Security vigilance essential against threats

Special report: As SMBs turn to online resources and new technologies, they face increasingly targeted security threats from cybercriminals eager to strike.
Written by Sol E. Solomon, Contributor

Small and midsize businesses (SMBs) today have much to worry about in terms of security, ranging from threats that take advantage of the current recession to those that exploit user behavioral patterns.

Ong Geok Meng, McAfee's Asia-Pacific and Japan anti-malware research manager, said threats leveraging the economic downturn have emerged, disguised as advertisements aimed at SMBs looking for attractive offers for services such as legal, financing, recruitment and even free security tools.

"Often, computer users do not realize that cybercriminals are lurking behind the guise of seemingly legitimate services," said Ong, who is based in Singapore, in an e-mail interview. Phishing sites, spam and fake security software are made to look real, and in some cases, hackers penetrate legitimate sites and use these as vehicles to host malware, he added.

Security threats are also undergoing some form of localization. In the past, Ong said, threats were not targeted at specific regions, cultures or languages, and there is still a perception that Internet threats are made for English-speaking users.

Ways to minimize risks
1. Layered security: Deploy "defense-in-depth" strategies for employees, including security patch updates. Deploy a personal firewall to control network traffic to devices. Enable security settings on Web browsers and disable file-sharing. Teach users to establish strong passwords with at least eight characters and a combination of numbers, letters and special characters. Passwords should be changed every 45 to 60 days.
2. Network access control: All network-connected computers and inbound/outbound traffic should be monitored for unauthorized entry and malicious activity. Ensure infected computers are removed from the network and disinfected. Also, create and enforce policies that identify and restrict applications that can access the network.
3. Stay informed: Several security vendors publish reports on their Web sites that help define the threat landscape for SMBs.
4. Physical security: SMB employees can use a number of routine physical security tactics to help strengthen their companies' security defenses. These include screen-locking when the user is away from the computer, shutting off the computer at the end of the day, locking laptops with a cable, and being mindful of the physical security of handheld devices.
5. Backup: An IT system can be brought down for various reasons, such as disaster, human error and hardware failure. It is critical to back up important data regularly, and archive extra copies of the information offsite.
Source: Symantec

"[However], as malware has become a lucrative business for the bad guys, we are seeing threats crafted specifically for targeted groups," he warned. "In regions where English is not a native language, they may be caught off guard with threats crafted in Chinese, Japanese, Bahasa or other local languages."

And cybercriminals are already taking advantage of online resources that are popular among SMBs to spread worms, such as online communities and recruitment Web sites, which smaller companies see as cost-efficient tools to help improve productivity, Ong said.

Security breaches in hand
Eric Hoh, Symantec's Asia South vice president and head of global accounts, said the growing use of consumer devices in the workplace has made such gadgets key security threats, too.

Servers, laptops and desktops are increasingly targeted by security attacks designed to compromise and steal company data, Hoh said in an e-mail. As users demand increased flexibility and access into the network via remote virtual private networks (VPNs), Web-based telecommuting and unmanaged devices, security threats are becoming more sophisticated and aimed at mobile devices, he said.

He added that increasing workforce mobility presents new challenges to information security.

"Mobile devices, while providing a means to increased productivity and flexibility, can be easily lost or stolen, and the data on them accessed by an unauthorized third-party if there is no security tool in place," he noted.

Ong added that with new technology comes new threats. "It is without a doubt that portable USB devices are increasingly popular, especially among SMBs. Removable hard disks, USB disks and even MP3 players, digital cameras and cell phones...are becoming a popular medium to spread the W32/Autorun.worm, which copies itself from computer to computer using the portable devices," he said.

Ong noted that user education remains key to mitigating IT risks, especially against social engineering and targeted threats. "Implement and enforce IT best practices in the company to ensure the use of strong passwords, limit user access to critical resources, and install only software that is essential," he said.

According to Hoh, SMBs often view and treat policy compliance as a separate activity, and fail to realize that compliance should be incorporated into their day-to-day business operations.

He added that security spending is one area SMBs cannot afford to overlook, even if these companies traditionally have limited IT budgets. "Having adequate security solutions in place will help SMBs reduce risks like downtime, identity theft and reputation and revenue loss," he said.

SMBs that rely on free security software get only a basic level of scanning and protection, and such tools do not give these businesses the security they need, Hoh said.

"To protect information and secure transactions in today's connected world takes more than 'bolt-on' security," Hoh said. "It takes integrated products and services that provide a holistic view into a business' security posture. It takes solutions that identify risks early so that steps can be taken to mitigate them and prevent an attack."
