David Flynn has seen a number of SMBs fretting over how to put protect themselves. Here, he shares his insights about what SMBs should be doing, and what they are doing wrong.
As every computer user knows, there are some awfully nasty electronic critters out there. Every week seems to bring more news of worms and viruses written by people bent on getting their code to crunch on your networks and PCs. For SMBs, the cost of a security breach can be more than disheartening–it can actually sink the business through liability, downtime, and lost data.
David Flynn, vice president of security products at Juniper Networks, has seen a number of SMBs fretting over how to put protect themselves. Here, he shares his insights about what SMBs should be doing, and what they’re doing wrong.
There’s been so much emphasis on network security, and for good reason. Is there ever such a thing as a bulletproof, secure network?
Sure. Just disconnect your employees from the Internet, and run only an intranet that isn’t connected to any outside network. You can be very secure in that environment. With anything other than that, you’re going to be spending time thinking about security, and you should be.
What are some good basic steps for SMBs to make their networks safer?
The first would be to have an antivirus application on the desktop. Then, configure Windows, if that’s what you’re using, to do automatic patch updates. These are the foundational things that are important for making sure that employees aren’t inadvertently creating vulnerabilities in your business.
Users seem like a sticking point in security, with the common advice being to give them security training. Can something be done besides continually reminding them what not to do?
I think for SMBs, which usually don’t have formal training in place or the time to create such programs, it’s important to set some rules and guidelines. There are business policy decisions that have to be made, and that might include using technology that can do Web filtering, also called URL filtering.
This allows a business owner to define policies and destinations. So, for example, they’re not allowed to go to sports pages, or porn sites, or do online shopping. You can define all these attributes about where an employee can go and what they can do. This isn’t something that’s just for security or productivity, either–a company could have liability problems if they aren’t careful. If someone is looking at porn, for example, it can be called a hostile work environment.
In terms of security, it’s also very useful. Lately we’ve seen a host of application attacks that resulted from little bits of spyware that got downloaded from untrusted sites. Usually, people didn’t even know the programs got onto their computer, they just went to a site to watch a funny video or read an e-card. Filtering what comes onto the network by defining attributes can go a long way toward preventing these problems.
Beyond making sure that users are surfing safely, what else can companies do to protect themselves?
At a higher level, you should deploy a firewall at your network gateway.
It seems like with the advancements in technology, there are many firewall choices available. Are some of them better for SMBs in particular, or are they all roughly the same?
There are some simplistic firewalls that are often pitched to SMBs, and the customers are told that all they need is a firewall and they can sleep well at night. But a traditional, simple firewall is often not enough anymore to protect people.
What I’d recommend is that SMBs look into a new class of firewall called a “deep inspection firewall,” which integrates intrusion prevention and protection. It’s something that smaller businesses need to be thinking about because there are new threats out there. Worms like Code Red Blaster, and others like it, were application-level attacks, and they could only be detected by deep inspection.
Is there any difference in getting protection in the form of an appliance rather than software?
The whole security industry is gravitating toward appliance-based form factors, and that’s because there’s something very appealing about buying a box, plugging it in, and being protected. For larger companies, the decision of whether to go with an appliance is a bit more complex, because you’ve got multiple offices and different security issues.
But for SMBs, it’s good to be thinking about appliances, because not only are you keeping up with how the industry is moving, but you’ve got something pre-built that’s usually a much lower cost to deploy. Another plus is that if an SMB buys from a VAR or channel partner who knows how to deploy the appliance, they can set it up and make it a real no-brainer for the company.
If you want to go with security software, there’s a variety out there that you can just throw on top of Windows. But there’s a huge problem there, in that you have to make the underlying operating system truly secure. You have to know what you’re doing, and that requires having someone in-house who can turn settings on and off.
What’s the single biggest security error or misstep that you see SMBs doing?
I’d say that the biggest is not patching their computer systems, if they’re using Windows systems. Every month, Microsoft releases a wide variety of patches that address security vulnerabilities. It’s very easy to get these patches put on your computers if Windows update is running, or if an automatic tool is used. Related to that, we don’t see enough businesses using automatic tools for antivirus and vulnerabilities.
This is vitally important, because the time between companies disclosing vulnerabilities and hackers exploiting them has gotten very short. It used to be 9 months and now it’s 9 days, or even sooner. So, if you don’t have security policies and tools in place, you’re going to get burned.