Adam Hansen is that rare bird in the small to midsize business (SMB) realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.
Granted, Hansen's employer sits on the higher end of the SMB size spectrum, but it is still relatively uncommon for companies with revenues under $500 million to have a person devoted to security. Hansen is rarer yet in that he leads a staff of six security professionals, who handle all aspects of physical and information security for the firm, which has 16 offices. "I've been lucky here," he says. Many companies of comparable size don't have anyone who takes a global view of security.
More great tips for smaller companies
- 2011: Small company takes on big PCI challenge
- 2007: 3 companies that fought back
- 2011: New FCC tool helps SMBs plan for cyberattack
When it comes to information security, most IT people at SMBs tend to be generalists rather than specialists like the ones at Sonnenschein. "They put in a new disk farm yesterday, today they're doing a website, tomorrow they will do something with security," says Darrell Rodenbaugh, senior VP of the midmarket segment for McAfee Security, a security software vendor in Santa Clara, Calif.
McAfee surveys its vast SMB user population frequently to discern their security practices and habits. "Most spend less than an hour a week proactively managing security," says Rodenbaugh. According to the most recent McAfee survey, most SMB respondents did not believe they are a likely target of cybercrime. "They don't think they are well enough known, but nothing could be further from the truth."
SMBs are still in security catch-up mode compared with large enterprises, according to Adam Hils, principal research analyst for the Atlanta office of Gartner. But catching up they are. One sign of maturity: SMBs are now more likely to have formal, written security policies, at least in the area of IT, according to a recent Gartner survey (see, "SMB IT Security Spending Habits," Page 27). About 47 percent of Gartner SMB survey participants have developed and adopted a formal security policy. And about 30 percent more plan to develop one this year.
That has been a big trend in the last year or so, according to Hils. Regulatory compliance is a major driver to formalize policies on the information security side, especially for retail companies that are within the purview of PCI DSS, the Payment Card Industry Data Security Standard. (See A Tale of Two PCI Audits for more details.) Even for companies that are not big enough to be covered by government regulations, they'll have to comply if they work with larger partners who do.
"Most companies of this size don't take a closer look at security unless they have to for some reason," says Corey Thomas, vice president of marketing and product management for Rapid7, a Boston-based consulting firm. After adopting the basic level of protection, they are often tempted to sit back.
That approach isn't good enough. "A frivolous lawsuit, a key theft or one cyberattack can cripple a small business immediately," says Charles Foley, CEO of TimeSight Systems, a video surveillance vendor in Mount Laurel, N.J. Since resources are short, though, whatever security measures SMBs do take need to be cost-effective and easy to implement.
"We spent several years trying to scare our [SMB] customers into spending more time and money on security," says Rodenbaugh. "I am now convinced that we have to figure out a better story. [Security measures] have to be extremely cost effective."
The need to be thrifty is hardly headline news in this space, in this economy. But we have identified five key security trends that are affecting SMBs, along with some ideas on how to capitalize on them:
1 Risk management should form the foundation of your security practices.taking a holistic, risk-based approach is not a new one; enterprise-size companies have been doing it for a while. But their smaller counterparts should use risk management as the foundation of their security policies, as well. Security, therefore, should encompass not just information and physical premises, but also the other types of risk companies face, including financial risk, credit risk, reputational risk, market risk. The CSO may not be able to make a decision affecting an area such as market risk—this would be up to the C suite or business owner. But he should view it as a duty to identify and inform about the different types of risk.
The idea of
Hansen at Sonnenschein has all of the major risk types on his radar screen. "We have been fortunate so far only to have to really worry about IT risk. But that scope is expanding quickly," he says.
Bright idea: Factor in threats generated by current conditions and address the most pressing ones first. The economic downturn means a lot of retail companies are dealing with higher-than-usual levels of shrinkage and returns fraud. If you think your company is exempt from this sort of threat, think again. For example, if you have a small business that installs wiring, you need to be aware of and mitigate against the current rise in copper theft. "There is a booming business selling copper on the black market," says Foley. "If you have a wiring business, people will steal the wire for the copper and then sell it." (See csoonline's in-depth Red Gold Rush for some surprising factors behind this phenomenon.) The key is to mitigate against threats that have sprung up due to bad economic conditions, as well as other less-expected avenues.
2 The ongoing confluence of information security and physical security is good news for SMBs.
In past years, you had to have separate networks for information technology and physical security. Now, physical security continues its march onto the IP network.
"We're seeing a strong trend to bring physical security systems like surveillance and access control together with IT security systems," says Foley. Just a few years ago, this was not possible. "Everything had to be wired separately. Now they can be plugged into the IP network, wired or wirelessly. It is much more cost-effective to leverage the common infrastructure," he adds. Physical security devices such as card readers and video recorders can run on the network, creating a new class of security information. But beware, you will need a new set of policies to control this new information asset.
Bright idea: Explore your own unique information- and physical-security applications. TimeSight Systems' SMB customers are mixing up information and physical security in innovative ways, reports Foley. For example, the access control system can link to the network so employees will not be allowed to sign on to the corporate network until they have swiped their ID card to get into the building. Obviously, this would not work for the millions of companies where employees sign onto the network from home. Still, there are many interesting possibilities here.
