News Column

Securing your assets

August 14, 2014



The biggest IT security threats facing SMEs in the Middle East do not come from the myriad of viruses and cyber-nasty's floating around the internet, but rather from companies' very own employees. A simple mistake, such as picking up a dropped USB stick and plugging it into a company computer can bring down the entire company, threaten its partners and destroy its reputation in the marketplace.

Unlike large organisations, SMEs have smaller IT budgets and therefore invest less on internal resources. Because of this lack of employee training, internal threats remain a big factor for these organisations.

"Whether intentional or not, employees are the biggest threat [to company security] because they lose data, either through the loss of PCs, smart phones or other items, or by clicking on phishing links. If an SME is in high-risk vertical such as oil and gas, then they are at just as much risk as some large enterprises. When Anonymous launched Operation Petrol, they did not discriminate between large and small petroleum companies. They went after them all," said Eric Paulak - managing VP, conference chair Gartner Security & Risk Management Summit.

It is not uncommon for employees to use USB drives, transfer corporate data via personal email accounts, utilise public cloud storage services and even access the company network from their personal mobile devices. Each of these opens up a host of attack vectors, according to Help AG.

"The biggest issue for any organisation today, small or big is around social engineering and controlling user behaviour. In our work with our customers, we see that a lot of the issues faced are around users opening attachments, downloading executables or clicking malicious links which causes some form of infection, such as a virus, malware, ransom ware or spyware. All of these can impact the ability to conduct business or can cause loss of confidential data," said Nicolai Solling, Director of Technology Services at Help AG.

Social media, phishing and spear- phishing are also major threats. Through these channels, employees can be tricked into visiting untrustworthy websites and triggering malicious downloads.

SME's have a specific challenge as the type of the business that they do may require them to invest into advanced security technology and solutions. However the size and scale of the business may not be able to support this.

"Any SME needs to understand that they are as much a target as anyone else. With the recent Target attack, it was actually an SME subcontractor of Target who unknowingly aided an attack and a data breach through the placement of malware in the Target infrastructure. This caused Target to expose information on 70 million payment cards and later meant the CEO had to resign," said Solling.

Most SMEs also face threats due to malware taking advantage of vulnerabilities within their networks that have not been patched, followed by lack of data privacy and protection mandates, and a lack of availability of advanced security solutions.

"Increasingly, mobility adds to the challenge as well. SME businesses are as impacted by downtime and information loss as a large organisation should invest in security solutions and policies that can avert such incidents," stated Megha Kumar, Research Manager - Software, IDC MEA.

HOW TO SECURE YOUR ASSETS

With small IT security budgets and few, or no IT staff, for an SME to ensure that its assets are safe from attack is nearly impossible. According to Eric Paulak, managing VP, and conference chair at Gartner Security & Risk Management Summit. SMEs cannot fight cyber-attacks on their own."SMEs need help. Large enterprises need help too, but not to the extent that SMEs do. This means partnering with a strong security services company that can help assess current weaknesses and can help remediate any issues after an attack," said Paulak.

According to Pradeesh VS, General Manager at ESET Middle East, the first mistake SMEs make is not to have enough budget allocated specifically to IT security.

"Organisations should understand their priorities. With the amount of cyber-crime and targeted attackers that organisations face today, if they don't have the right mechanism in place, it could well mean significant losses for the business, or at least an impact to the brand which will indirectly result in financial losses," he said.

Small IT budgets, or an incorrect budget allocation is indeed a challenge to adequately securing assets, as the technology required may be more expensive than the business can support.

"Looking into managed security services may be an option, which proves to be cost effective and can bridge the knowledge gap. In many organisations, SMEs as well as enterprises, key aspects of IT security operations such as monitoring of events is still greatly ignored, specifically outside of business hours. Maybe it is time that we all understand that the attackers do not sleep or take time off just because we do. Again engaging with the correct trustworthy third party organisation to take care of this may be the correct decision to take," explained Solling.

Managed security services, such as those utilising cloud services are an attractive option for SMEs for a number of reasons. First off, it eliminates high upfront CAPEX with manageable OPEX.

There is no worry of continued upgrade and refresh cycles either and at the same time, they can avail of security solutions which would have otherwise been out of budget. Cloud services also address the shortage of skills allowing precious IT resources to be allocated to more pressing issues that align with driving business productivity.

"There are however concerns relating to the cloud that SMEs need to address first. The most important is privacy. After the NSA scandal broke, this became a major concern. When trusting sensitive data with a third party provider, it is important to understand how the data will be stored and who will have access to it. For example, data stored in the USA is subject to the Patriot Act which means that if required by law for national security purposes, the cloud provider would have to share sensitive information with the government. Opting for a service that stores data within the organisation's country of operation is therefore a necessary criteria for selection," said Solling.

It is also important to ask the cloud provider how the data will be segregated. If it co-mingles with other customers' data, a vulnerability to one customer environment can pose a threat to many others as well. Encryption, both during storage and transfer, should also be done and the provider's policies relating to monitoring, reporting and mitigating security breaches should be evaluated thoroughly.

