an SMB business leader and reading this article, I applaud you. Thank you for working to understand the reality of IT security in your business. Educate yourself on what regulatory compliance issues affect your business. If you are in a position where you do have an internal IT staff, does that person have enough autonomy that they can tell you or other executives within your business that they are asking something that puts your company at risk? Can you give them a way to say "that's a bad idea" without putting their job at risk? You want to listen to their concerns and behave accordingly. Even if you decide to say, "I understand your concerns, but I want to do it anyways" the mere fact they feel comfortable expressing concerns and can be taken seriously when they do will make a big difference. If you are hiring a consultant to handle these needs, I would like to encourage you to build in routine "maintenance" calls to have them come by and just do a general health check on your systems. Depending upon the criticality of your IT assets, this could be weekly or monthly. They should do things such as, check for any patches required, assess if there are any hardware issues that need to be addressed, ensure that both perimeter and internal defenses are all up to date and are doing their job and finally, review logs on perimeter defense devices, end-user workstations and servers to determine if there are any warning signs of a problem. While you have personal interaction with your employees and probably have a high degree of trust, when it comes to IT security, this can interfere with doing the right thing. Even if your employees’ intentions are in the right place, they can often do things to put your business at risk unintentionally, so do not dismiss processes, tools or technologies that you perceive as calling into question whether your staff can be trusted.

0 comment(s)
Diary Archives