As small and midsized businesses try to chart a strategy for digital transformation, ensuring data security is becoming increasingly difficult. Threats are getting more sophisticated and numerous, and the emergence of the Internet of Things as a crucial business strategy has exploded the number of vulnerabilities in a typical organization’s environment.
“We’re seeing a blurring of the lines between large companies and SMBs today,” said Zulfikar Ramzan, CTO of RSA, a Dell Technologies cybersecurity company. Ramzan noted that thanks to the emergence of cloud services, “SMBs can access some of the same resources that bigger organizations can. So in many ways, even though they’re smaller, for the first time we’ve seen this democratization that’s been fueled by the cloud.”
That’s a good thing, but it means that SMBs must deal with many of the same security issues that much larger companies do. Ramzan sat down with BizTech for a conversation at Dell Technologies World 2018 in Las Vegas to discuss the threats facing SMBs and how to best confront them.
BIZTECH: What are the biggest security threats facing SMBs today?
RAMZAN: The No. 1 threat is identity management. You have employees, some of whom may be full time, others who may be contractors and others who are working with you through third parties. And for a lot of small organizations, their third-party problem is pretty huge because they’re working with a lot of partners since they can’t do everything on their own. And how you manage those identities and how you give people access to resources that they need, while providing a level of convenience is becoming a bigger issue.
Zulfikar Ramzan, CTO of RSA. Photo courtesy of Linkedin
The beautiful thing is nowadays we really look at the identity problem differently than we did historically. Identity used to be a really complicated endeavor to deal with, but now you can create a service in the cloud and start leveraging it — for example, at RSA, we’ve done a lot of work allowing our customers to leverage cloud services without having to rethink how they do their identity structure. Because once you have identity right, the rest of your security is resting on a solid foundation. Security is really about ensuring that only the right people can access the right resources at the right times, and do the right things with that access. And if you don’t have identity as a foundation, then nothing else will follow from that point onward.
BIZTECH: What about malware and ransomware?
RAMZAN: We’re seeing a lot of situations where especially SMBs can get compromised in devastating ways. We do a lot of work with the FBI, and one startling statistic I heard from the FBI is that in the aftermath of a major cyber breach, most SMBs are out of business within six months. Having a few hundred thousand dollars stolen because of, say, a spear-phishing attack could mean the end of your business very quickly.
That’s why I started with identity — that’s where people access the critical resource. Remember, an attacker is not going after your business for its own sake. They’re trying to get something out of it, usually critical data that leads to some monetary gain. And so it’s like protecting a bank — you can build a strong front door for a bank, but an attacker’s goal isn’t to walk in the front door; it’s to get the money in the vault. Identity is where you maintain the keys to the kingdom.
Malware defense is a key area to think about. And we certainly recommend that you have your basics in place: your anti-virus, and make sure your systems are patched. But we’re also noticing that as organizations start to access more cloud services, they can circumvent some of those issues because they no longer have to maintain systems internally. And I’ve argued that a secure system is a well-managed system. Most organizations don’t have the resources to manage their own systems — even large ones have failed miserably. When you leverage a third-party service, you let someone else manage it for you. So you give up some control, but you also get reduced cost of manageability, and that ends up paying dividends in terms of security as well.
BIZTECH: What are the big differences between the data security challenges SMBs face versus enterprise organizations?
RAMZAN: For SMBs, the really difficult problem is that lack of economy of scale. Everyone’s a target. Sometimes a smaller organization will partner with a larger organization and a hacker will target the smaller firm as a means of getting to the bigger one. We see these kinds of attacks all the time. In the context of a bigger organization, we refer to it as third-party risk.
It’s not like the security issues that smaller companies deal with are that much less than bigger organizations. But they have less resources. They can’t have the same level of sophistication in their security programs.
BIZTECH: Can you describe some of the emerging threats that the Internet of Things presents to companies?
RAMZAN: It seems like the buzzword of this conference is IoT. One of the biggest challenges is that there are all these devices out there, all of them generating data that could be relevant, and all of it could represent a conduit into some deeper and more valuable data inside an organization. We’ve heard of so many cases where an attacker will go after an IoT device and use that device as a mechanism to get into a richer data store.
The second thing to consider is that no one is immune. In fact, small organizations often have to deal with IoT in more significant ways because they leverage third parties more extensively to do their work.
And third, when you think about what it takes to secure IoT, a lot of companies think about their security strategy first. What you really have to start with is your business strategy. I’ve had people say to me, “I have money to start an IoT project.” That’s the wrong approach. The right approach is: “I have money to solve a well-defined business problem, and I think IoT might be part of the solution.”
So you have to first think about your business objective and then use that to help define your security strategy. In other words, take a business-driven approach to security. Because ultimately, if you just try to throw money at a security problem without really thinking about what you’re trying to achieve on a business level, your efforts are almost guaranteed to fail.
BIZTECH: What are the IoT security principles that SMBs should be aware of?
RAMZAN: Well, first, consider that IoT is a place that’s ripe for vulnerabilities and increases attack potential exponentially. I’ll give you a statistic: In the next 10 years, more than a trillion lines of code will be written by organizations that have never written a single line of code before. When you think about how many organizations are effectively becoming software organizations today, they’re releasing all this software and they have no experience with software. That software will be buggy — it’s hard to write software even if you know what you’re doing. So there’s this landscape of vulnerabilities out there.
So the first thing to think about is, do I even need all of these devices in my environment? And second, how do I minimize what that device needs to access? In a lot of cases, these devices are configured to do all sorts of things, and you may need only a fraction of those things carried out to solve a problem. So think about that principle of least privilege. How do I ensure that my devices aren’t doing more than they need to be doing?
Third, remember that today’s IoT devices are often not attacked for their own sake but because they can be used to launch other attacks. We saw this, for example, with the Mirai botnet, where all these Wi-Fi baby cameras were compromised in order to use them as a launchpad against major websites, which were attacked with denial-of-service attacks.
BIZTECH: What else do SMBs need to know about modern security?
RAMZAN: When you think about IoT, it’s not just the Internet of Things — it’s the Identity of Things. Each of these devices may have an identity associated with it. It may take an action on behalf of someone; we’re starting to blur the lines between the person and the device. Artificial intelligence has the ability to start emulating human behaviors, which means that we’re going to see devices taking action on the part of people where the people may not have initiated the action. In a world like that, identity management becomes much more critical.
We’re spending a lot of time thinking about how to ensure that your identity management program extends not just to physical human beings but ultimately to the device level, where devices can take action on your behalf.
For more, check out all of BizTech's coverage of Dell Technologies World 2018 here.