How to pick the right defenses

Analysts Anil Miglani and Jackie Chan show how resource-strapped SMBs can cope with the onslaught of security threats.

Every week, new stories appear about computer viruses, worms, Trojans, hack attacks and e-mail scams, all of which can have potentially devastating effects. SMBs are not spared from such threats.

With the increasing availability and affordability of broadband access, more small and medium-size businesses (SMBs) are connecting their IT networks to the Internet and expanding their use of remote network connectivity. In addition, SMBs are increasingly conducting business over the Internet, making electronic payments and other financial transactions, so their risk has gone up significantly. Such risks are not limited to just their own business but to all those with whom they conduct electronic transactions, including customers, suppliers and other business partners.

Not surprisingly, many large businesses now require SMB partners to implement IT security. Breaches can result in loss of important data, disruption in business and even damage to the business' reputation. It is important, therefore, that SMBs take a comprehensive approach to IT security and adopt all reasonable measures to protect their information.

The big question: What If?
The first step in designing a security system for any business is asking some key questions. What would be the business impact of a major security breach? What if the data stored on PCs or servers is corrupted by a virus and rendered unusable? What if the hard drive fails, resulting in a total loss of data? What if the Web site is attacked, preventing customers from placing orders or if critical customer data is stolen?

The answers to such questions can be very revealing. SMBs may realize that potential costs for IT security breaches include not just replacing a hard drive or stolen laptop, but loss of business, damage to their reputation and even potential legal liabilities. In some cases, lost data may be irretrievable, rendering its cost inestimable.

Assess your security needs

Start with the network basics: Antivirus, antispam, firewall, intrusion detection
Most people are familiar with antivirus, which is now the most common type of protection. SMBs can install antivirus software and use real-time scanning on their PCs, network gateways and e-mail servers. Many businesses have antivirus software installed on multiple levels rather than just one.

In the last couple of years, businesses have begun adopting antispam software to control unsolicited mail. In addition, firewalls can be very useful in preventing outsiders from accessing your system and preventing unauthorized software from connecting to the Internet. Microsoft now has a firewall built into its Windows operating system, but many businesses may want to install firewalls that allow better control over which applications are allowed access.

However, using these individual security applications can be cumbersome for SMBs that often don't have any IT staff to manage them. Such businesses may consider using integrated security appliances or managed security services.

Many security vendors such as Symantec, McAfee, Fortinet, NetScreen and SonicWall have security appliances that provide integrated security. The advantage of these appliances is that a single piece of equipment can potentially provide all commonly needed security products, such as firewalls, VPNs, antivirus, antispam and intrusion detection. Many vendors also offer subscription services that automatically update the software in their appliances. Given their lower maintenance requirements and comparatively lower total costs, these appliances have become quite popular in recent years.

Another emerging trend is managed security services. Instead of installing various security products on customers' premises, the vendor offers security as a service over the Internet. Customers get the benefit of continuously up-to-date security without having to manage the products in-house.

Cover all systems that connect to your network
In addition to the PCs used within their premises, businesses also need to protect portable PCs, handhelds, wireless networks and home PCs used by employees. The important thing to remember is that network security is only as strong as its weakest link. If portable devices that connect to the network are unprotected, they could get infected with viruses and pass the infection on to other machines on the network.

Update your software
New viruses, worms, Trojans and other threats emerge constantly. To protect against them, SMBs need to update their software regularly. Fortunately, most security vendors allow their subscribers to update their software over the Internet with minimal effort.

In addition, thousands of software vulnerabilities, including those in operating systems, are discovered each year. The time between the discovery of new vulnerabilities and related virus attacks is shrinking.

To protect against such vulnerabilities, software vendors often release patches to cover newly discovered vulnerabilities in their products. SMBs need to install such patches regularly. They can also use patch management software like iPatch from Symantec that keeps an inventory of the operating systems as well as other software installed on PCs, their release versions, installation dates, and patches installed. It also automatically obtains information on new patches from the software vendors and allows the businesses to install them at pre-scheduled times.

Control access to your IT systems
It is crucial to develop a strong security policy framework and communicate it clearly to all employees. This includes policies on who has access to which resources. Access to critical resources should be password-protected and employees should change their passwords periodically. Passwords should not be based on easy-to-guess words and should not be written down anywhere or shared with others.

Protection from internal employees
While most media coverage on IT security focuses on threats like viruses and spam, businesses suffer far greater damage from deliberate sabotage from disgruntled employees. It is important therefore to control access to the IT systems. When employees leave or are terminated, their access should also be terminated immediately.

Backup, backup, backup
Hard disks fail, portable PCs get stolen or lost and even the best security systems can sometimes fail. It is important, therefore, to back up all data that is critical to your business. Depending upon the criticality of the data, it may need to be backed up daily or even more frequently. Many businesses back up their data at remote locations to guard against events that might make the primary business location unusable, such as floods, earthquakes and fires. In such cases, data from remote locations can be restored quickly so that business can continue uninterrupted. Test restores should be performed regularly to affirm the validity and usability of backups, and backup logs should be used to track date, media, method and status.

Review and update your security systems regularly
The nature of security threats changes constantly and vendors keep introducing new products to manage them. SMBs need to review their security systems periodically and update them to ensure they remain adequately protected. Security is now a core business requirement and dealing with security on an ad-hoc basis is no longer adequate.

The reality is that all organizations, big or small, need to be concerned about information security because the impact of security breaches can be severe and even devastating. SMBs tend to get intimidated by the technical jargon of IT security experts. Many also falsely believe that IT security is costly to implement. Investment in IT security is like an insurance policy: a little premium paid upfront can help a business avoid potentially devastating results in the future.

Anil Miglani is vice president and Jackie Chan senior analyst of AMI-Partners, a New York-based research firm with a strong focus on global SMBs, providing an integrated go-to-market perspective across enterprise market sectors.