Security: what you don’t know will hurt you


By Staff
November 20, 2011

Small and mid-sized business owners may have misconceptions that leave them vulnerable to attack, data loss, service disruption and worse. “Shielded by little more than a firewall and a false notion they are too small for hackers to target, many SMBs don’t take the steps needed to adequately protect themselves,” says Mike LaPalme, director of product marketing and management, managed IP services, at Allstream.

“It’s getting to the point where most SMBs have a false sense of security,” he says. “But if you don’t take the necessary precautions to secure your network then it’s not a question of if you’ve been breached, but when you will be.”

Knowledge and expert help can deflect cyber-threats, and LaPalme shares four crucial issues you should know in order to fight the good fight:

1. Don’t be low-hanging fruit.

You might be a small business, but cybercrime is big business. It’s growing and well organized. News of attacks on huge companies like Sony or Google, which make substantial security investment, only illustrates the capabilities of today’s hacker. If a business is online and stores customer information, financial data, or even access to a partner that does, it can be a lucrative target. Cybercriminals methodically test to find weak links; if the reward for breaching an SMB’s defenses is higher than the risk and challenge posed, it becomes an easy target.

2. An ounce of prevention is worth a pound of cure.

Often businesses learn of a security vulnerability only once it is exploited. Worse, today’s hackers are focused on hiding—sitting insidiously on the network to continually reap ill-gotten gains. Securing a network before becoming compromised is considerably less expensive than securing it later, rebuilding reputations and paying fines or lawsuits. Such costs can force an SMB to close its doors, and no one wants to be the poster child for bad security.

3. New technology, new risks.

New technology options, like social networking, introduce new attack vectors for cyber-threats. Criminals can use social networks to learn key facts about individuals for con artist-like social engineering in order to gain greater access. In addition, those pesky social network applications create a new window for possible malicious access into the network. Employees can also accidentally share information that competitors, the public and, worse, criminals might ordinarily not have access to.

The BYOD (bring your own device) trend being embraced by many businesses can certainly provide some advantages in terms of cost saving, allowing employees to use their own (or company-subsidized) smartphones, tablets and laptops. Still, these devices increase the “surface area” from which cyber-criminals can attack, and many existing security solutions don’t protect new devices. Because they perform double duty as personal devices, it’s a challenge to enforce corporate security policies on them, and they may have multiple users—all important considerations before using an employee’s iPad for business.

4. Mind your Ps – Good security isn’t just about having technology in place.

Good security is a three-legged stool balanced on people, processes and technology. Employees must be trained to act correctly and safely, and policies must be in place to reinforce the actions that comply with the company’s security needs, compliance requirements and customer expectations. Take away any one of these and everything collapses.

Defending against these different “attack vectors” is a daunting task for even the largest businesses. Monitoring security 24 by 7 by 365, as needed today, requires a minimum staff of five hard-to-come-by security experts, and many SMBs have only one IT resource managing everything. An answer to this problem is reaching out to a managed security service provider (MSSP) for help, notes LaPalme. Industry analysts have recently recognized the valuable role of MSSPs and Allstream’s position as a leader, which LaPalme says comes from the expertise Allstream has developed over decades of securing its own extensive communications network and those of its customers.

For more information, visit www.allstream.com




Tying down the cloud

Cloud computing offers numerous benefits but it also comes with a fair share of confusion, and that can lead to misunderstandings and security risks.

While the cloud can bring a business agility, scalability, cost savings and location independence, businesses of all sizes need to be aware of what cloud computing—as well as data center hosting—means to them in terms of risk and liability, says Tyson Macaulay, security liaison officer at Bell Canada.

Macaulay develops security programs with Bell’s largest multinational players, but says small- and mid-sized businesses can be particularly unfamiliar with some of the security demands a migration to cloud computing places on them. “Because of limited resources, small businesses often can’t afford in-house experts who can properly assess their cloud service provider’s security capabilities,” he says. In fact, even large enterprises will frequently turn to an expert service provider to more efficiently and cost-effectively audit their security posture on an ongoing basis to bring attention to emerging threats.

And that assessment can be the key to effective security for their business. It is not just an assessment of the cloud and hosting service provider’s infrastructure, but also of the network connections to that provider, in order to ensure all are dependable and secure. Larger enterprises may have expert resources that can perform such an audit, but many businesses will instead need to look to service providers with third-party certification. Macaulay says Bell, which provides both cloud and hosting services as well as the network connection, has its network certified to the Statement on Auditing Standards No. 70 (SAS70) standard. And although there is not yet a formal standard for cloud service certification, the company is a contributor to the ISO-27017 initiative, to ensure a high level of compliance with that emerging standard.

Responsibility is another area that trips up many companies big and small. When moving applications to the cloud or a hosting provider, who bears the brunt of responsibility around security? That can be a tricky thing, and Macaulay suggests ensuring clear and open communications with service providers to know where the buck stops. Gaps can occur through misunderstandings between businesses, their cloud service providers, hosting providers and the network providers—that is, if they are different providers. Macaulay points to the advantage of having the service provider and network provider under one roof, like Bell offers, but stresses that clients need to be sure they and their service providers are discussing accountability issues. If they are not, or worse don’t intend to, it might be time to shop around.

Businesses moving to the cloud must also understand their compliance requirements. For example, due to concerns around privacy compliance, many businesses seek a cloud or hosting provider that can ensure their information stays within data centers in Canada and is therefore not subject to foreign legislation. Do you know where your data is stored? If data is replicated on servers around the world, instead of a few across the country, the business’s corporate or customer information might be at the whim of the policy changes of foreign governments, Macaulay notes.

Ultimately, training and awareness are the biggest bangs for the buck as it relates to security over the cloud, or with hosting services. “As a service provider, the best thing I can do to help Bell’s customers is provide effective training when they adopt a service, rather than make assumptions,” Macaulay says. At the same time, he urges businesses to make no assumptions with regard to their cloud service providers, and validate what they believe. “All too often businesses find out their assumptions were wrong and it’s a source of unhappiness with their service providers. Validation eliminates finger pointing between various providers and customers.”


Tips for cloud security

  • Independently audit the cloud provider or require third-party certification 
  • Understand the relationship between network provider and cloud or hosting provider 
  • Communicate expectations; know who is responsible for each security element
  • Know your business’s compliance needs; consider, for example, if there are concerns with hosting data outside Canada 
  • Know the impact of different cloud models on your business security; each carries different security responsibilities
  • Validate your assumptions with your providers. You might find your service provider doesn’t support your assumptions

For more information, visit www.bell.ca/cloud
