Security Holes at Small Companies


by Ericka Chickowski

Last week at RSA I participated in a roundtable discussion of the unique challenges small to medium-sized organizations face in implementing sound security practices.

I sat down with Jon Oltsik, Senior Analyst for Information Security at the Enterprise Strategy Group; Candy Alexander, Information Security Manager for Greenland, N.H.-based Long Term Care Partners; and several executives with ArcSight, which sponsored the event. One of the hot-button issues we touched on is the fact that many organizations must address the same threats large enterprises face, but with only a fraction of the budget.

"The only difference is scale," Oltsik said. "We see bad guys going after smaller regional players who they know won't have the resources to protect themselves."

That gap in resources is typically most prevalent when it comes to people, said Oltsik, who believes that even those SMBs that are mature enough to deploy security technology very often rely too heavily on it and fail to address the underlying business processes that leave their organizations insecure.

Meanwhile, the technology itself is a big 'if,' because many SMBs aren't even that security aware. According to a Symantec survey released this month, 59 percent of SMBs have no endpoint protection, and 47 percent have no desktop backup and recovery. Even more startling, a McAfee survey conducted last year found that 45 percent of SMBs don't think they're a valuable target for cybercriminals.

A government administrator of benefits packages, Long Term Care Partners at least has the benefit of Alexander's experience. A long-time veteran of the security industry, Alexander recognizes the dangers that security threats and non-compliance with regulations pose to her organization, which includes about 250 people. Her advice to the SMB community is to come to grips with the environment, which means analysis of the logs is critical. She believes automation is key for reviewing logs and other security activities, as manual processes are rarely cost-effective, particularly if an organization is short on technical staffers.

The sad truth is that few smaller organizations even have a security pro like Alexander in their organization. In fact, many run IT with a skeleton crew or even a one-man-band.