23/10/2014

By Patrick Bedwell, a VP at AlienVault


Following a multitude of breaches publicised by the media, ‘data security’ is a concept that is gaining significance. Yet it remains an afterthought for many SMBs, who are often too complacent, thinking “it won’t happen to me.” After a data loss, it may be the larger companies who are publicly scrutinised, but all attacks come at a cost that even smaller businesses must face.

Most SMBs know of the potential for data loss, but a lack of information means many are not too worried about the risks they face. SMBs face many challenges: gaining insight into what systems are on their network, what data they are storing, and what vulnerabilities exist for hackers to exploit. Too often we hear of data being exfiltrated for one or more of the following reasons:

- The system from which the data was stolen was unknown to the IT team
- The IT team didn’t know what data was stored on the system
- There were unpatched or unknown vulnerabilities on the compromised systems that the IT team was not aware of

The primary step towards data protection is awareness, and fortunately there are solutions intended for smaller IT teams that can provide integrated asset discovery, asset inventory, and vulnerability assessment. SMBs can take steps to strengthen their security posture once they know what type of information they’re storing and where.

Information is the heart of SMBs, and as such we shouldn’t limit what they are able to collect or store. Better analytics enables SMBs to compete on an even footing with larger counterparts. In retail, for example, the use of analytics that mine buyer behaviour data, along with social marketing, has allowed small organisations to increase traction and build loyalty with customers in ways that were only available to large businesses until recently.

Specifically designed solutions exist to put indispensable security capabilities and integrated threat intelligence into the hands of smaller IT teams. These solutions are simpler and easier to implement and manage than many of the legacy security management solutions used by large businesses, giving SMBs the chance to defend their data.

In terms of standardising this protection, the PCI DSS is a global data security standard that has targeted SMBs with awareness campaigns for several years.

However, as previously noted, many SMBs lack adequate security expertise to comprehend all of the regulations and policies. They need to make the most of security tools that offer regulation-specific compliance reports and remediation advice tailored to SMBs, so that they can better understand where they are out of compliance. These tools help by automating much of the discovery, analysis and reporting that normally requires thorough knowledge of the regulations.

Generally speaking, most SMBs unfortunately cannot afford to deploy numerous layers of protection. Whether it is the more advanced threat prevention technologies recently on the market or technologies that have been around for a long time, SMBs often cannot justify the expenses necessary to maintain these often-complex security point products. Attackers know of these resource limitations, and therefore regularly target SMBs either to steal inadequately protected information or as a way of gaining illicit access to networks.

How businesses can protect themselves from fines and prosecution

In the last few years, the industry has shifted its focus from ‘prevention’ technologies to ‘detection and remediation’. This shift resulted from a general recognition that a determined hacker with patience can normally find a way to compromise any network. Preventive tools have by and large failed to prevent breaches, and organisations must have the ability to detect and respond to any breach quickly.

When the British Pregnancy Advice Service suffered a major breach, it had to pay a £200,000 fine as a consequence. In this case, the BPAS wasn’t aware that its website was storing the personal information of people who had contacted the organisation. The data wasn’t stored securely, and a vulnerability in the web server made it possible for the system to be compromised and personal data extracted.

Asset discovery and vulnerability assessment technologies would help prevent regulated data from being stored, and vulnerable systems from being used, without the IT team’s knowledge. Coupling those security controls with threat detection and behavioural analysis would provide alerts on malicious traffic that is directly targeting a vulnerable system storing regulated data, as well as reveal unusual network behaviour.

Though such capabilities were previously available only to large IT organisations, there are platforms purpose-built for SMBs that handle all of these indispensable capabilities from one console and provide a unified view of assets, vulnerabilities, threats and behaviours. Security needn’t be a headache for organisations, even smaller businesses, who might not make headlines if they suffer a breach but will still be subject to the same consequences as larger organisations.