Small businesses must become more aware that they are the potential victims of cybercrime, former White House security adviser Howard Schmidt has urged.
Speaking at an IT security event at London's House of Lords on Monday, Schmidt said all businesses are at risk through a lack of proper configuration of security equipment, or through not taking proper security precautions.
"SMBs (small and midsized businesses) are not aware of being a potential victim--spending 40 pounds (US$76) per year on antivirus is not a high priority," he said at the event, organized by managed services specialist Claranet. "SMBs have to realize that just because they are small, it doesn't mean they won't be targeted. Bad guys target wherever they can get money."
Ninety percent of small businesses and consumers install antivirus, but 10 percent never update the software's signatures, which are matched against suspected threats, Schmidt said. Small businesses with limited staffing resources simply do not have time to devote to cybersecurity issues, he said.
In addition to keeping a lookout for malicious software, organizations need to be aware of important data leaving the company, often through human error. Employees using file-sharing networks are often unaware of the security implications, Schmidt said.
"Individuals working on peer-to-peer networks often don't realize they're sharing the whole contents of their drive. You can find Homeland Security vulnerability assessment documents online from employees (using P2P)."
However, Schmidt said that SMBs will eventually start using managed software security services, with third-party providers managing both low-cost application level security and end-point hardware.
"Eventually, we'll move to a model of software as a service, with a low-cost environment of managed security services," he said.
However, application software should have security built in from the beginning, said Schmidt, who added that he looks forward to a time when software will be able to configure automatically to a user's system and detect attempted security breaches.
"I don't think the end user should protect themselves. It's like safety in new cars--built in. They want automatically self-healing and self-configuring software," said Schmidt.
Small businesses must take security into account in their planning and decide whether to outsource security, invest in training or allocate more resources. "Training is important, because we don't know what we don't know," Schmidt said.
If a small enterprise does have a full-time IT manager, that manager should become familiar with security standards such as ISO 17799, he said. "IT managers need to follow best practices--they should know what security applies to which devices. The trouble is, many times they're far too busy," Schmidt noted.
Charlie McMurdie, a detective chief inspector in the computer crime unit of the Metropolitan Police in London, said that "SME security is disjointed at the moment."
McMurdie said that computer security should follow common-sense procedures. "If you had a house, what traditional measures would you have around the premises? Who has a key? People need to apply the same common sense to Internet security. Stand back and look at who has access, who has a password."
Schmidt is on the board of directors for Fortify, which sells source code analysis tools.
Play video
ItÂ’s about education and awareness on all fronts. Operating in a company structure where few carry the burden of threats on multiple fronts is a challenge. A challenge for those in IT to Support staff; the ramifications of hackers, lost client information and leaked intellectual property can be daunting to the SME.
I think education is key and letting your non-tech staff know in basic terms what the threats are, what good usage of company machines and software is, and how data leaving the organization can affect everyone www.essentialsecurity.com...
Posted by Marilee Veniegas, Essential Security Software on Thursday, November 23 2006 02:54 AM