1) No security plan is foolproof. Comforting, isn’t it? But it’s true–there is no such thing as 100% secure, and I’ve yet to an encounter a security pro that would argue otherwise. (Some governments in the Middle East would likely agree now, too.) That’s not an excuse to do nothing. When online crooks target SMBs, either via targeted attacks or indiscriminate malware, they usually do so for two reasons: SMBs have more money than the average individual, and they have less security in place than large enterprises. That can make them easy, profitable targets. The SMB’s job: don’t be an easy mark. Practice good basic security at bare minimum. If time and money are key challenges, consider a risk-management approach–more on that below in number five.
2) You might not know it if you’re infected. Flame’s just now coming to light, but it has existed since 2010–and possibly as far back as 2007. Even if you’ve got strong security controls in place, you might not necessarily know if you’ve been infected by malware or other means. “Most malware is written to be very stealth and not let you know that it’s on the machine, so what Flame does is very typical,” Haley said. Robust, current security technology is a good first step toward minimizing the chance of undetected breaches–the straightforward anti-virus programs of yore aren’t likely to cut it. Haley also advises SMBs take steps to eliminate spam in their corporate email accounts; the bane of inboxes continues to be a favorite delivery method for malware makers. Expect social media to continue to grow as a malware vector, too. Haley thinks SMBs need to be thinking about social risk and actively monitoring their accounts for unusual activity.
3) Attacks are increasingly sophisticated. The complexity of today’s security threats almost make you long for the good old days of the Wazzu virus. Flame appears to have reset the bar. For SMBs, it’s a reminder that a set-it-and-forget security plan is a recipe for failure. What worked in 2010 probably won’t pass muster in 2012. “You really need to review everything [periodically],” Haley said. That’s important even if you outsource security to a consultant or other vendor. If time is an issue, an annual review is better than none at all. Depending on how much a particular company invests in security–or doesn’t–it might want to consider more frequent checks on its technologies and processes to ensure it’s keeping up with the times.
4) Reputation harm can be expensive. The fallout from the Flame revelation is just getting started, but it’s safe to say this is a public embarrassment for the affected governments. For SMBs, it’s a reminder that security breaches don’t necessarily need to hit your bank account to be costly. A website that gets co-opted into a malware host, for example–they’re at an all-time high, according Symantec’s most recent annual security report–could have a difficult time earning back the trust of its customers and other visitors. Likewise, data theft can be both embarrassing and expensive.
“It’s bad enough if you get your money or your customer list or some sort of intellectual property stolen,” Haley said. “But also the damage of the publicity from it could be really crippling to a business. Some people may be reluctant to do business with you if they think that you can’t keep your information secure.”
5) Prioritize your most important assets. A sound strategy for some SMBs is simply to not try to protect everything. Rather, identify your most valuable assets–banking credentials and other financial information, customer databases, and intellectual property, to name a few examples–and focus your efforts there. That can help resource-strapped organizations minimize their vulnerabilities in a practical manner rather than waving a white flag of surrender.