Additional Security Resources


Find Solutions for your business
For more information about Allstream's products & services, please click the link above.

Prevent security breaches before they happen
Download a free Executive Brief detailing how managed security services can protect your business

IT Security: Small Companies, Big Problems

By Tim Wilson
Special from ITworldcanada.com


Your business is small, but it may have big security problems – as big as those of the biggest businesses on the block.

As a small or medium-sized enterprise in Canada, your company’s information technology is constantly under attacked – day and night. It’s under siege by spyware, malware, viruses, and worms. Waiting for an opening are bogus fraudsters posing as financial institutions who are "phishing" for your financial information. Perhaps worse, your company is getting a bad reputation because of its inability to stem the IT security assault that’s creating problems for customers and employees. Not only is your business not able to effectively defend itself, the problem may be compounding by e-mail or Instant Messaging applications in use that let others turn your computers into their zombies for launching attacks on the unsuspecting, including your business’s customers.

Something must be done, but where to begin? Mike Murphy, the vice-president of Symantec Corporation of Canada, has a few ideas.

"Basically risk (is measured by) a threat assessment positioned against the value of vulnerable assets,” he says. The degree to which your business is exposed to risk is determined by identifying existing security threats, combined with a recognition of vulnerabilities or weaknesses in your business processes and IT systems, all factored against the value of your business assets.

Risk management involves protecting the latter part of that equation – the business assets. In terms of the security investment that may be needed to minimize risk, it’s something that can be calculated in a way similar to that of actuarial tables used in the insurance industry. A common problem, however, is that, although businesses are comfortable with insuring themselves against unlikely disastrous events such as fire and theft, companies often have little understanding of the importance and value of creating a secure IT infrastructure. But a business’s electronic data that is permanently corrupted can have the same impact as a set of important paper files destroyed by fire.

"Small businesses don't understand the value of information," says Murphy. That’s a great many companies, when you consider that 98 per cent of Canadian businesses have fewer than 100 employees. "If your business is customer-facing and if your brand needs protecting, then you'd better deal with (IT) security."

Jack Sebbag, the general manager of anti-virus software maker McAfee Inc. in Canada agrees. Sebbag claims most Canadian small businesses are not as prepared as counterparts south of the boarder.

"SMEs in Canada spend less than one-tenth of 1 per cent on security,” he claims, adding that many aren’t even aware of the security systems they have – those that came bundled with desktop systems they’ve already purchased.

Is a risk and vulnerability management report really required? Even a small company may benefit from the work of a security consultant. A risk assessment by an expert typically takes two to four days and costs between $2,500 and $5,000. There are also simple tools available to assist in the assessment. McAfee's Foundstone is among those products that can perform an asset inventory and produce a security policy and vulnerability report. There are others available.

Understanding vulnerabilities is key to recognizing risk, since one weak link can make an entire security strategy useless. Experts like Murphy and Sebbag suggest desktop systems are best protected with single managed products that include anti-virus, personal firewalls, as well as adware, spyware, and spam protection. Add to the mix hardware-based solutions such as Internet gateways and, if desired, move onto more advanced tools such as authentication and other tools for ensuring secure and authorized electronic communication. Beyond that a business also needs to consider its specific requirements and recognize its "risky" behavior. Is there remote access with multiple devices? Is the value of your organization’s assets measured differently? Be aware that vertical industries, like health care for example, are governed by laws that require patient records must be protected and kept confidential.

Outsourcing IT security might also be a consideration. Although not the usual choice for small companies, it’s an approach to IT security that may make sense for those enterprises governed by intensely regulated industries, but are not equipped to deal with IT security as a core competency.

Telecommunication companies such as Bell, Rogers, and Telus, among others, offer a range of IT security services that businesses may purchase as outsourced offerings. Often described as managed services, these telecommunication companies provide IT infrastructures that provide intrusion protection, firewalls, and secure content management, as monthly, billed services to small business.

“It's like an alarm system (and) no one would think of implementing an alarm system and then managing it themselves,” Sebbag observes.

While a successfully delivered security service should be invisible to end users, a clear reporting mechanism is essential, since it lets a customer know what threats exist and have been thwarted. Millie Kwan, System Manager for Canadian Actors Equity Association, says that in one recent three-week period her Association – an office of 23 people – received 40,000 emails identified as spam.

"Initially, the problem was that we were inundated with spam and viruses on the desktop," she says." The Association invested in a “security suite” product for Windows 2000. In part because the Association also uses older versions of Windows 98, Kwan further advised using an Internet gateway/firewall, as well as a product to remove “spam” from the e-mail server.

The solution has been in place now for two years. "Spam has been reduced dramatically; and we can be proactive, too, by setting rules for banned content," she says

 

More articles from ITWorldCanada.com

Pacific Internet partners with Cisco for SMB security

Allstream suite focuses on security

Bringing mobility under broad security umbrella
Subscribe to FREE e-newsletters and win a Wi-Fi finder!

We'll alert you to new stories, tips, white papers, webcasts and book reviews on the burning technology issues of your choice. Choose from 14 Knowledge Centre topics, or our Daily IT Wire or Global Newswatch.

The first 25 to sign up win a free Wi-Fi finder.

Already a subscriber? Great! Sign up for just one more e-newsletter and you'll be eligible to win!




Business Information Group Network:
AutoServiceWorld.com Bodyshop Broadcaster Mediacaster Cabling Networking Systems Canadian Architect Canadian Industrial Equipment News Canadian Underwriter Canadian Consulting Engineer Canadian Plastics Canadian Mining Journal Canadian Oil Register Canadian Transportation & Logistics Centre EcoLog EcoLog Eris Gifts & Tablewares HazMat Management i-hire.ca Jobber News Laboratory Product News Machinery & Equipment MRO
New Technology Magazine Nickles The Northern Miner OHS Canada OHS E-Learning Oral Health Journal
Pulp & Paper Canada Scott's Directories Solid Waste & Recycling SSGM Truck News