If you’re a small business in the big, bad world, you should be more worried about your security than anyone else
At the end of 2007, a Websense State of Security survey stated that small business and SoHo owners are rather confident of the state of their security. The survey also stated that they had no reason to be. Despite more than 95 per cent claiming that they have installed antivirus and antispyware programs, more than 70 per cent of the businesses surveyed didn’t use measures to block peer-to-peer (P2P) software, instant messaging (IM) or USB Flash drives—the new wave in security breaches. And the bad news doesn’t end there, either.
“[SoHos and small businesses] are prime targets for attackers, as enterprises are hard to break thanks to mature security implementations. With growing penetration of broadband and the introduction of WiMAX and 3G services—especially for SMBs—it is a matter of concern that awareness of security is very still limited,” Mahendra Lalwani, Country Manager, ZyXEL, tells us. It doesn’t end at just installing security software.
What You’re Up Against
These are new times, and if you’re setting up a new business, you don’t even need a physical office! With online office suites and collaboration tools in this new broad(ish)band-enabled country, there’s nothing stopping you building a team that’s spread across the country. But we digress.
Solution vendors are moving from product sales to annual subscriptions to reduce the total cost of ownership of their solution”
Sunil Chandna,CEO, Stellar Information Systems
One side effect of the distributed office is that laptops and smartphones are a common sight, and the amount of work-related data you could find on them is shocking. What’s worse, this (potentially sensitive) information is easily accessible once you get your hands on them. The loss or theft of your device can lead to a lot of trouble for your company—according to a McClatchy-Tribune study, around 57 per cent of corporate crime starts at a stolen laptop. You may not necessarily have to deal with a crime in such a case, but there will be the palpable embarrassment to come to terms with, at least.
And then, there’s the common oversight that Sunil Chandna, CEO, Stellar Information Systems points out: “Small businesses have data distributed across desktops, laptops and servers—this increases their risk. Usually, data created by server applications is backed up, but the desktop / laptop data is left unattended.”
Then, of course, there’s the threat to your network. The Internet and e-mail continue to be the biggest threats—more importantly, it’s the way employees use them that matters. In Websense’s 2007 State of Security India survey, 35 per cent of the IT managers surveyed believed that employees were a great threat to security—sending work-related documents to personal accounts, clicking links that come from unknown sources and so on. Thirty per cent of the professionals surveyed admitted that they surfed aimlessly—no wonder IT managers worry so much. Not very encouraging, is it?
What You Need
To address the threat to your networks, Lalwani recommends a “multi-layer” defence—at your Internet gateway, on your servers and on every client. “Spam can be addressed with a good server-level filtering mechanism which should be supplemented by gateway-level filtering,” he says, “and the defence you design should address all applications used in the organisation, including IM, P2P, VoIP and other wireless systems.
To protect your data from untoward incidents like hard disk crashes, accidental deletion and the like, you need an automated backup solution installed on all your clients and servers. The data on your laptops and smartphones should be backed up to a secure location on your network both before they’re taken out of the office and after they’re returned.
If these are company-owned laptops, you should also be able to manage them remotely—disable their USB ports and / or DVD writers and so on. To secure laptops from theft, you first need to raise a physical barrier—laptop locks can prevent access to your laptop without a key or combination. You also need a way to track the laptop on the Web, and in the event of a theft, even help recover it.
| TLAs |
| In your quest for a security solution, you’re bound to encounter and obscene number of three-letter acronyms (TLAs)—we know we did. To ease the pain, here are some: VAR: Value-added Reseller. These are software resellers who will also offer you support and added services for the products you buy. SOC: Security Operations Centre. If you’ve opted for managed security, the Security Operations Centre is where your network will be monitored from. SOCs may operate during regular office hours, but you can pay extra for 24-hour service as well. CPE: Customer Premises Equipment. This is the opposite of the SOC. Instead of a third party providing you with a security solution, you do it yourself with your own equipment, in your own premises. UTM: Unified Threat Management. This is the term given to firewalls (usually hardware) that have a bunch of features built into them—spam filters, intrusion detection and so on. NSA: Network Storage Appliance. A fancy term for a Network Attached Storage (NAS) box. These are locations on your network meant specifically for backing up important data. |
What Everyone’s Doing
Lalwani tells us what one of his sales executives encountered once—“He had approached the R & D unit of a large business group. It was a small network of around sixty users. A scientist is in charge of the IT setup, and the Accounts Manager acts as the System Administrator.”
