Small Business, Big Security Problems

I was reading an article today that put some numbers to a problem I’ve been aware of for some time: inappropriate data transfers to personal equipment. While the basic story was not news to me (or, I’m sure, to many other security professionals), it was interesting to see numbers put to the scale of the problem. I’m amazed at how candid the respondents were to the survey. I suspect others were not entirely candid, so I would not be surprised if the problem is somewhat larger than portrayed. This is only one of a number of painfully common security threats to small business.

The first step is admitting that you have a problem.

Far too few small businesses take security seriously. The first reason is the same reason many large businesses don’t pay much attention either: they’re busy doing what they do best. They don’t want to be distracted from their core business. This is certainly understandable, especially when you’re starting a new business or working on your own: there are so many things to do and not enough time. I don’t have a good answer for this conundrum. I’ve certainly faced it myself, and there are always decisions to make about current priorities.

Reason number two is the belief that their business is not an interesting target. This is a misconception held by many owners and managers. They assume that because they’re small, don’t store credit card information, or are otherwise uninteresting, no one would want to attack them. You probably aren’t of particular interest to a cracker, but you don’t have to be interesting to be at risk; you just have to be an easy target.

I’ve seen this belief in the safety of boredom bite a number of friends and colleagues over the last few years. “It shouldn’t matter that my password is lousy, I’m not interesting.” Wrong! If your password is lousy (especially if it’s on this list), your account will be compromised at some point. Crackers don’t care whether they get your account in particular; they just want accounts. It is far cheaper to try a short list of common passwords against a long list of usernames than to guess a password that someone has chosen carefully.

Housebreaking and car theft provide a good illustration of the basic economics of the situation. There is seldom a specific target; they are crimes of opportunity. Try enough doors and windows and you will find some that are open. The same applies on the Internet, except that the thief doesn’t even have to check your doorknobs and windows personally: they assign a robot to that task and investigate only when it finds something open. Often, even the thefts themselves are automated. The world of viruses, trojans, malware and botnets has created an environment where increasingly sophisticated programs scour networks looking for known entry points. When they find one, they do some standard data gathering for usernames, passwords, addresses, birthdates and credit card numbers, then send the data home to mom like a proud child.
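The robots described above leave tracks, and the two patterns they leave are easy to tell apart: a few common passwords tried against many usernames (spraying), or many guesses against one account (brute force). The script below is an added example, not code from the original post, that runs that distinction over a handful of constructed sshd-style log lines. The IP addresses, usernames, timestamps and the thresholds (five distinct usernames, five attempts) are all assumptions chosen for illustration; tune them to your own volume of traffic.

```python
import re
from collections import defaultdict

# Constructed sample log lines in sshd's auth.log format (not real traffic).
# 203.0.113.7 tries many usernames once each (spraying), 198.51.100.22 hammers
# one account (brute force), and 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
Mar  3 02:14:01 web1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:14:03 web1 sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 02:14:05 web1 sshd[4102]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 02:14:07 web1 sshd[4102]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Mar  3 02:14:09 web1 sshd[4102]: Failed password for invalid user guest from 203.0.113.7 port 51255 ssh2
Mar  3 02:14:11 web1 sshd[4102]: Failed password for invalid user user from 203.0.113.7 port 51260 ssh2
Mar  3 02:20:30 web1 sshd[4190]: Failed password for keith from 198.51.100.22 port 40001 ssh2
Mar  3 02:20:31 web1 sshd[4190]: Failed password for keith from 198.51.100.22 port 40002 ssh2
Mar  3 02:20:32 web1 sshd[4190]: Failed password for keith from 198.51.100.22 port 40003 ssh2
Mar  3 02:20:33 web1 sshd[4190]: Failed password for keith from 198.51.100.22 port 40004 ssh2
Mar  3 02:20:34 web1 sshd[4190]: Failed password for keith from 198.51.100.22 port 40005 ssh2
Mar  3 09:02:10 web1 sshd[5001]: Failed password for keith from 192.0.2.5 port 43210 ssh2
Mar  3 09:02:40 web1 sshd[5002]: Accepted password for keith from 192.0.2.5 port 43211 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Return a list of (source_ip, username) pairs, one per failed login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def classify_sources(failures, spray_users=5, brute_attempts=5):
    """Label each source IP by the shape of its failed logins.

    'spraying'   - at least spray_users distinct usernames: a short password
                   list being tried against every door on the street.
    'bruteforce' - at least brute_attempts failures, but against few accounts.
    'noise'      - below both thresholds (a legitimate user's typo, for example).
    Thresholds are illustrative assumptions, not recommended values.
    """
    by_ip = defaultdict(lambda: {"attempts": 0, "users": set()})
    for ip, user in failures:
        by_ip[ip]["attempts"] += 1
        by_ip[ip]["users"].add(user)

    verdicts = {}
    for ip, stats in by_ip.items():
        if len(stats["users"]) >= spray_users:
            verdicts[ip] = "spraying"
        elif stats["attempts"] >= brute_attempts:
            verdicts[ip] = "bruteforce"
        else:
            verdicts[ip] = "noise"
    return verdicts


def analyse(log_text=SAMPLE_LOG):
    """Parse and classify in one step; returns {ip: verdict}."""
    return classify_sources(parse_failures(log_text))


if __name__ == "__main__":
    for ip, verdict in sorted(analyse().items()):
        print(f"{ip:16} {verdict}")
```

The spraying source never repeats a username, so a per-account lockout would never fire against it; counting distinct usernames per source is what makes it visible. Note also the last two sample lines: a failure followed by an "Accepted password" from the same address is exactly what a successful guess looks like, so a real deployment should correlate successes with the failures that preceded them rather than looking at failures alone.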

Even if you don’t have anything to steal, being vulnerable means that your machines will at least be recruited into a botnet and become part of the attack platform used to victimize others. Do yourself and the rest of the Internet a favour and take the problem seriously.

Oh dear. What should I do about it?

  1. Get some good advice. There aren’t a lot of security professionals out there, but there are some. Your current IT staff can probably help you at least get started. In fact, they’ve probably got a number of ideas already.
  2. Patch your systems. So simple, but so hard. It is truly depressing how many servers, desktops and laptops are running older versions of their operating systems that are susceptible to known, already-fixed threats. It takes time, but it is a key line of defense.
  3. Use an effective firewall and keep it patched, but don’t assume it will stop everything. Exploits are an arms race and the defenders are always playing catch-up. There’s no shame in that, but it’s a reality.
  4. All data should be held in systems that require authentication. Never assume that a device is legitimate just because it is on your network. This is a huge area of concern in almost all businesses; be vigilant.
  5. Develop and follow an effective password policy. Being the boss means you should care more, not feel justified in being the special case who keeps the password you’ve used for everything since you were 17. I’ll say more on this in a future article, as there is much debate about best practices.

These are just the most common and easily explained problems. No list can be exhaustive. Did I mention that you should get some advice specific to your environment? Do it. You’ll be glad you did.

Keith Nunn has been a freelance Internet, systems and networking professional for finance, healthcare and for non-governmental organizations since 1993. His particular focus is in security and advanced IT planning. In his spare time he teaches whitewater canoeing, leads Scouts, builds furniture and plays guitar.