3 Video surveillance and analytics are now within the reach of SMBs.
Video surveillance is one of the fastest growing areas in physical security, according to IMS Research. Companies of all sizes are snapping up well-priced video cameras and video analytics systems that allow you to store high-quality images of relevant data such as individual faces and license plates. "[Video analytics] act like a digital guard at a fraction of the cost of a human guard," says Scott Schnell, president and CEO of VideoIQ, in Bedford, MA.
"It detects when a person or vehicle enters an area where you have set it up to alert you. The system can detect people who are loitering or lingering after hours and apply rules about their behavior." Prime video surveillance users are hotels, casinos, banks, high-end retail and car dealerships. VideoIQ's camera has a suggested retail price of $1,800, which includes the video camera, enough storage for two months of continuous taping and PC software. (See also Video Content Analysis: Look Smart.)
Vendors are scrambling to introduce innovative new video technologies at a price point that is attractive to SMBs. For instance, the high cost of storage hardware traditionally limited SMBs from deploying video surveillance. TimeSight sells what it terms "video lifecycle technology," which automatically reduces the amount of data stored on the system over time by degrading the quality of the video. "The user can say, If nothing has happened within one week of taking this footage, compress the video down to one-third of its original size. If nothing has happened after a month, compress it down to one-eighth of its original size,'" he says. This makes video storage more efficient and helps SMBs avoid buying new hardware.
Hansen at Sonnenschein uses a "smart" video system: "If there is no movement, the camera doesn't record. It only takes and stores what we might need." The system takes the place of human guards. "For me to hire guards would be an extraordinary cost."
Bright idea: When attempting to justify the cost of video surveillance, visit the marketing folks to see if they could use the system for business purposes, advises Foley. Not only will you be more likely to get the funding you need for video surveillance, but you will do a good turn for the business side of the house. "Marketers can do things like people counting. They can analyze how many people were clustered around that end-cap display, and how long were they there?" That kind of data can help marketers optimize the business, potentially a very great benefit.
4 Outsourcing is more popular than ever.
Seeking lower costs, businesses of all sizes are using all types of security services provided by third parties. Ed Eskew outsources his security function wholesale to a trusted provider. Chief information officer for Bernard Chaus, a $118 million privately held maker of women's apparel, Eskew outsources the majority of his technical infrastructure, including security, to a service provider that he has grown with over the last 10 years. The provider has full-time staff on the premises at each of Chaus's six facilities throughout New York and New Jersey.
"This arrangement allows me access to every possible skill set that I need to support my environment. They use a lot of state-of-the-art technologies. We have VPNs to [contract manufacturers in] Hong Kong and China. We have secure remote checkpoint technology to mitigate and manage security from those locations," says Eskew.
"They rotate their own engineers through our facilities so there is constant replacement and overlap. There is a constant refreshing of skills," he says, adding that the arrangement is cost effective compared with doing it in-house. His IT spend is a bit less than 1 percent of revenues, which were $118 million in 2008. "To bring all these skills on staff becomes cost-prohibitive—at least $500,000 to bring it in-house. I am paying 25 percent to 30 percent of that to outsource it."
Bright idea: Wholesale outsourcing is better as a trusted relationship built up over time. Sending your security function to an unproven provider would increase your risk exponentially. "There is too much at stake," says Eskew. "You need to make sure you know who you're dealing with. We have a nice relationship, built up over many years. You don't go out day one and go from nothing to this, in my opinion."
5 Recognize that you can't take people out of the equation.
You need policies and to train your employees on what is acceptable and what isn't. But "changing the way people act is not a way to enforce security," says Hils of Gartner. "It would be, in a perfect world, but this is the real world." What that means: No matter how much you would like to, you cannot legislate all risky technologies and platforms out of most environments. "You can't outlaw things like IM and Facebook," says Thomas of Rapid7. "Your users will just find workarounds to your restrictions, and then you'll have no [visibility]."
Instead, you have to help people find ways to engage constructively with riskier modalities such as online document-sharing applications, outside collaboration platforms and social networks. "Employees are just trying to get their jobs done. There are a lot of online tools that can help them do that. But they need to be trained about processes and procedures on how to manage them," says Thomas. (For more on social media problems and solutions, see Web 2.0 Applications, Sites and Security Solutions.)
Bright idea: When it comes to people, resist the urge to look down everything in sight. Top-down management does not work except in limited circumstances. The process is not unlike raising teenagers, says Thomas. "You want to establish a dialog so that they will know how to make the right choice when the time comes. He advises, "Aim for progress, not perfection."
If you are in charge of security at an SMB, you have our support. "SMBs are getting really crunched right now," says Foley. "They don't have big funds and they don't have big staffs but if they want to compete, they better deliver the same quality of goods as the big players." And that means having security that is on par with large companies.
On the other hand, be thankful that you don't have to deal with big-company headaches. "My friends who do my job at gigantic companies, they have different issues," says Hansen of Sonnenschein. "They have size, but that can be a problem. Size slows you down. I can be a lot more nimble and make quicker security decisions." ##
Lauren Gibbons Paul is a freelance writer based outside Boston.