March 7, 2013

Six Ways to Protect SMEs

Small and medium-sized businesses (SMEs) are increasingly the targets of hackers and data breaches. Large corporations have invested in their defenses to the point where they are no longer a high payout for minimal effort, so attackers have moved down-market. SMEs are more exposed not because they have changed, but because large enterprises have become less attractive. It is simply not feasible for most SMEs to mount the same defenses: the best, most robust solutions cost more than the assets they would protect.

What can SMEs Do Without The Same Budgets?

I’ve compiled a list of 6 things SMEs can do to protect themselves, without breaking the bank.

1. Improve User Awareness

Most large-scale data breaches now begin with some form of social engineering. Years ago these attacks were as simple as phoning a user and asking for a password. The growing trend is phishing: a message that lures the user into opening a link or attachment that installs malware on their system, which the attacker then uses as a foothold into the network. Users should be trained to recognize these messages and to report them, and a response procedure should exist for when they do. If users do not click links or open attachments in unexpected email, the chance of a breach drops dramatically.

2. Create Policies for User Termination

Many data breaches are as simple as a departing employee taking a client list to a competitor. There are legal (and ethical) remedies after the fact, but it is far better to stop the problem before the damage is done. IT managers should work with HR on a procedure for every departure, voluntary or otherwise. It should cover keeping the employment decision confidential (IT administrators have more than once tipped off someone who was about to be fired by revoking access early), and it should define how the employee's access to company files is handled in the run-up to departure: restricted where possible, and at least closely monitored, so that sensitive files do not leave when the employee does. Accounts should be disabled, and any shared passwords the person knew rotated, the moment the departure takes effect.

3. Password Policies

Most SMEs still rely on passwords alone to protect their assets; the alternatives can be expensive to implement and maintain. Where two-factor authentication is not in use, a password policy should be enforced technically, not just written down. An effective policy forces new users to change their password at first logon, so that an initial password cannot be compromised before it is used and a weak initial-password scheme (for example, the same default for every new hire) does no lasting harm. Passwords should expire; the interval is a balance between protection and the volume of helpdesk reset requests it generates. A password history should be kept so that old passwords cannot be reused. Finally, passwords should be complex (8 characters or more, upper and lower case, numbers and symbols) so that they are not trivially guessed or brute-forced; since length does more for brute-force resistance than symbol rules do, set the minimum as long as users will tolerate.
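The four rules above (forced change at first logon, expiry, history, complexity) are easy to state and easy to get subtly wrong, so here they are as working code. This is an added example, not code from the original post; the policy numbers, the account model and the sample passwords are assumptions chosen for the illustration, and the history is kept as salted PBKDF2 digests rather than plaintext so that checking for reuse does not itself create a leak.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy values are assumptions chosen for this example; the expiry interval in particular
# is the protection-versus-helpdesk trade-off discussed above.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 10
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. History is kept as (salt, digest) pairs, never as plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # history[0] is the current password
    last_change: Optional[date] = None  # None: the admin-issued initial password is still in place
    must_change: bool = True            # cleared by the first successful change


def complexity_errors(password: str) -> List[str]:
    """Each violated rule becomes one message, so the user sees everything wrong at once."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.islower() for c in password), "no lowercase letter"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in string.punctuation for c in password), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


def in_history(account: Account, password: str) -> bool:
    """Re-derive the candidate under each stored salt and compare in constant time."""
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def change_required(account: Account, today: date) -> Optional[str]:
    """Reason a logon must be interrupted with a forced change, or None if the password is fine."""
    if account.must_change or account.last_change is None:
        return "initial password must be changed at first logon"
    if today - account.last_change > timedelta(days=MAX_AGE_DAYS):
        return f"password older than {MAX_AGE_DAYS} days"
    return None


def change_password(account: Account, new_password: str, today: date) -> List[str]:
    """Apply the policy. Returns the list of violations; an empty list means the change took effect."""
    errors = complexity_errors(new_password)
    if in_history(account, new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    account.history.insert(0, hash_password(new_password))
    del account.history[HISTORY_DEPTH:]
    account.last_change = today
    account.must_change = False
    return []


def demo() -> dict:
    """Walk one constructed account through the policy; results are keyed for inspection."""
    today = date(2013, 3, 7)
    acct = Account("jsmith")
    acct.history.append(hash_password("Welcome1!"))  # constructed initial password issued by IT
    return {
        "first_logon": change_required(acct, today),
        "reuse": change_password(acct, "Welcome1!", today),
        "weak": change_password(acct, "password", today),
        "accepted": change_password(acct, "Tr0ub4dor&3", today),
        "after_change": change_required(acct, today),
        "expired": change_required(acct, today + timedelta(days=MAX_AGE_DAYS + 1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reuse check is the part most often skipped in home-grown implementations: it has to re-hash the candidate under every stored salt, which is why a deliberately slow hash and a bounded history depth matter here.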

4. Use Encryption Whenever Possible

There is minimal overhead in moving from an insecure protocol such as HTTP to its secure alternative, HTTPS, and the same goes for any other protocol that carries credentials in the clear. Years ago, when hubs were more common than switches, packet sniffing revealed passwords on a regular basis. The prevalence of wireless networking has brought password sniffing back. On a network protected with a pre-shared key (WPA/WPA2-PSK), anyone who knows that key and captures a station's association handshake can decrypt that station's traffic, so the shared key offers no protection against a malicious or compromised insider, and an open hotspot offers none at all. Encrypting at the application layer (TLS) protects the credentials regardless of who else is on the network.
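To make the exposure concrete, the following added example (not code from the original post) reassembles what a passive sniffer holds after capturing one connection and pulls credentials out of it. The three streams are constructed for the illustration: an HTTP request with Basic authentication, an HTTP form login, and a TLS application-data record. The hostnames, usernames and passwords are made up; the point is that the first two yield credentials in the clear and the third yields nothing without the session keys.

```python
import base64
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed TCP stream payloads standing in for what a passive sniffer (on a hub, or on a
# WPA2-PSK network after decrypting with the shared key) reassembles from one connection.
BASIC_AUTH_STREAM = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.example.local\r\n"
    b"Authorization: Basic " + base64.b64encode(b"alice:Summer2013!") + b"\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
_FORM_BODY = b"username=bob&password=Winter%212013&remember=1"
FORM_POST_STREAM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: crm.example.local\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_FORM_BODY)).encode() + b"\r\n"
    b"\r\n" + _FORM_BODY
)
# A TLS application_data record (content type 0x17, version 3.3) with an opaque payload:
# without the session keys the sniffer sees only ciphertext. Payload bytes are constructed filler.
TLS_STREAM = bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(range(32))

USER_FIELDS = ("username", "user", "email", "login")
PASS_FIELDS = ("password", "passwd", "pass")


def extract_credentials(stream: bytes) -> List[Tuple[str, str, str]]:
    """Return (method, username, password) triples recoverable from one plaintext HTTP request."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines[0].endswith((b"HTTP/1.0", b"HTTP/1.1")):
        return []  # not a plaintext HTTP request (e.g. a TLS record): nothing to read
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    found: List[Tuple[str, str, str]] = []
    # Basic auth is just base64, which is encoding, not encryption.
    auth = headers.get(b"authorization", b"")
    if auth[:6].lower() == b"basic ":
        try:
            user, _, pw = base64.b64decode(auth[6:], validate=True).decode().partition(":")
            found.append(("basic-auth", user, pw))
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header, not credentials
    # Form logins put the password in the POST body as a plain URL-encoded field.
    if headers.get(b"content-type", b"").startswith(b"application/x-www-form-urlencoded"):
        fields = parse_qs(body.decode(errors="replace"))
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), "")
        pw = next((fields[k][0] for k in PASS_FIELDS if k in fields), "")
        if pw:
            found.append(("form-post", user, pw))
    return found


def scan(streams: Dict[str, bytes]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Run the extractor over a set of named streams, as a sniffer would over a capture."""
    return {name: extract_credentials(data) for name, data in streams.items()}


SAMPLE_STREAMS = {"basic": BASIC_AUTH_STREAM, "form": FORM_POST_STREAM, "tls": TLS_STREAM}

if __name__ == "__main__":
    for name, creds in scan(SAMPLE_STREAMS).items():
        print(name, creds or "nothing recoverable")
```

The same few lines of parsing are all an attacker on the wireless segment needs; switching the application to HTTPS turns the first two streams into the third.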

5. Patch Management

Simply keeping systems up to date removes most of the vulnerabilities that can be exploited without a user doing anything to allow it. Operating-system patches and application patches are both crucial to avoiding the attention of attackers who are looking for low-hanging fruit. Management should understand why patching is necessary so that outage windows are accepted, or, where they cannot be, so that backup and redundant systems are used to patch without downtime. Patching also needs verification: a patch that was scheduled but failed to install is no better than no patch unless something reports on it.

6. Next-Gen Firewalls

As firewalls and routers reach replacement age, consider next-generation firewall offerings. They are not substantially more expensive than their predecessors once the features they bundle are considered: intrusion prevention (IPS), network malware protection, policy filtering by username, deep packet inspection and more, each of which would otherwise require a separate and more expensive system. One caveat: features such as IPS and deep packet inspection only help if someone enables, tunes and actually reviews them.