Data security for an SMB
Fly first class on a budget

Danny Lieberman
http://www.dannylieberman.info http://www.controlpolicy.com/

Licensed under the Creative Commons Attribution License
“Any large company is made up of a large number of small businesses.”
Bill Gates, circa 1998. Explaining why Microsoft workgroup products were a good fit for big enterprises.

Agenda
• What threats should concern an SMB?
• SMB awareness of data security
• Cultural factors
• What data should an SMB protect?
• Is anti-virus enough?
• Is a firewall enough?
• Servers in the office or in the cloud?
• Planning for disasters
• Fly first class for cheap

What threats should concern an SMB?
• Data security is Ugly
  – Loss of IP
• Trusted insider theft
  – Mail, Web, IM
  – Smart phones
• Front-door attacks
  – Lost passwords make it easy
• Back-door attacks
  – Spyware, Trojans
  – Piggyback on legit sessions

SMB awareness of data security
• Market research performed by Infowatch in September 09
  – 99% of 190 SMBs were aware of data breach issues.
  – Over half focused on IP protection
Infowatch CEO Natalya Kaspersky

Cultural factors
• Americans
  – Rule-based
  – Technology
  – Lots of regulation that doesn't work
• Europeans
  – Principles-based
  – Discipline
  – Regulation that appears to work

What data should an SMB protect?
• Credit cards
  – Usually not an issue for SMB merchants
    • Most have less than 1 million transactions/year
    • Most outsource payment processing
    • Can comply with PCI DSS with a self-assessment
• Intellectual property
  – A small firm can have extremely valuable IP
    • Manufacturer, design house, hi-tech startup
    • Designs, algorithms, commercial agreements
    • IP theft can put an SMB out of business

Is anti-virus enough?
• The good news
  – Good AV software can detect and prevent certain kinds of attacks that steal data
• The bad news
  – Anti-virus software is worthless against trusted insiders, phishing, man-in-the-middle attacks.

Is my firewall enough?
• There is no good news
  – Firewall creates false sense of security
  – Cannot stop trusted insiders
  – Anyone can violate privacy of other employees
  – Cannot stop targeted Trojans from stealing data on open FTP or high-numbered ports
    • If you shut them down, employees will take their data home...

In the office or in the cloud?
Wake up and smell the hummus
– Hosting your own mail/Web servers in the office is a bad idea
  • Attracts attackers like flies to honey
– Use a service like Google Apps
  • They may read, but they won't steal

Planning for disasters
• Take regular backups
• Use a professional hosting service
  – Calculate cost of loss of business
  – Spend the right amount
• Build employee ERT
  – Emergency response team
  – Train once every 3 months
  – Know where the keys are

Fly first class for cheap
• Policy
• Enforcement
Fly first class for cheap
• Policy: the 10 commandments are free.
• An AUP reduces the number of employee options by default
– No “opt-in” check box

AUP read and understand agreement
An Approved Usage Policy states that:
“Digital channels are to be used to further the company’s business and improve customer service and not for personal entertainment or gain”
“Employees will protect the company's digital and physical assets”

Digital Assets
• Any computerized information that the firm uses to compete or accomplish its missions
  – Customer pricing
  – Intellectual property
  – Biz dev plans

Enforcement
• Corporate culture
  – A little fear in the workplace is not a bad idea (Andy Grove)
• Everyone signs, owner first
• DLP “Light”
  – Mail and Web
  – Alert and/or block violations
  – SMB solutions available for $10k

DLP “Light” for SMB
[Diagram labels: Database Server, File Server, SMTP, HTTP, Policies, Interception, Alert or Block, Reporting, Forensics]
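
The policy, interception, alert-or-block and reporting stages named in the diagram, applied to one outbound mail message. This is an added example, not code from the presentation or from any DLP product; the policy names, marker phrases, the `example.com` internal domain and the rule that only mail with external recipients is inspected are assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):  # Luhn checksum cuts false positives on long digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(text):
    return any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text))

def has_marker(*markers):
    return lambda text: any(m in text.lower() for m in markers)

# Hypothetical policy table: (name, detector, action on violation).
POLICIES = [
    ("payment-card-data", has_card_number, "block"),
    ("intellectual-property", has_marker("company confidential"), "block"),
    ("customer-pricing", has_marker("customer pricing", "price list"), "alert"),
]

def message_text(msg):  # subject plus every text/* part, decoded leniently
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", "replace"))
    return "\n".join(parts)

def inspect_outbound(raw, internal_domain="example.com"):
    msg = message_from_string(raw)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.lower().endswith("@" + internal_domain)]
    text = message_text(msg)
    hits = [(n, act) for n, det, act in POLICIES if external and det(text)]
    actions = {act for _, act in hits}
    verdict = "block" if "block" in actions else "alert" if actions else "allow"
    return {"from": msg.get("From"), "external": external,  # record for reporting
            "violations": [n for n, _ in hits], "verdict": verdict}

# Constructed sample: outbound mail carrying a widely used test card number.
SAMPLE = ("From: alice@example.com\nTo: bob@partner.test\n"
          "Subject: order\n\nCard 4111 1111 1111 1111 exp 12/30\n")
```
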

Coming attractions
Register online for:
• Oct 8: SMB data security
• Oct 15: Data security as a business objective
• Oct 22: A holistic approach to security and compliance
http://www.controlpolicy.com/workshops/

Learn more
• Read the Data Security Blog: http://www.software.co.il/wordpress/
• Presentation materials and resources: http://www.controlpolicy.com/workshops/data-security-workshops/