Few (if any) small businesses have a dedicated IT staff, so this is usually the case—people adding IT administration to their regular jobs. To get this load off their employees, small businesses all over the country are moving towards managed security solutions—in other words, outsourcing. Security software will be deployed on your network, and administered from a Security Operations Centre (SOC), from where your network is monitored for any suspicious activity.
Security software vendors themselves are waking up to the needs of the small business and have begun to offer solutions that specifically target your needs, and more importantly, aren’t dauntingly expensive. You can purchase software licenses for groups as small as three people—a welcome change from the times when business licenses were for a minimum of 25 people and cost a bomb. Their approach has changed, too—instead of selling you the product once and forgetting about it, they now offer you yearly maintenance contracts—in the long run, this can save you a lot of money.
A lot of software vendors have a well-established presence in India, and Indian software developers have started to build their own solutions too. For the international vendors that don’t have Indian offices, there are several franchisees that provide sales and support.
Securing The Network
Let’s consider the multi-layer defence we spoke of earlier—the first layer is the Internet gateway. Your gateway stands between your network and the Internet, so securing this level makes securing the rest much easier. Instead of just a router, you could invest in an Internet Security Appliance (ISA)—which is, simply put, a router with security measures like a firewall, access rights and an anti-virus built in. Prices start at Rs 10,000, and depending on how much you’re willing to shell out, you can even get access control to IM and P2P applications. You can get one of these from ZyXEL, Trend Micro and Cyberoam, among others.
To secure your servers and clients, you’re better off with a managed security solution. You could either approach larger vendors like Sify, or strike up a deal with your local software reseller—some will install and maintain security software for you. The latter will likely come cheaper, and more importantly, will work better for you if you’re in a small town. As for the software itself, take your pick—Norton, McAfee, Trend Micro, BitDefender, QuickHeal—anyone you want. Of late, both Trend Micro and BitDefender (through Unistal, an Indian security software vendor) have taken an active interest in the Indian small business, so you might find the features and prices more to your liking.
Securing Your Data
This one’s really a no-brainer, but is unfortunately easily ignored. Backing up data can be as simple as setting up an automatic backup with Windows’ own backup tool. While this is easy for one or two PCs, for many clients, you’d want to ensure that data being backed up regularly, and that you can trigger a backup whenever you wish. These solutions have something of a management console that runs on a server and keeps track of the clients on your network and the files and folders on them that need to be backed up regularly, and a client service that runs on each desktop or laptop that’s on your network. Bacula is an open source backup solution that runs on a Linux- or Unix-based server and Windows or BSD-based clients—perfect for businesses on a tight budget. To make sure that your backup is safe, you can use software like Stellar Smart, which monitors your hard disk’s performance and warns you if a crash is imminent—you can then take your backed-up data to a new location before the crash occurs.
Many backup software vendors also offer software that’ll recover your data in the event of a crash or corruption—both Stellar and Unistal have impressive tools to recover data from corrupt hard disks, damaged Outlook PST files, Word files and many more.
If you have the bandwidth, you could consider using an online backup service like JungleDisk (www.jungledisk.com) or BingoDisk (www.bingodisk.com). Both offer high levels of security and redundancy—something that would cost you an exorbitant amount to implement in your own office—and are priced rather reasonably too. One thing we like about JungleDisk is that you only pay for what you store—$0.15 (Rs 6) per GB—but for larger amounts of data, BingoDisk might work out cheaper. You can visit JungleDisk to calculate your expenses based on how much storage you require and how much data you’ll be uploading every month.
Finally, secure your laptops. Unistal offers a tool called Locate Laptop, which runs stealthily on your laptop and reports its IP address to a personal tracking page only you have access to. If your laptop is stolen, law enforcement officers can use this IP address to track it every time the thief uses it to connect to the Internet. At Rs 3,000, it’s a welcome addition to any laptop.
The Real Secret
While installing a lot of security software can give you peace of mind, there is one flaw in our reasoning—your team. Even though IT managers believe that employees are a huge threat to your data, they also admit that it’s the employees, and not the software, that are the key to keeping your data safe. No software can compete against educating your employees about your security policies and brainwas…er…inculcating the habit of following them. If employees are aware of the damage that your company’s reputation could take in the event of a security breach, they’d probably pay more attention to what they’re doing online.
It’s a tall order, but in the long run, it’ll save you money, and more importantly, will give you the time to catch up on your FreeCell skills.