It's impossible to run a business without considering security, and small companies are no exception. However, while large businesses may be experimenting with cutting-edge security, such as detection of network behavior anomalies, and deploying security event management systems to make sense of reams of security data, many small businesses are wrestling with a more prosaic issue: passwords.
"The password issue is the bane of my existence," Allen says. Aside from the usual problems of password management, such as users forgetting them and locking themselves out of their systems, he also has had difficulty getting his users to comply with IT security policies regarding passwords.
"My biggest challenge isn't getting IT security in place, it's getting managers and users to take it more seriously," he says. A common complaint from users is that they have too many passwords to remember. Provisioning new ones also takes time, which means users end up sharing passwords with new employees to give them access to applications while they wait for IT to give them their own credentials.
Allen's users are getting used to the stricter security requirements within the organization and are taking the rules more seriously. "It's happening slowly, through attrition, new hires, and education," he says.
Single sign-on is one answer to this problem, but there are drawbacks. "It's expensive to get all that SSO stuff working," Allen says. "And in some sensitive applications, it's advantageous to have separate passwords--there's a certain level of security there."
One suggestion to IT managers who struggle with passwords is to teach users the acronym method. Users create a short, memorable phrase--for example, "Neo is the chosen one!"--and take the first letter of each word to form the password. They also can change written numbers to numerals. The result, NITC1!, is a reasonably strong password that's easy to remember.
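The acronym method described above, as an added Python example that is not from the article: it derives the password from a phrase and gives an optimistic brute-force estimate, so phrases of different lengths can be compared. The function names, the `MIN_LENGTH` policy value and the second sample phrase are assumptions constructed for illustration.

```python
import math
import string

# Number words swapped for numerals, as the article suggests ("one" -> "1").
NUMBER_WORDS = {"zero": "0", "one": "1", "two": "2", "three": "3",
                "four": "4", "five": "5", "six": "6", "seven": "7",
                "eight": "8", "nine": "9"}
MIN_LENGTH = 12  # assumed policy minimum, not a figure from the article


def acronym_password(phrase: str) -> str:
    """First letter of each word, upper-cased; trailing punctuation kept."""
    parts = []
    for token in phrase.split():
        stripped = token.rstrip(string.punctuation)
        trailing = token[len(stripped):]
        word = stripped.lstrip(string.punctuation)
        if not word:                      # token was punctuation only
            parts.append(token)
            continue
        parts.append(NUMBER_WORDS.get(word.lower(), word[0].upper()) + trailing)
    return "".join(parts)


def search_space_bits(password: str) -> float:
    """Optimistic brute-force estimate: length * log2(character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(phrase: str) -> dict:
    """Derive the password and report length, estimate and policy result."""
    pw = acronym_password(phrase)
    return {"password": pw, "length": len(pw),
            "bits": round(search_space_bits(pw), 1),
            "meets_min_length": len(pw) >= MIN_LENGTH}


if __name__ == "__main__":
    # The article's phrase, then a longer constructed phrase for comparison.
    for p in ("Neo is the chosen one!",
              "My two cats woke me at five every day last winter, no joke!"):
        print(evaluate(p))
```

The estimate assumes an attacker who knows only which character classes are in use; a guessable phrase lowers the real figure, so the number is a ceiling for comparing phrase lengths rather than a measure of strength.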
Sugayan has had the opposite experience with passwords. Because Private Eyes deals with sensitive data such as Social Security numbers and medical records, executives make clear to everyone that security is a top priority. To that end, the company has taken the password issue out of its users' hands. Private Eyes assigns its users a new password every 30 days. "We don't have push-back," Sugayan says. "Employees understand we are working with highly confidential information."
But passwords aren't the only security issue that small businesses face. Kelley is preparing to deploy IPsec VPNs to several users to let them telecommute. He may turn to a consultant for help. He also would like to install an intrusion-detection or intrusion-prevention system, but he hasn't had the opportunity to plan a deployment.
Security outsourcing is an option for small businesses. Top-tier managed security service providers such as Symantec and Counterpane Internet Security offer services for small businesses. For instance, Counterpane's Enterprise Protection Suite SME Edition will monitor one firewall and intrusion-detection device.
Small shops also should consider local or regional managed service providers, which may offer more competitive pricing and a higher level of service. Your value-added reseller may be able to direct you to a vendor in your area.
Another option is a unified threat management system. Vendors including Astaro, Fortinet, Internet Security Systems, and Symantec offer products that bundle firewall, antivirus, anti-spam, and other services into a single appliance. These systems were designed with small shops and budgets in mind: A few thousand dollars can get you started with a firewall, VPN, and intrusion-detection package. But beware of performance issues--as you activate features, you'll slow down packet processing. An overburdened system for unified threat management can quickly become a choke point.
IT pros at very small businesses may not have money to throw at problems, but that doesn't make them helpless. As demonstrated here, a little ingenuity and some good advice from peers go a long way.