Security check - the SMB challenge

For smaller companies, finding the resources to adequately meet the new challenges can be an opportunity for resellers says Brian Dooley

Evolving IT infrastructure is bringing a range of new issues in areas such as cloud IT, virtualisation, and mobility. For resellers, new opportunities that are emerging can provide business even where spending in other sectors remains low.

However, the security sector is a complex territory, requiring a great deal of commitment and support. Some involvement in security is essential; but focusing upon this area requires trained personnel and a consultative approach. There are many facets to the business and important niche markets to be explored.

Analyst firm Frost & Sullivan follows global technology markets, and has been tracking New Zealand security issues. Of particular interest here are the problems faced by smaller businesses. “Unlike large enterprises, SMBs often lack security specialists who can formulate proactive strategies to ensure an adequate security posture,” says analyst Arun Chandrasekaran. “Hiring and retention of security specialists also continues to be a challenge for SMBs in tight IT labour market here. Overall, security is a combination of people, process and technology. But there tends to be an overriding focus on technology, with less emphasis on employee training and industry best practices in the SMB sector.”

SMBs are faced with many of the same risks as larger firms without the same resources. This makes planning for security an imperative. Chandrasekaran notes that a range of new technologies are having a disruptive effect upon IT and creating new security issues. These are:

* Virtualisation and cloud computing.

* Incursion of social media in the business realm.

* Organisation mobility and growth in remote users.

“SMBs need to move from a reactive threat management approach to a proactive risk management approach,” says Chandrasekaran. “They need to combine people, process and technology and ensure adequate investments in all three and constantly adapt their internal security framework to the dynamic external environment.”

Recent events have also caused companies to focus upon disaster recovery as a component of overall security. “Businesses need to formulate plans and conduct business impact analysis on the impact of loss of critical systems,” says Chandrasekaran. “Maintaining confidentiality, integrity and availability of information is of paramount importance. The risks from natural disasters can be mitigated by having a thorough DR plan that has been pre-tested and proven."

For resellers, security can be a critical sales area. “Security is a specialised function and needs significant investments in terms of people and process,” says Chandrasekaran. “It is and will continue to be an area where customers spend significant amount of their IT budgets. It is largely recession proof and thus could offer investment protection for resellers during the tough times. To ensure value creation and garner higher margins, resellers need to move up the value chain beyond mere product resale.”

Cisco is well known for routers and switches, but often gets overlooked for security, according to security expert John-Paul Sikking. “In fact, Cisco is a leader in almost all security categories, including firewalls [physical and virtual], VPNs/secure mobility, IPS, identity management, network admission control, content security [web and email], physical security and video surveillance.”

As a network-focused company, Cisco takes an architectural view of security using the network as the platform to enforce security policy.

“Security should be a mindset that encompasses every business process and transaction, inherent in everything we do in our businesses,” says Sikking. “It is important not to be blinded by just addressing technological risk. As we have seen in Christchurch, a destroyed building is just as dangerous as a hacker in stopping your business in its tracks. It is necessary to think more about the security of the business continuing to function; then, the security and technology requirements will be obvious.”

Cisco sees three keys areas for current security investment:

* Secure mobility such as iPads in the corporate network.

* Datacentre security with growing virtualisation.

* Content security, including developments in email, social media, and other web content.

“It is always a challenge for SMBs to find the resources needed to adequately address the risks to their business,” says Sikking. “Companies often implement technology solutions to address what are in fact people or process issues; they then assume a level of comfort because they are now “secure” since they have a security appliance.

"New issues are always emerging. As soon as we plug one gap, the attackers will find another. The big changes, however, are that we are seeing combined attacks and a real step-up in the level of sophistication and focus of attacks."

Examples of evolution in recent attacks include:

* Attacks on physical systems that are not connected to the internet, such as Supervisory Control and Data Acquisition (SCADA) systems – with Stuxnet being the best recent example;

* Hacktivism, using the internet to rally attackers for political purposes – with Anonymous and LulzSec providing recent examples;

* Increasing attack surface, as targets shift to mobile devices and increasing attacks against Apple technology;

* Social networking and exploiting of trust relationships – with Koobface providing a good example;

*Targeted attacks as hackers move from high volume spam to very specific and targeted email/web attacks.

