Is an SME like the old German expression – Kleine Kinder kleine Sorgen, große Kinder große Sorgen? “Small children, small problems, big children, big problems”?
I wanted to call this post “The need to understand operational risk of information security” – but I realised that op risk is a concept used by big banks, and that an SME with 40 employees is not even thinking in that direction and may not even have an IT manager, let alone an IT security and compliance group. Yet a small payment processor or customer service outsourcing provider can be destroyed by a single data loss event.
The impact of a data loss event on an SME can be proportionally much greater than for a large, globally dispersed organization. An SME has all its eggs in one basket, even when the business itself is spread out – outsourcing manufacturing to the Far East and providing sales and support over the Internet from offices in New York, Tel Aviv and Mumbai.
A typical SME buys network access from the ISP and installs standard network security in the office: a SOHO firewall (Check Point or Cisco do fine), anti-virus on the workstations and anti-spam from the ISP.
The problem with firewall/anti-virus/anti-spam is that they are defensive measures against known signatures rather than proactive means of mitigating the next attack, which may well be launched from inside the network.
In order to understand the possible impact of an internally-launched attack on data (for example, an employee taking proprietary customer pricing with them to a competitor, blogging new product plans from the office, or losing a database of payment card numbers to a hacker), the first step to being proactive is monitoring.
With a UTM box, the security focus is on outside-in attacks, despite the fact that the majority of attacks on customer data and intellectual property launch from inside the office/extended network. The notion of trusted systems inside a hard perimeter has disappeared with the rise of Web 2.0 services and the convergence of all applications to HTTP.
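To make the monitoring point concrete, here is an added illustration (not code from this post or from any product named here): a minimal content check over constructed egress proxy records that flags Luhn-valid payment card numbers leaving the office network inside HTTP POST bodies. The record format and the internal domain suffix are assumptions made for the example.

```python
import re

# Constructed sample egress records (assumed format for this example, not any
# product's real log): internal source IP, destination host, method, body excerpt.
SAMPLE_RECORDS = [
    {"src": "10.0.5.23", "dst": "paste.example", "method": "POST",
     "body": "name=Bob&card=4111111111111111&exp=12/27"},
    {"src": "10.0.5.40", "dst": "crm.corp.example", "method": "POST",
     "body": "card=4111111111111111"},          # internal destination: allowed
    {"src": "10.0.5.23", "dst": "news.example", "method": "GET", "body": ""},
    {"src": "10.0.7.9", "dst": "mail.example", "method": "POST",
     "body": "order=4111111111111112"},         # fails Luhn: not a real PAN
]

INTERNAL_DOMAINS = (".corp.example",)           # assumed internal DNS zone
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")  # card-length digit runs


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Digit runs of card length that also pass the Luhn check."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_ok(m.group(0))]


def mask(pan: str) -> str:
    """Keep only BIN and last four so the alert itself does not leak the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def flag_outbound_pans(records: list) -> list:
    """Return (src, dst, masked PAN) for card numbers leaving the network over HTTP."""
    hits = []
    for r in records:
        if r["method"] != "POST" or r["dst"].endswith(INTERNAL_DOMAINS):
            continue                            # only inspect external POSTs
        for pan in find_pans(r["body"]):
            hits.append((r["src"], r["dst"], mask(pan)))
    return hits


if __name__ == "__main__":
    for src, dst, pan in flag_outbound_pans(SAMPLE_RECORDS):
        print(f"ALERT internal host {src} sent card {pan} to {dst}")
```

Only the first record is flagged: the internal CRM post is excluded by destination, the GET carries no body, and the last number fails the Luhn check.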
I cannot imagine an SME spending $150,000 on the Fidelis XPS network DLP solution or Verdasys Digital Guardian (which is oriented to Global 500 customers – or, in plain English, at least 2,000 seats), but the new network DLP product – Traffic Monitor Lite from Infowatch – is taking DLP technology into a realm of pricing and ease of use suited to a global SME. I look forward to having the opportunity to evaluate it and report back on my findings.