IT security framework for SMBs

SMBs are not only increasingly dependent on IT – they are dependent on increasingly-interconnected systems, which are in turn open to an ever-expanding population of devices and access points. The volumes and value of data contained in these systems continues to grow, which both increases the potential damage associated with a breach, and attracts heightened attention from hackers. Techaisle’s SMB survey data finds a disconnect between security policy and security practice that creates the potential for poorly-coordinated approaches to security – an uncertainty that is magnified by shadow IT.

In Techaisle’s latest survey of SMBs, only 13% said that they were fully prepared and confident to handle security challenges, especially mobility security. The remaining 87% were partially prepared, unprepared or unsure. These are very sobering statistics.

Techaisle’s SMB Shadow IT survey data shows that over 70 percent of applications and nearly 60 percent of IT infrastructure related spend and decision authority lies outside of IT. These expenditures are made without the IT department’s approval, guidance, or in some cases, even without IT’s knowledge. 

Security is becoming a more critical component of business rather than IT strategy.

SMB IT security managers should petition for senior executive support which will help to build an approach that safeguards the organizations, users and data, in a framework that is flexible enough to respond to emerging opportunities and threats.

SMB Mobility increases threat perimeter

The problem with mobility (like cloud) is that it changes the concept of “perimeter.” Intruders don’t need to batter through closely-guarded walls to gain access to the interior of the network; they can ride through a permeable configuration on the backs of mobile devices that have been granted access to the precious applications and data that live in the interior of the organization. It is as if the castle walls and drawbridge were replaced by windows and breezeways offering access to visitors arriving from all directions.

With mobility, the SMB user community becomes a ubiquitous and shifting source of portals through the perimeter. As a result, IT doesn’t need to only defend against recognized foes: it needs to protect the corporation from breaches that can result from the actions of its own workers, and needs to protect the same data that it delivers as an essential component of support for the mobile workforce – the workforce that is viewed by senior management as making compelling contributions to the top and bottom-line success of the business.

SMBs should consider a four-layer security framework model for deployment:

1. Secure the perimeter. This involves protecting the network and its devices against hacks, intrusions and malware. Firewalls that protect in-transit data are a key secure perimeter technology, and today’s next-generation firewalls include intrusion prevention, anti-malware, application control and SSL encrypted traffic inspection in addition to basic firewall capabilities.
2. Secure at-rest data. The second critical component in the four-layer model is security for at-rest data. The most important element at this layer is encryption technology. Data loss prevention (DLP) technology that prevents leakage of data resident on mobile devices is an extension of at-rest data security. Another key “to do” in this category involves separating data into discrete domains, so that hackers accessing one part of a network do not automatically gain access to all network-resident information. This step may well require IT and business to work together to identify and classify different pools of information, which can be assigned varying levels of security and isolation depending on their importance.
3. Take steps to protect against employee vulnerabilities. Most security technologies are designed to protect against external threats – but, employees can also be the source of substantial data breaches. Effective access policies (and enforcement of those policies), training and regular awareness campaigns can help protect against inadvertent data leakage. Malfeasance can be more difficult to protect against, though new analytics tools can help highlight patterns that might indicate malicious activities. As per Techaisle’ study slightly less than 50% of SMB executives say that use neglect/irresponsibility is one of the big mobility security threats. However, less than 10% are guarding themselves against such threats.
4. Apply intelligence in the security process. Hackers actively distribute exploits and information on vulnerabilities, and as a result, the nature of threats continues to evolve. However, there is active information sharing amongst the white hats as well. Security-responsible managers can subscribe to services that provide up-to-the-minute intelligence on emerging threats. This kind of insight allows IT managers to align defenses with highest-priority issues – as long as the overall framework is flexible enough to allow extensions from the “minimally essential core” to areas of immediate and specific need.

There is one additional, critical consideration that IT managers must overlay on this four-layer framework: the need to integrate within and across the layers. A hardened perimeter is only as hard as its softest point; to be effective; the “shields” need to connect/overlap in ways that do not leave vulnerabilities that hackers can exploit. Similarly, data that is tagged as high-priority for encryption needs to be protected on one side from poorly-secured endpoint devices and on the other from employee mistakes or malfeasance.