A group of security experts on Wednesday offered their thoughts on what SMBs need to focus on when coming up with a coherent IT security plan.
One of several seminars being featured during Ziff Davis Internet's SMB (small and midsize business) Solutions Virtual Tradeshow, a hot-button virtual panel titled “Security Priorities: Getting the Most Protection for Your Dollar” featured three presenters.
Each presenter examined different aspects of the SMB security issue, along with polls and a question-and-answer interactive box for participants to type in questions relating to the topic.
The first speaker, Michael Grieves, consulting partner for channel strategies firm Core Strategies and director of research of the MIS department at the University of Arizona, said that because smaller businesses don't have the resources of their larger brethren, members of such organizations “have got to go look in the mirror” to find somebody to handle their security needs, adding that it is a fairly lonely proposition.
Grieves went on to present a set of what he called “realistic security steps” that SMBs can use to protect themselves and to sense and respond to incidents without needing the sorts of resources to which larger enterprises have access.
According to Grieves, these four steps are making IT security a priority; taking obvious steps such as keeping systems up-to-date and implementing virus protection; being paranoid about security; and developing an emergency plan of action before any emergencies arise.
In making security a priority, Grieves brought up strategies that are equally necessary in large enterprises.
He said that it is important to make employees understand that they need to notify the appropriate people if a glitch arises, because too often, non-technical people assume that they are at fault rather than the computer.
Also, decision makers must remind employees of this on a regular basis, or else risk having the cyber-equivalent of a smoke detector that doesn't work because no one bothered to test it.
In discussing his dictum that “only the paranoid survive,” Grieves said that incoming e-mail is by nature questionable e-mail and that people should make it a rule not to open attachments without first checking to see whether the attachment came from a reliable source and was expected.
Sensible Security Strategies for
John Norman, a systems engineer at Advanced Systems Group, followed Grieves' presentation.
Norman, who focused on sensible security strategies for SMBs, said that perhaps the biggest problem SMBs face in developing a security strategy is one of prioritization.
To determine a business's priorities, Norman recommended that SMB decision-makers identify the assets they need to protect, such as customer data, financial and banking information and employee records; identify from whom they need to protect such data, determining the source of major security threats; and set priorities for their strategies.
In determining these priorities, Norman noted that it may not be feasible to protect some of a company's assets, and advised weighing security costs against the time, money and convenience required.
SMBs may need to hire consultants to obtain expertise and outsource such services as regular audits and firewall maintenance, he said.
Meanwhile, Forrester Research analyst Paul Stamp discussed data his group has collected about the importance of security among SMBs.
According to Stamp, about 28 percent of North American SMBs spend between 2 percent and 4 percent of their budgets on IT security, while another 28 percent spend less than 2 percent.
In addition, about 12 percent of decision-makers for the SMBs Stamp surveyed “didn't know” how much their companies spent on security.