AOH :: ISN-3297.HTM

Small companies ignorant of security?

Small companies ignorant of security?
Small companies ignorant of security?


http://news.zdnet.co.uk/security/0,1000000189,39284792,00.htm 

By Tom Espiner 
ZDNet UK
20 Nov 2006

Small businesses must become more aware that they are the potential 
victims of cybercrime, according to former White House security advisor 
Howard Schmidt.

Speaking at an IT security event organised by managed services 
specialist Claranet at the House of Lords on Monday, Schmidt said all 
businesses are at risk through a lack of proper configuration of 
security equipment, or through not taking proper security precautions.

"SMEs are not aware of being a potential victim spending 40 per year on 
antivirus is not a high priority," he said. "SMEs have to realise that 
just because they are small, it doesn't mean they won't be targeted. Bad 
guys target wherever they can get money."

Ninety percent of small businesses and consumers install antivirus, but 
10 percent never update the signatures, according to Schmidt. Small 
businesses with limited staffing resources simply do not have time to 
devote to cybersecurity issues, he said.

As well as malware, organisations need to be aware of important data 
leaving the company, often through human error. Employees using 
file-sharing networks are often not aware of the security implications, 
said Schmidt.

"Individuals working on peer-to-peer networks often don't realise 
they're sharing the whole contents of their drive. You can find Homeland 
Security vulnerability assessment documents online from employees [using 
P2P]."

However, Schmidt said that SMEs will eventually start using managed 
software security services, with third-party providers managing both 
low-cost application level security and end-point hardware.

"Eventually we'll move to a model of software as a service, with a 
low-cost environment of managed security services," he said.

However, application software should have security built in from the 
beginning, according to Schmidt, who said he looks forward to a time 
when software will be able to configure automatically to a user's 
system, and detect attempted security breaches.

"I don't think the end user should protect themselves. It's like safety 
in new cars built in. They want automatically self healing and self 
configuring software," said Schmidt.

Small business must take security into account in their planning, and 
decide whether to outsource security, invest in training, or allocate 
more resources. "Training is important because we don't know what we 
don't know," said Schmidt.

If a small enterprise does have a full-time IT manager, they should 
familiarise themselves with security standards such as ISO 17799, said 
Schmidt. "IT managers need to follow best practices they should know 
what security applies to which devices. The trouble is many times 
they're far too busy."

Charlie McMurdie, detective chief inspector with the computer crime unit 
of the Metropolitan Police, told ZDNet UK that "SME security is 
disjointed at the moment".

McMurdie said that computer security should follow common sense 
procedures. "If you had a house, what traditional measures would you 
have around the premises? Who has a key? People need to apply the same 
common sense to internet security. Stand back and look at who has 
access, who has a password."

Schmidt is on the board of directors for Fortify a company that sells 
source code analysis tools.


_________________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn

Site design & layout copyright © 1986- CodeGods