SMBs Need Comprehensive Security Concepts (part 2)

Nowadays, SMBs are networked in many different ways. Alongside the closed company network (intranet), Internet access, e-mail, Internet-based communication with other companies or branches, remote maintenance, dial-in access for external employees, radio links, web servers and much more are all commonplace. Company networks have to be open to facilitate business, but that openness exposes them to a new breed of IT threats. Working outside the office from a “mobile office” in particular brings numerous threats and risks.

Building strong network defenses

The German Federal Office for Information Security (BSI) points out that the number of inadequately secured wireless networks (wireless LAN; WLAN) has risen sharply over recent years. “Enthusiasm for this new technology and the possibility of creating wireless networks mean that security aspects are all too often put on the back burner. Many companies are therefore unintentionally ‘laying bare’ their confidential data,” say the BSI’s security guidelines. “Tapping into company data flows is quite straightforward and easy to do,” agrees Mario Hoffmann from the Fraunhofer Institut für Sichere Telekooperation (SIT) (Fraunhofer Institute for Secure Telecooperation). Numerous studies and field tests back up his statement. While a LAN transmits data across cables, a WLAN sends the information through the airwaves. In principle, an antenna within range of an access point is all that is needed to receive internal company traffic, and if that traffic is unencrypted or only weakly encrypted, to read it.
Tests on WLAN security by the Information & Telecommunications Technology Center (ITTC) at the University of Kansas have also shown that the actual propagation of WLAN signals cannot be predicted exactly. “The main benefit of a WLAN is also its main disadvantage. Radio waves can be transmitted freely and cannot therefore be limited to a certain area,” explains Hans-Georg Büttner, author of the report “WLAN – a paradise for hackers?”, who is also responsible for IT network security at Ernst & Young IT Security. According to the survey, many IT managers deal with the subject of WLAN within their overall security strategy “somewhat sparingly”. Even that is too optimistic: the survey shows that the state of wireless network security is alarming. Fifty-two percent of companies either use no encryption at all or rely on the inadequate symmetric encryption method WEP (Wired Equivalent Privacy), which is part of the IEEE 802.11 (Institute of Electrical and Electronics Engineers) industry standard. Fraunhofer researcher Mario Hoffmann also describes WEP as “exposed” and recommends host-based technologies such as a VPN (Virtual Private Network), which encrypt the traffic end to end regardless of what the wireless link does. Yet only 48 percent of companies use a VPN for encryption, and far fewer use more secure, specialized software. This surprises the experts at Ernst & Young, particularly since “at least half of the surveyed companies have already been victims of hacker attacks and the number of unreported cases is significant,” says the report. Marcus Rubenschuh, head of Information Security at auditors Ernst & Young, compares the insufficient protection of wireless networks “with openly laying out a selection of keys for the doors to your company.”

Everything that’s legal

If important business and customer data is stolen from a company, destroyed or leaked as a result of company negligence, the company in question will not only have to cope with considerable damage; in the worst case there may also be legal repercussions. The extensive data-security requirements that legislators impose on companies are often not fully known. But well-known legislation such as the Bundesdatenschutzgesetz (BDSG) (German Federal Data Protection Act), the TDDSG (Teleservices Data Protection Act), the EU directives on data protection and the KonTraG (legislation on control and transparency in business) highlight the legal dimension of the topic. This legislation stipulates concrete obligations for companies to create and maintain an appropriate level of IT security. This is crucial, as data protection law makes it clear that companies must treat customer data with the utmost confidentiality and have a duty to protect it from unauthorized access.
At the end of the day, it is in the interest of every single company to protect its data, since “protection of data relating to prospective and existing customers represents a key competitive factor that should not be underestimated,” confirms data protection expert Dr. Thilo Weichert, Chairman of the Deutsche Vereinigung für Datenschutz (DVD) (German Organization for Data Protection). The quality of a company’s IT security concept can also affect its access to credit, since under Basel II banks have to include a borrower’s IT risks when assessing its credit rating. The general rule is simple: the better the security concept, the better the assessment in this area.

Human (insecurity) factor

Yet every company, even one with a well thought-out security strategy and a sophisticated security system, has an inherent weakness, and that is and always will be its people. A study carried out in 1999 by the University of Essen makes the same point. Its results rate errors and negligence on the part of employees, information theft and industrial espionage as extremely high risks to information security, with employee negligence often considered the greatest risk of all.
In a recent forecast up to 2008, even US market researchers from Gartner predicted a significant increase in financial losses caused by unauthorized use of computers or networks by employees, either on their own or together with outside help. In terms of the total number of security breaches, these incidents “only” account for around 30 percent, but are responsible for 70 percent of financial losses. Gartner is therefore campaigning, like the OECD, for a “security-aware culture” in companies, so that specially trained and prepared employees know what to do when the real thing happens. But companies still have a great deal of work to do in this respect, as it takes years to create such a culture, says META Group security analyst Chris Byrnes.

Codes that everyone knows

Employees tend to be lax with the passwords and access codes that grant them access, whether to the internal network or to specially protected areas. Slips of paper with passwords lying next to the computer or visibly attached to the side of the screen are a common sight. Laziness prompts people to choose a simple password, such as their own name or that of a spouse or child, and then to reuse it across several systems. And former employees can often still log in to internal networks days after leaving, because no one has remembered to change passwords or block their access. Such carelessness enables former employees to copy or delete business-critical data, such as customer information. Fraunhofer security expert Mario Hoffmann firmly recommends “blocking access to company data for former employees immediately”.
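The reason leavers keep working accounts for days is usually that nobody compares the directory with the HR roster. The following is an added example, not from the article or from any vendor it mentions, of that reconciliation: every account is tied to an employee ID, and an account is flagged for disabling when its owner has left, when its owner is unknown to HR, or when it has been idle long enough to be forgotten. Shared departmental accounts are always flagged, because a leaver who knew the password still knows it and only a password change helps. The account list, the roster, the employee IDs and the dates are constructed for the example; the 90-day idle threshold is an assumption, not a figure from the article.

```python
"""Added example (not from the article): reconcile user accounts against the
HR roster so that leavers lose access on their last day, not days later."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str            # employee ID the account belongs to; "" for shared accounts
    last_login: date


@dataclass(frozen=True)
class Employee:
    employee_id: str
    leaving_date: Optional[date]   # None: still employed


def accounts_to_disable(accounts: List[Account], employees: List[Employee],
                        today: date, stale_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (username, reason) pairs for accounts that must be disabled now.

    Cases, in the order they are checked:
      * shared account (no owner)          -> rotate the password on every departure
      * owner not in the HR roster         -> nobody is accountable for it
      * owner's leaving date has passed    -> disable immediately
      * idle longer than stale_after_days  -> probably forgotten; disable and review
    The idle threshold (90 days) is an assumption for this example.
    """
    roster = {e.employee_id: e for e in employees}
    findings = []
    for acct in sorted(accounts, key=lambda a: a.username):
        if acct.owner_id == "":
            findings.append((acct.username, "shared account: rotate password on every departure"))
            continue
        emp = roster.get(acct.owner_id)
        if emp is None:
            findings.append((acct.username, "owner not in HR roster"))
        elif emp.leaving_date is not None and emp.leaving_date <= today:
            findings.append((acct.username, f"owner left on {emp.leaving_date.isoformat()}"))
        elif today - acct.last_login > timedelta(days=stale_after_days):
            idle = (today - acct.last_login).days
            findings.append((acct.username, f"no login for {idle} days"))
    return findings


# Constructed sample data: a small directory export and the matching HR roster.
TODAY = date(2004, 6, 15)
ACCOUNTS = [
    Account("mmueller", "E100", date(2004, 6, 14)),   # current employee, active
    Account("sschmidt", "E101", date(2004, 6, 12)),   # left on 2004-06-10, still logging in
    Account("ghost", "E999", date(2004, 5, 1)),       # no employee record owns this
    Account("pfuchs", "E102", date(2003, 12, 1)),     # employed, but idle for months
    Account("fibu-shared", "", date(2004, 6, 15)),    # department account, password known to all
]
EMPLOYEES = [
    Employee("E100", None),
    Employee("E101", date(2004, 6, 10)),
    Employee("E102", None),
]

if __name__ == "__main__":
    for user, why in accounts_to_disable(ACCOUNTS, EMPLOYEES, TODAY):
        print(f"disable {user}: {why}")
```

Run daily against a directory export, this turns Hoffmann’s “immediately” into a check that does not depend on anyone remembering; the HR leaving date, not a colleague’s e-mail, is what triggers the block.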
“Disgruntled former employees can hit companies where it hurts and company networks are a particularly sensitive spot,” says Frank Lemm, Chairman of SAP Business Partner realtime, which offers bioLock, a biometric security solution specially developed to protect SAP systems. This checks a user’s fingerprint to see whether they are registered for an SAP solution. Employees can log on to the SAP system using their fingerprint and can access the data and functions which are approved for them, depending on their user rights. The program does not replace a company’s authorization concept, but ensures that functions are actually executed by an authorized employee. As Bruce Schneier tells us in Secrets & Lies, no protection is perfect, since even the most intelligent security concept cannot prevent an attack which is down to human weaknesses.

Comprehensive concepts are what’s needed

A company developing such a concept should proceed systematically: take an inventory of its assets, including business processes and their place in the value chain, and classify them according to their protection requirements. All conceivable threats and weaknesses should then be analyzed, for example espionage, theft, sabotage, destruction or modification of information or programs (e.g. through viruses) and IT system failures. After a risk analysis of the IT systems, the prioritized protection objectives are defined and the appropriate measures implemented. “A comprehensive IT security concept starts with administration rights and ends with access control,” says BSI president Udo Helmbrecht.
This is where the hard work begins for SMBs, particularly since a survey of readers of “Computerwoche fokus Mittelstand”, an IT magazine for SMBs, found that IT protection is seldom tackled systematically. “Risks are generally not considered and assessed objectively,” says security expert Christian Aust. An unwillingness to invest in comprehensive risk analysis is a further shortcoming among SMBs. Instead, security measures are “spread out following the watering can principle,” criticizes Aust, “and therefore remain ineffective.” He goes on to say, “There is also a lack of efficient controlling and, where necessary, existing measures are not corrected or adjusted to suit changing conditions.” Deloitte security expert Peter Wirnsperger believes that “the discussion will only really mature” when SMBs start to regard IT security as an opportunity and recognize how it can make their business more efficient and thereby more profitable. A heightened awareness of security problems and prudent, well-planned strategies go a long way, because a company’s long-term success rests on systems it can trust.

Further information:

General: Federal Computer Incident Response Center, Computer Security Institute, Internet Security Alliance

Dr. Andreas Schaffry