In network security, the digital divide proves especially troublesome as small and medium sized businesses (SMBs) share the same security needs of the larger enterprise, without the same resources.
While it's not often that attacks against smaller companies make headlines, the threat is no less common, or real, than the attacks enterprises fend off on a daily basis. But big budget enterprises have the manpower and technical resources to deal with these threats, while smaller companies are hard pressed to do the same. Inadequate numbers of IT staff, lack of training and inferior network security equipment combine to put smaller companies at greater risk of becoming victims than the enterprise.
However, the gap in defense not only threatens the smaller business, but, in turn, the enterprise as well. As long as the divide exists, neither side will ever truly be protected.
The Direct Threat
Enterprises have shored up their defenses against a limitless wave of digital assaults. With drawbridge raised, moat filled and guards posted at every access point, many enterprise security managers are taking any and all steps possible to protect their network fortress. Any presumptions of complete network security are premature, however, as vulnerabilities ride into heavily fortified enterprises on the backs of unwitting third parties.
Enterprises deal with third parties on a regular basis. For a large enterprise to function as efficiently as possible, it must open some network channels to third parties such as customers, suppliers, vendors or partners. In fact, according to a VARBusiness survey, 66% of enterprises offer extended access to third parties. To do so, however, the enterprise must open its well-guarded walls, compromising even the best-laid defenses.
Two of the more common forms of extended access include virtual private networks (VPNs) and collaboration applications, such as supply chain management (SCM). While both of these technologies can enhance convenience and accelerate transactions, they also create possible security holes, bypassing the enterprise's external defenses. VPNs are designed to provide remote users with secure access to data and applications. However, if that remote system is compromised, the VPN perversely serves as a secure, dedicated highway for an attacker or virus to enter the enterprise. SCM tools generate the same risks because they open up internal applications and data to external organizations. Should these third parties be compromised, loss of sensitive data is a real possibility.
The Indirect Threat
Enterprises that have been diligent about patching vulnerabilities and updating virus signatures might feel immune to many of the threats circulating on the 'Net. However, attacks don't need to be specifically targeted at enterprises - or even carry a malicious payload - to have serious repercussions on the enterprise's operations. Take, for example, the Slammer worm, which emerged on the scene in January and spread to at least 75,000 hosts. The bulk of these hosts were infected within ten minutes of the worm's release.
While the Slammer worm did not carry a destructive payload, large chunks of bandwidth were jammed by the worm's activity, making it impossible to access Web sites or utilize Internet applications for hours. Those hours of downtime are painfully costly to all businesses - but, especially the enterprise - in terms of lost revenue, productivity, and recovery expense. Many enterprises might have patched their networks when the vulnerability was first announced and might have felt they had little to fear from the worm. Despite their foresight, these enterprises still suffered the effects from the worm's rampage, as many unpatched systems were impacted and traffic on the 'Net brought Web operations to a screeching halt.
Despite having the best network defenses, enterprises were helpless to maintain their peak level of operation. It was not until after the rest of the corporate Web community had addressed their security holes that the "diligent" enterprises were truly protected from the Slammer worm.
The Weakest Link
As an interconnected network of individual organizations, the Internet is like a chain. The security of any single organization is only as strong as that of the weakest link in the chain, no matter how large or small.
What are the options for the enterprise network? It could quarantine itself by shutting its network doors, but such a drastic measure would alienate customers and partners alike. Still, enterprises cannot bury their heads in the sand and expect things to somehow turn out all right. The problem can only be resolved by bridging the digital security divide that links together the security welfare of both smaller companies and the larger enterprises.
Obviously, enterprises cannot simply take control of their partners' network operations. Enterprises can, however, take an active advocacy role. By requiring that third parties tighten their network security in order to do business, enterprises can spur their partners toward the necessary security steps that they should be taking anyway.
Enterprises must keep in mind that there is nothing wrong with providing incentives for their partners to become more security-focused. Making network security an unavoidable requirement for those SMBs who want to partner with the enterprise will raise the priority of security in organizations that previously relegated it to "afterthought" status. This means partners must view security not as an add-on, but as a fundamental component of the overall partnership strategy. It also means addressing network security proactively rather than reactively.
Even if a security initiative is taken seriously, the task of closing security holes may appear daunting to cash-strapped companies. Yet, small companies and the larger enterprises that work with them needn't be discouraged. There are routes companies can take to strengthen security, even while under a strict budget.
The Small Solution
Small companies looking to give their network security a boost, without draining their coffers, can turn to two main areas for help - Managed Service Providers (MSPs) and network security appliances.
Outsourcing to an MSP or other IT service provider has become an increasingly common and effective way for budget-limited organizations to manage their networks, or in some cases, just the security component through an MSSP. By managing many networks, MSPs and similar IT service providers offer economies of scale that a single SMB could never achieve, reducing the ultimate cost to all parties involved. These kinds of service providers also use integrated management platforms, usually in the form of network security appliances, while offering a team of IT experts and specialists to manage the network, something a smaller firm could never establish on its own.
For the corporate do-it-yourselfers, the SMB striving for a more "budget-friendly" security solution, or those companies that simply would prefer to keep their network management in-house, those same network appliances can be their own internal answer to cost-effectively bridging the security divide. For years, enterprises have employed a wide range of tools, usually in the form of software, for the management of network security. However, while the price tags provided an initial obstacle to their adoption in smaller organizations, their complexity often also make them unfeasible for even well-heeled businesses.
Many vendors are stepping forward and designing network security tools in appliance form that are specifically designed to meet the needs of small and mid-size organizations, as well as fit in their price range. In a recent report, the Yankee Group cited integration, usability and compatibility as three other important aspects of network devices for the typical SMB IT professional. As appliances hit the market incorporating all of these needs, there is no excuse for SMBs to remain the weak link in the security chain.
There is no denying that a digital security divide exists. This divide will continue to plague enterprises and SMBs alike, until the necessary steps have been taken to bridge the gap. Only when each link in the chain--from the largest enterprise down to the smallest of start-ups--recognizes the interdependencies of the online marketplace will there be substantial improvement in network security.
Shane O'Donnell is CTO of Oculan Corporation (www.oculan.com)