At some point in time, everyone will have to use some cloud services, according to Gartner. Some cloud services should be used today. For example, if an SME invests heavily in distributed denial of service (DDoS) attacks where the attack is designed to overwhelm the SME with traffic directed at web site, the SME will fail because if it waits to stop an attack until it is at the front door, the SME will not have the bandwidth to stop the attack and legitimate business traffic will not get through. "The most effective way to stop DDoS attacks is to work with a service provider to detect the attacks while they are still in the internet infrastructure and try to block or reroute traffic before it gets close to the SMEs infrastructure. As far as other cloud security services, it really doesn't matter where the tools are.

What matters are the policies, people and tools the service provider has. If they don't follow the same industry standards in the cloud, they certainly won't do it on a customer's site. So, SMEs must fully evaluate the vendor with a strong emphasis on references in the region that you can talk to," stated Paulak.

Kumar believes that managing security services in the cloud is a very useful tool for SMEs to add to their IT security arsenal, particularly for security around an endpoint, such as web and email.

THE MOBILE WORKPLACE THREAT

Bring your own device (BYOD) is something that is inevitable given the high penetration of mobile devices in the Middle East. For its ability to improve productivity, collaboration and overall employee satisfaction, BYOD is an attractive proposition for businesses of all sizes. However, SMEs should be wary of rushing implementations as they tend to do so while focusing only on cutting costs and enabling innovation, according to Help AG.

The good news for SMEs is that today there are tools that can help IT departments implement BYOD in a safe and manageable manner. When evaluating such solutions the basic features required are the ability to monitor and control network access though security profiles, pushing of applications and updates, and remote wipe devices (in case of theft or loss).

"The challenge may be to get employees on board with the company's policies though. Since the device is no longer owned by the organisation, there are restrictions upon the level of control that can be exerted," said Solling.

The biggest risk today with tablets and smart phones is a loss of data. Therefore, the first step that SMEs need to take is to ensure that company data on that device is secure. That means that SMEs need to look at ways to secure that data through encryption or not allowing the data to be saved on those devices. Since the latter solution would require that those devices be connected at all times, encryption is the best solution, according to Gartner. This can be accomplished through using any number of end point protection or mobile device management tools that are available.

"Over time, however, that mobile end point could be just as dangerous as any laptop is today. Over 95 per cent of current malware in the mobile world comes from Android devices. Windows- based devices will become increasingly under attack and even Apple devices will start to see some holes. So, in the mid- term, SMEs need to start treating smart phones and tablets like any computing endpoint and look to securing them with mobile anti-virus, personal firewalls and vulnerability assessment tools just like they do a PC," explained Paulak.

Companies also need to have a clearly defined BYOD strategy and have some kind of management on employees' mobile devices through an EMM (Enterprise Mobility Management) solution.

EMPLOYEE TRAINING

The level of security maturity in Middle Eastern SMEs is behind what it is in Western Europe and North America, according to Gartner. The number one reason for this is lack of formal security education programmes for employees. This means that the most common types of attacks in the region deal with social engineering, which means that individuals are tricked into revealing information that allows attackers to get in.

"If employees were simply aware that they should not click on unknown links, this would solve most phishing attacks," said Paulak.

Stopping most attacks on SMEs boils down to effective employee training. Whenever an employee is hired, they should go through training on how to behave on the corporate IT network and be given ground rules that, if breached will result in disciplinary action. Until these types of steps are in place across SMEs, companies in the region will continue to see their reputations destroyed by a click of a mouse.

Eric Paulak from Gartner said that SMEs really do need outside help with their IT security.

Nicolai Solling from Help AG said companies need to understand that cyber attackers do not work nine to five.

Pradeesh VS from ESET said the first mistake SMEs make is to not have the correct budget allocation for IT security.



The biggest issue for any organisation today, small or big is around social engineering and controlling user behavior

Nicolai Solling, Director of Technology Services at Help AG



BIGGEST IT SECURITY THREATS TO SMES IN THE MIDDLE EAST

??Lack of awareness for employees

??Internal threats and malicious users

??Lack of skills and poor configuration of organisation systems

?Cybercrime and hackers

Source: ESET

TOP FIVE TIPS TO SECURING AN SME

1. Start with the basics: ensure that you have the perimeter in place with firewalls, intrusion prevention solutions and vulnerability assessment tools.

2. Make sure your patches are up to date. 90 per cent of attacks could have been prevented with regular patch updates.

3. Educate your employees. They truly are either your greatest assets or your weakest link.

4. Don't forget to plan for being hit. There is no doubt. Everyone will be hit. So, there must be a plan in place to decide what to do during the attack and after it is done. You must learn your lessons to grow.

5. Don't do this alone. If you wait for a DDoS attack to hit your firewalls, it's too late. You will lose. Look to partner with a service provider.

Source: Gartner


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: financeME


Story Tools






HispanicBusiness.com Facebook Linkedin Twitter RSS Feed Email Alerts & Newsletters