Below are some key take-aways from an online audio discussion and chat about security for small and mid-sized businesses (SMBs) that featured Richard Stiennon. Richard is the founder of IT-Harvest, an independent analyst firm, and is followed widely through his security blog, ThreatChaos.com. He was formerly chief marketing officer for Fortinet and VP of Threat Research at Webroot Software. Richard was also a VP of Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services.
The event was part of the Online Audio Series at www.TheSecureSMB.com, which is open to everyone with complimentary registration. An archive of the audio portion of the chat with Richard is available at http://tobtr.com/s/2173105. Many thanks to The Secure SMB team and all of the chat participants for their energy and insights, which generated some of Richard's most interesting comments.
Social Media and Security: Social media today is like the Web a few years ago – significant security risks and threats, but too many business opportunities to ignore. Social media also creates and intensifies the need for business and IT decision makers to examine and improve their security policies, practices, processes and technologies.
Security, Social Media and SMBs: SMBs are in a particularly difficult position. Social media presents opportunities for them to compete more effectively with larger companies. But SMBs have few resources to invest in security or IT. This makes them both dependent upon technologies like social media and more vulnerable to technology-borne threats, even if good policies are in place. Per Richard: "Even if you require the security guy to put the passwords in an offsite safe he invariably changes them (as he should) the day before he gets hit by a truck."
Security and Telecommuting: Companies large and small can benefit significantly from supporting the ability of executives, IT support staff and other workers to work from home or while on the road. However, those supporting telecommuters and traveling workers must weigh and balance security concerns carefully. This is particularly true regarding the "bring-your-own-computer" ("BYOC") initiatives growing in popularity among many companies.
Per Richard: "I think it is unfair for [companies] to expect their employees to work from home without supporting them with technology. The risks are way too high with personal devices, especially laptops. Give them locked-down computers. If they want to browse inappropriate stuff or play games they can do that on their home [or personal] device. Now Netflix when you are on the road – that is different…"
The IT Staff "Threat": If a company has an IT staff, everyone on that staff becomes a potential point of vulnerability, especially if that staffer becomes disgruntled. And this is even more of a problem at SMBs, where all IT responsibility is in the hands of a single individual.
Per Richard: "There has to be a very large degree of trust there. And yes, there are some scary stories about disgruntled IT guys. [In a] recent one, the guy left the office after being fired, went to a local McDonald's, used their free Wi-Fi to log back in to the [corporate] network and erase every VM [virtual machine] in the data center. Ouch!"
The Best Defense: Whether a company is a global enterprise or emerging SMB, no security technology alone will provide adequate protection. What's needed is a combination of technologies, selected and supported by solid policies, practices and processes. These must work in concert to ensure that there are no single points of vulnerability and that critical resources are protected, regardless of where they or their authorized users may be. And protections must apply to everyone, including executives and IT staffers.
Per Richard: "IT guys tend to assume their own rules do not apply to them. I was called in once because a small company discovered [that its Webmaster] was running a BitTorrent server [typically used for sharing of movies, music and games] on their main Web server. A little forensics work and he was gone. The right solution is in checks and balances. No one person [can have] complete control over the keys to the kingdom. Just like accounting systems."