Recent evolution within IT is creating new threats in areas such as virtualisation, cloud computing, and mobility. “Cloud services and virtualisation creates a much larger attack surface and different risks,” says Sikking.

“We have had robust physical network controls for years but are really only now getting up to speed with being able to secure the virtual networks appropriately.

"In mobility, smart phones and mobile devices are about to overtake the sales of PCs this year. This creates a huge target for attackers, especially where you can potentially control millions of internet connected devices with a single exploit.”

Cisco is now seeing regular attacks against mobile users with malicious applications and direct attacks against the operating systems. Attacks on social media services are also crossing over to mobile platforms, where users are not able to get the level of antivirus protection that they have on their PC.

“In protection, there has been a shift towards Unified Threat Management devices, and they are well received within small business,” says Sikking. “These devices combine a suite of security features into a single appliance — a jack-of-all-trades, approach.

"This allows some limited management benefits, but only with regards to the functions of the appliance. The SecureX architecture from Cisco is making steps toward enabling centralised management and visibility across all the network and security devices.”

For resellers, Sikking believes that non-participation in the security area is not an option. “All resellers are already participating in this sector, whether they want to or not,” he says. “Some are able to help a company secure its business; others may sell potentially insecure solutions that will add risk to an organisation, either way, they are impacting the security of that business.”

International IT security firm Trend Micro has been following a range of issues within this sector as IT usage and infrastructure continue to evolve. In New Zealand, security issues for small business are of increasing importance. “Small businesses have an increasing desire to do business online, yet are often unaware of the pitfalls,” says ANZ partner manager, Adam Biviano.

“Doing business in the cloud offers a way to escape the bounds of physical location but few small businesses have the confidence to truly embrace it. Problems such as safe handling of credit card data and personal information, managing an ever expanding mobile workforce and protecting data stored on mobile devices are all top concerns.”

The spate of natural disasters across the region (Christchurch, Japan, Brisbane) demonstrated the true power of the cloud when it comes to business continuity. There were many examples of business operations where their physical offices were affected by these events. The cloud provided ways for business to either continue operating during this time or to speed up recovery afterward. It offered ways of ways of storing critical data remotely, as well as platforms to provide services to customer bases even if physical offices were offline.

“Of course to take full advantage of these advantages business need to be confident that their data, and thus their business, will not be put at any greater risk by leveraging these technologies,” says Biviano.

The threat of malware is still the predominant problem for businesses. If a company’s IT assets are compromised by malware, it could mean that their customer data becomes compromised. The threat landscape today is increasingly motivated by profit, so business need to understand that a security breach could have serious ramifications to the bottom line – and even to the existence of a firm.

Resellers need to stay close to the trends in the security sector. “Messaging and technology moves quickly, so resellers need to build close relationships with the vendors who specialise in this sector,” says Biviano. “They need to learn how to leverage the resources on offer by the vendors so that they can capitalise on the services and product opportunities that abound.”

Mako Networks provides a system that secures the payment networks of small- to-medium-sized businesses. The system allows SMBs to securely manage their internet connection, and helps ensure that their payment system complies with new rules from the credit card companies known as the Payment Card Industry Data Security Standard (PCI DSS).

“Large companies are under immense pressure to harden their defences against fraud and cybercrime,” says business development director, Simon Gamble. “Thanks to regulations like PCI DSS, they’re required to meet a high level of security, particularly in regard to how they handle credit card data. As a consequence, criminals are turning their attention to smaller companies without the IT knowledge or budgets to protect themselves.”

When it comes to data breaches, SMBs can be a treasure trove of data for criminals. Moreover, fraud is doubly costly for small businesses. For SMBs, there's no 'zero liability' agreement with creditors as there is for most consumers. SMBs may be held liable for fraud losses, at a huge cost to their businesses.

“The internet is being used for critical communications more often than in the past,” says Gamble. “Many medium-sized businesses are beginning to shift their private networks onto the public internet, connected using Virtual Private Networks (VPN). Connecting to the Internet brings many benefits to the business, but also incurs a responsibility for maintaining security in an inherently insecure environment. Whenever a computer is connected to the broader internet, even if via VPN, it is exposed to the myriad threats that exist in the web. There is an onus on the business to upgrade their security to an acceptable level.”

Resellers need to be well-versed in the security issues of their clients, particularly if they are involved with payment systems and require PCI DSS compliance.