SMBs Must Integrate their Security Measures

Mr. Hoffmann, current studies do not rate IT security at SMBs highly. Have SMBs failed to read the signs of the times?

As regards integrating security measures, many companies, especially SMBs, are still in the Dark Ages. And erecting barriers and walls (i.e. firewalls) is simply symptomatic of this. This is not due primarily to a lack of awareness, however, since security has a long tradition of following in the footsteps of technical development. Rather, security and data protection considerations in SMBs in particular all too often fall victim to the red pen as early as the planning stage, where cost/benefit analyses that are less than comprehensive take their toll in the name of rationalization. The mantra is often: the main thing is that the system works; it has cost enough already. It’s rare to see preventive integration of security measures in all business processes. Companies simply underestimate the costs incurred through implementing IT security solutions at a later date.

Apart from installing a virus scanner, what can SMBs do to boost and intensify awareness of IT security?

There are numerous ways to do this. They include security guidelines and policies, staff training and electronic service certificates. But what use is a security guideline that nobody bothers to read? One-off training sessions aren’t enough either. Knowledge acquired by staff has to be freshened up and updated from time to time. Of course, this requires a coherent, comprehensive security strategy and a coordinated approach. The key to this lies with the company management.

When management becomes aware of what administrators have long known, and junior executives – like in the current ad – stop playing games on Dad’s company notebook, we will have made a great step forward. The issue of IT security essentially has to be recognized, desired and taken in hand from above. After all, that’s where the necessary budget is approved.

These days, virus and worm attacks are even making regular front page news in well-respected newspapers. Company networks with wireless LANs, for example, are particularly prone to external attacks. Do effective protection mechanisms exist for this area?

The WEP (Wired Equivalent Privacy) encryption technology usually used in radio networks according to the IEEE 802.11 standard was actually discovered to contain vulnerabilities as far back as 2001. Examples of vulnerabilities are the initialization vector, which is too short, and the constant WEP keys, which function as “shared secrets” that have to be shared among all staff. Studies at Fraunhofer SIT showed that it was generally sufficient to listen in on around one gigabyte’s worth of data in order to crack a 40-bit WEP key. This can be done in around 30 minutes using a WLAN-compatible notebook.

On the other hand, networks can be effectively protected. Alongside a few proprietary efforts, a WPA (Wi-Fi Protected Access) interim solution is one example providing improved security functions. This includes selected parts of the future IEEE 802.11 security standard, such as an extended initialization vector, re-keying and message integrity checking.

Deploying procedures which belong in the upper network layers such as IPSec (IP Security Protocol) or VPN (Virtual Private Network) can give complete independence from WEP, WPA or their possible descendants. Of course, you could also deploy confidential communication even higher in the application layer. This is to be recommended in cases where only a few selected applications, which already include integrated encryption, authentication and authorization mechanisms, are in operational use. However, an integrated approach to security doesn’t mean being forced to implement every possible technical solution. I’m thinking for example of electronic ID cards based on biometric characteristics with RFID (Radio Frequency Identification) technology, for contactless identification governing access to rooms, devices, communication channels and plant security. Security is always company-specific, and it makes financial sense for companies to deliberate during the conception phase on how the level of security they want can be achieved using different types of technology.
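To make the two WEP weaknesses named above concrete (a short per-frame initialization vector that repeats quickly, and a constant shared key that turns every repeat into keystream reuse), here is an added Python illustration; it is not part of the interview or of the Fraunhofer SIT studies it mentions. The keystream function is a constructed SHAKE-128 stand-in rather than RC4, and the frame counts come from the standard birthday bound.

```python
"""Added illustration: why a 24-bit per-frame IV plus a constant shared key is
too weak. The keystream function is a constructed SHAKE-128 stand-in, not RC4."""
import hashlib
import math
from collections import Counter

IV_BITS = 24  # length of WEP's per-frame initialization vector


def iv_reuse_probability(frames: int, bits: int = IV_BITS) -> float:
    """Probability of at least one IV repeat after `frames` frames whose IVs are
    drawn uniformly at random (standard birthday approximation)."""
    space = 2 ** bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_reuse_probability(p: float, bits: int = IV_BITS) -> int:
    """Smallest frame count at which the IV-reuse probability reaches p."""
    lo, hi = 1, 2 ** bits + 1
    while lo < hi:  # binary search; the probability is monotone in frames
        mid = (lo + hi) // 2
        if iv_reuse_probability(mid, bits) >= p:
            hi = mid
        else:
            lo = mid + 1
    return lo


def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Per-frame keystream derived from (IV, shared key); any stream cipher with
    a per-frame IV has this shape. SHAKE-128 is used only to keep the demo
    self-contained."""
    return hashlib.shake_128(iv.to_bytes(IV_BITS // 8, "big") + key).digest(length)


def encrypt(key: bytes, iv: int, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))


def keystream_cancels(key: bytes, iv: int, pt1: bytes, pt2: bytes) -> bool:
    """Two frames sent under the same (IV, key) share one keystream, so the XOR
    of the ciphertexts equals the XOR of the plaintexts without touching the key.
    Re-keying and a longer IV (as in WPA) are what prevent this."""
    c1, c2 = encrypt(key, iv, pt1), encrypt(key, iv, pt2)
    xor_ct = bytes(a ^ b for a, b in zip(c1, c2))
    xor_pt = bytes(a ^ b for a, b in zip(pt1, pt2))
    return xor_ct == xor_pt


def repeated_ivs(observed_ivs) -> dict:
    """Defender-side check over IVs seen by a monitoring station: every IV that
    occurs more than once, with its count. Any entry means keystream reuse."""
    return {iv: n for iv, n in Counter(observed_ivs).items() if n > 1}
```

With random IVs the reuse probability reaches 50% after fewer than 5,000 frames, which is why the interim WPA measures (extended IV, re-keying) matter even before a full standard arrives.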

As a rule, SMBs have a straightforward structure and everybody knows everybody else. Despite this, there is no shortage of stories about disgruntled employees or ex-employees sabotaging companies by stealing, manipulating or even deleting important data. Does this mean that SMBs are underestimating the importance of the “human factor”?

In order to implement a security policy in a company, IT security must be integrated in all business processes. This includes immediately denying former employees access to company data. I think that many SMBs still find it hard to put a figure on the business value of their security measures (keyword: RoSI). However, they overlook the fact that the costs of subsequently integrating security policies in business processes, or even adapting the latter to the requirements of security and data protection, are often extremely high.

I actually believe that, in general, SMBs have a pretty high awareness of IT security issues. However, they have concentrated up till now on specific areas, like deploying firewalls, anti-virus software and authorization management. They are lacking an integrated approach. However, in a time of tightened belts, investments in the core business take priority and IT security – unfortunately – takes a back seat to these.

What trends will shape IT security in the next few years?

Whether we call it ubiquitous computing, pervasive computing or ambient intelligence, it’s quite clear that increasingly intelligent everyday objects and the corresponding environment will be an important aspect of IT security in the next few years, fuelled in great part by the current debate around RFID in the case of the Metro Future Store.

Another controversial approach, which is also already being debated, is trusted computing. In simple terms, this initially involves the integration of crypto hardware in system platforms. The goals trumpeted by the Trusted Computing Group would certainly be helpful in numerous business scenarios where security is critical, like for example enterprise-wide communication for banks. However, advantages for the end user have yet to become apparent. On the contrary, a significant criticism of the scheme focuses on the possibility of implementing Digital Rights Management (DRM) against consumer interests. This is intended essentially to safeguard copyrights (e.g. for music, but also for software) on electronic data processing devices, thereby preventing piracy. Seen from this angle, DRM will certainly be a trend in years to come, particularly since the music and film industries are committed to taking legal action against users of exchange forums all over the world, where national legislation allows it.

A further trend in the business environment will be identity management, i.e. standardized enterprise-wide management of real and virtual user identities. This also embraces areas like authentication, authorization and simplified logon. However, how this benefits end users is not clear either, as long as they do not have full control of their personal data in a balanced concept, but this is ceded to the Microsoft Passport Portal or the portals of the Liberty Alliance Project (LAP). Regardless of whether they are centralized (Microsoft) or federalized (LAP), each of these initiatives, which are at the forefront of current discussions, primarily serve the interests of the participating companies, helping them to increase customer loyalty, identify and forecast customer interest, and perform targeted marketing and statistical evaluations of individual customers and customer groups.

And how about biometrics?

I don’t know, but it may be that biometrics and its further development will be somewhat hampered by what I think is its premature integration in ID cards and passports. If a particular type of biometric data with particular associated procedures is established in this area, it will certainly not be possible to keep updating all ID cards with improved procedures on a yearly basis. Time will tell whether or not this becomes an impetus for biometric procedures to be used in other applications, such as protecting entry to buildings.

As regards trends in IT security, I believe that Bruce Schneier has hit the nail on the head in the phrase: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. Therefore a central task for SMBs will be first to focus awareness on their specific security problems and then to invest in the required software.

Dr. Andreas Schaffry