How to Keep Data Secure Despite Rapidly Evolving IT Threats

Early this spring, an intern at the North Arkansas Electric Cooperative ignored company policy and plugged a USB device into her computer, inadvertently unleashing a devastating worm virus onto the network.

“We were dead in the water,” recalls IT Manager Jim ­Blackmon. NAEC’s antivirus program didn’t catch it, and the virus spread so quickly that soon the entire workforce was paralyzed.

The electric utility’s servers were offline for three hours. Once the IT team brought them back up, it spent several days and nights cleaning up 150 systems, one by one. Worse, the company found the maker of the antivirus it was using initially unresponsive and then largely unsupportive during the recovery effort.

“It’s hard to put a dollar figure on something like that,” says Blackmon, noting that every single department was affected. “If we’re going to do our job and serve our customers, we have to have access to all of our systems and our customer information 24 hours a day. In this case, we didn’t, and it hindered our ability for several days to perform our day-to-day functions.”

Thankfully, the experience had a silver lining: It forced the cooperative to take stock of and make a quantum leap in its security strategy. Among other steps, the IT team sent a notice to all employees that reiterated the security policy with regard to external devices and the reasoning behind it. Then the team began searching for a new virus protection solution.

Blackmon soon discovered Kaspersky Anti-Virus, a security program that offers updates of virus signatures every two hours and provides integrated protection against spam, phishing and zero-day attacks.

After implementing one version for clients and another for the company’s Microsoft Exchange server, Blackmon and his team quickly regained confidence in their ability to keep destructive code out of the network. But they also learned how ineffective their previous efforts had been: The Kaspersky program immediately discovered several latent viruses residing on NAEC machines.

“That was upsetting, but at least we know we’re now on the right path,” Blackmon says. “We’re completely protecting our machines, and the new program saves us a lot of time because we don’t have to stop our main work to go out and repair a virus.”

No Place to Hide

NAEC’s experience underscores how challenging it can be for small and midsize businesses to secure their IT assets against today’s rapidly evolving threats — and the devastation that a single lapse can have on operations.

“Small businesses are definitely more at risk than large businesses with respect to security because if they are attacked and their information is compromised, they can go out of business quickly,” observes Dr. Sushil Jajodia, director of the Center for Secure Information Systems at George Mason University. “As such, there is very little margin for error.”

Small businesses, of course, have fewer resources to address data security and other IT concerns. That in turn makes it tough to standardize security policies and develop the controls necessary to enforce those policies. And small businesses often experience higher employee turnover, which means that some members of the staff aren’t up to speed on security procedures. Plus, long-time employees often treat company computers as their own personal property, Jajodia points out.

This combination of factors has led an increasing number of businesses to incorporate new and more robust tools, which — along with security training for employees — can ensure the redundancy and automation needed to effectively protect systems even on tight budgets and with small IT teams.

Digital Risk, in Maitland, Fla., is one such company. Given the housing crisis brought on by the recession, the forensics analysis firm has increasingly moved into the business of reviewing loan documentation for fraud. This mission shift has required the company to not only store extremely sensitive personal and financial information about loan applicants but also conduct research on the web, which sometimes includes visiting social networking sites such as Facebook and MySpace. The inherent risks in this work inspired Chief Technology Officer Eric Rawlings to take extraordinary steps to ramp up company security.

“We really have to be extremely careful now to ensure that that information is only available to the folks who need to see it,” Rawlings says. “Since we are also growing, scaling out servers, scaling out employees and changing how we access and use information, we realized that we needed to protect PCs in a different way than we normally would.”

Photo: Gary Bogdon

Digital Risk CTO Eric Rawlings says it's crucial to have "systems in place to back up people if there is a breakdown in process."

To safeguard against both external and internal threats, Rawlings incorporated a multitiered strategy that included implementing the entire suite of McAfee products. The suite protects against viruses, malware and spyware but also scans websites for malicious code. Rawlings also deployed Fortinet’s unified threat management platform, which protects against data leaks.

For its mobile devices, the company uses HP ProtectTools and HP notebooks to provide full hard-drive encryption, a login device that reads an employee’s fingerprint and a credential manager for securely storing all employee credentials.

“If one of our laptops is ever lost or stolen, it’s completely protected,” Rawlings says. “Whoever gets hold of it won’t be able to get up past the boot screen.”

Rawlings also decided to upgrade the corporate operating system from Microsoft Windows XP to Vista because it can manage group policy at a much more granular level.

The result of all this extra effort? A perfect security track record so far. “We haven’t lost any data in our corporate history,” he says, noting the company also relies on robust awareness training. “I think that’s a testament to how seriously we take security, that our processes are followed and that we have systems in place to back up people if there is a breakdown in process.”

One Size Does Not Fit All

For many small businesses, data security needs, like corporate missions, are unique. Consider MobiTV, a startup in Emeryville, Calif., that delivers content and applications to mobile devices. It needed a security strategy that would let it stay on top of threats even as the company deployed assets and products on an accelerated schedule.

Chad Kalmes, IT manager for MobiTV, says the approach he and his IT team came up with was to layer additional security on top of its core security program. It uses Symantec Endpoint Protection Suite, which offers standard antivirus, antimalware and antispam functionality, plus a local firewall for devices, and intrusion detection and prevention services.

“We found that having all those different modules and the ability to control all the different security aspects within our environment through that one product was really advantageous for us,” Kalmes says. “It allows us to get better and coordinated visibility into all of those different pieces.”

MobiTV also customizes domain policies to enforce and lock down different aspects of its Windows and Linux machines and uses monitoring agents that not only report back performance and health statistics but also monitor for security events and patch management gaps. For mobile devices, Kalmes insists on password controls and timed auto-lock for all users, and he can remotely wipe data from any device in the event of loss or theft.

Kalmes recommends starting with a foundation of policies and procedures rooted in best-of-breed IT security frameworks. “As a small company, we may not implement every aspect of every control to the level of detail that’s available in those frameworks, but it does provide us with some structure and guidance immediately,” he says. “Then, as we grow in complexity and size over time, adding on new controls or new procedures is pretty easy.”