Security in small and mid-size businesses is more than just preventing viruses and blocking spam. Protecting your assets is the key to the long-term success of your business and the foundation of a strong IT infrastructure. What are the basic building blocks of a secure infrastructure?

In 2009, cyber crime is expected to increase as criminals attempt to exploit weaknesses in systems and in the people that use them. An overwhelming volume of malware can hit organizations. Viruses may spread through e-mail, Web sites, USB sticks, social and business networking sites, etc.

If an organization does not have a solid security policy and plan in place, the safety of the desktops, servers and all network devices (and all your data on them) will be at the mercy of the end user. Relying on the end user is not advisable or worth the risk.

The Small Business Administration estimates that 90 percent of companies that fail to recover data after a major loss are out of business within two years. Also, 54% of all business will find themselves the victim of data loss or cyber crime over the next three years.

The basic building blocks for a secure IT environment

• Model the threats to your business and have a third party perform a security risk assessment
• Develop an information security policy and educate your users
• Design a secure network, implement packet filtering in the router, implement a firewall and use a DMZ network for servers requiring Internet access
• Know your network. Harden your systems by removing unnecessary applications and maintain an aggressive program of patching operating systems and applications
• Offsite data backups with restoration plan
• Keep your systems patched
• Minimize exposure

In the SMB space, where you do not have the benefit of a dedicated team or individual whose sole responsibility is to keep your environment locked down, another option is managed IT services. For small business, this is a low cost, high reward solution. Services are provided on a monthly subscription, a recurring operational expense and include things like security.

As a business you must maintain best practices when it comes to securing your data and your infrastructure, the longevity of your business could depend on it.

Insider theft is on the rise. Displaced workers are abusing their corporate data access to steal, exploit and damage information networks. In a survey of 800 worldwide CIOs, more than 40% agreed that displaced employees were the biggest threat to vital information. International companies are estimated to have lost more than $1 trillion in intellectual property last year. What steps are taking to ensure your most precious asset – your data – is protected?

“This is a wake-up call because the current economic crisis is poised to create a global meltdown in vital information. Increased pressures on firms to reduce spending and cut staffing have led to more porous defenses and increased opportunity for crime. Companies need to stop looking at security as a cost center but as a business enabler,” said Dave DeWalt, president and chief executive officer of McAfee.

Many cases of businesses theft and data loss go unreported due to embarrassment, public relations nightmares and the possibility of losing customers. This practice may soon be coming to a halt. States are beginning to regulate data breach reports. California is paving the way for regulations in data theft incidences by requiring businesses to report a breach within 24 hours. We expect other states to follow suit with reporting requirements.

In a recent study by CERT and the Army Research Office, multiple cases of insider theft were studied for patterns of behavior. These cases all included prosecution where public information was readily available. The study suggested that dissatisfaction played a major role in 39% of the cases with denied raises, benefits, applications for promotion, requests for relocation and the threat of layoff from within the organization.

Most businesses believe in protecting the perimeter of the network. Little focus has been given to the inside. Insider threats include not only misconfigurations of access controls, which allow access into applications or data that should be restricted, but also snooping employees, corporate espionage and disgruntled employee theft.

Although most companies don’t regard inside security as critical as external security, the approach to both types of threats should be the same.

1. Security Assessment – ensure your devices are configured correctly and your policies and procedure back up your security stance
2. Penetration Testing – check your systems just like and outside hacker would
3. Security Enforcement – knowing your vulnerabilities is half the battle, fixing them is the other half
4. Perimeter Monitoring – round-the-clock monitoring to ensure speedy response to an attack
5. Internal Monitoring – protect your business from attacks against trusted users

Since insider attacks are specifically targeted attacks, it’s risky business not to proactively protect your organization.

The type of security threats on our networks is escalating. While tools exist to detect security leaks, they have no chance against skilled professionals with a reason to take something from your network. Knowing where you stand in terms of network security is no longer an option, but a necessity. The numbers associated with network security will shock you.

Studies show more security threats come from outside an organization, but an increasing concern relating to several types of internal threats persists. CSO Magazine’s E-Crime Watch Survey found that overconfidence is pervasive amongst security professionals and organizations in thinking they have things handled. This kind of thinking is concerning given the recent rise in targeted, financially motivated attacks.

• May 2009 – Heartland Payment Systems reported a security breach that cost the company about $12.6 million, including legal costs and fines from MasterCard and Visa, which directly contributed to a $2.5 million loss for the affected quarter
• December 23, 2008 – RBS Worldpay, a subsidiary of Citizens Financial Group Inc., said a breach of its payment systems may have affected more than 1.5 million people
• March 2008 – Hannaford Brothers Co. disclosed that a breach of its payment systems, also aided by malicious software, compromised at least 4.2 million credit and debit card accounts

Social Engineering and Password Crackers

The E-Crime Watch Survey revealed that the use of social engineering techniques jumped to the number one method of committing e-crimes. This includes manipulation of a person or persons who can permit or facilitate access to a system or data.

Another change revealed that organizations with insiders using sophisticated technologies like password crackers or sniffers jumped from 17 percent to 31 percent. The evidence shows that while 57 percent of participants said they are increasingly concerned about the potential effects, a large number have trimmed IT spending by 5 percent and corporate security by 15 percent.

How You Can Protect Your Business

With the average cost of a security breach estimated at $6.6 million (ranging from $613,000 to $32 million), it pays to have a baseline of the environment, utilize IT security policies and stay up-to-date on trends. Focus on areas that pose the highest threat to your environment.

A recent article by CompTIA (Computing Technology Industry Association) says, “To address evolving threats, support mechanisms such as disaster recovery plans, dedicated security teams, security trainings and formal policies for responding to incidents have been adopted by many firms. These are supplemented by preventive technologies, such as firewalls and antivirus software used in combination. A growing number of U.S. firms are using other technologies, including intrusion detection systems, physical access control and multi-factor authentication.”

CompTIA’s survey of 1,000 IT professionals revealed their top security threats.  Which of these threats are relevant to your organization? What initiatives are you planning to address network security?