We analyzed 699 responses to our InformationWeek Analytics 2011 Strategic Security Survey from IT and security pros at companies with fewer than 1,000 employees, and we found that they take information security every bit as seriously as large enterprises. They're wrestling with the same challenges, including managing the complexity of security, enforcing policies, preventing data breaches, and assessing risk, but they're doing it with less funding, expertise, and technology.
"Somewhere between 30 and 150 people, you reach the really scary spot," says Lee Sharp, network and systems manager for recycling company TerraCycle. "Midsize companies have all the complexity of big companies but can't afford the big tools and can't easily enforce policy."
Problem 1: Managing Security Complexity
Managing the complexity of security is far and away the greatest challenge midsize IT organizations face--50% of our 699 survey respondents identified it as problem No. 1, 16 percentage points ahead of the next biggest issue, enforcing security policies. A smaller number of people and nodes to protect is little comfort when criminals have diversified their attacks and you're faced with increasingly mobile employees accessing business networks from insecure wireless hotspots, often using unmanaged devices.
Oh, and most midsize companies must comply with at least one, and frequently multiple, regulations, including PCI DSS, HIPAA, state privacy laws, and the Sarbanes-Oxley Act for public companies. Audits are a major time suck.
The complexity problem is exacerbated by stringent requirements from partners--often much larger companies, with more resources--whose information they handle. Small companies are being forced to sign on to stronger policies, processes, and controls and adopt expensive, sophisticated security technologies as a condition of doing business with those larger partners.
Jonathan Penn, an analyst with Forrester Research, points to email marketing firm Epsilon, which recently suffered a major breach. The company's data security practices will be under tighter scrutiny from its giant clients, including Best Buy, JPMorgan Chase, and Walgreens, whose customer data was stolen.
Midsize companies are in an especially tough spot; they're too big to keep tabs on what every user is doing but too small to absorb heavy requirements from partners.
Managed and hosted security services are arguably the only plausible way to cost-effectively counter security complexity. The trick is finding the right one. We discuss exactly how to choose a partner in our report on security services strategies for small and midsize firms, which includes a checklist tailored to low-, medium-, and high-risk environments. Integrated security suites provide desktop and server antivirus and anti-malware protection as well as email and Web security, all with unified management. Then, fill in gaps by adding such services as endpoint data loss prevention and encryption, which increasingly is a requirement for state data privacy laws.
Of course, the best security can be bypassed if you don't have a strong password policy.
Problem 2: Enforcing Policy
Outsourcing security technology and management doesn't absolve you of responsibility for employee behavior, something 34% of respondents cite as a major challenge. Yes, formulating rules for safe computing and for handling and accessing sensitive data takes time, executive buy-in, and some level of automation. The key is dropping the us vs. them mentality and working with employees as security partners. "We rely on end user training to make people aware of what's good behavior on their computers--how you handle passwords, access, what's responsible vs. risky behavior," says John McGuthry, CIO of Armstrong Atlantic State University in Savannah, Ga. "If you don't create good behavior and good habits, everything else breaks down."
A best practice is to require that anyone with access to sensitive information undergo annual security training. There's help available here, too. Pain management specialist Zynex Medical turned to a cloud-based learning management service for regulatory compliance training for all employees and independent sales reps. The service helps Zynex document training, which helps at audit time. "It's a big mitigating factor for regulatory exposure," says David Empey, Zynex's director of regulatory compliance. "The cloud service shows we trained and tested competency of folks in all areas where they have to be compliant."
Forrester's Penn calls users the first and last line of defense. Training them to identify suspicious activity, where to report it, and even what to do to preserve evidence from a forensic perspective can make the difference between containment and an infection that spreads throughout the network.
Complement education with strong change management policies and procedures to ensure that network devices, critical servers, and firewalls are properly configured. Armstrong Atlantic's McGuthry has put in place procedures that must be followed every time there's a configuration change on a firewall or a significant modification of an application, for example. All affected parties--within and outside of IT--are informed before changes are made, to ensure that all security, network, and business needs are addressed. Every change includes a plan for testing and recovery to return the device or application to its original state if necessary. Every change is also documented, and that documentation is stored securely.
"No one can make a change outside this process," McGuthry says. "If someone does, that's a behavior that's quickly changed."