SMBs: We don't want to spoil all of this article, but have you patched, taken away admin rights, made backups yet? Recent headlines have been full of IT security breaches at major corporations, such as the theft of customer data from British Airways in September 2018. Yet, smaller companies should not believe that they fly beneath the radar of attackers. The Small Business Cyber Risk Report [PDF] from insurance firm Hiscox found that 47 …
The problem with SMBs is in the name: Small. They employ just a handful of people, none of which are employed solely to do IT. You'll probably find the person who does IT is the one who is the least hating of IT.
In the ivory towers of professional IT, we can mock all we want. But is it the fault of the SMBs in not taking IT seriously, or the IT market of making things just too darn complicated?
but I doubt things can really be a lot more simpler than they now are.
Well, one could simply unplug the cable connecting their computers to their ISP, fill the port the cable plugs into with quick setting epoxy, and go back to using paper and voice lines for communicating with banks and such. That's old fashioned and quite unstylish as well as genuinely impossible for many businesses. But where it is feasible it dramatically shrinks the attack surface, moots concerns about OS vendor spying, and obviates the need for and risks of dealing with continual questionably well tested OS updates.
The problem as I perceive it is that Computer security for the past two decades has been a Red Queen's race. Run as fast as you can just to stay even. Participating in a red queens race generally is a poor idea if one can opt to sit back and watch. I see no sign that any real progress is being made. If anything, things seem to be getting worse although that might be an artifact of recent laws requiring disclosure of computer breaches in a timely manner.
When (if) things actually look up, it'll be easy enough to harden your system then rejoin the connected world. If you choose to. And note the order. It's important. Harden first. Then connect.
I await the inevitable flood of downvotes. I would point out to the downvoters that if you folks knew what you were talking about, we probably wouldn't be having this discussion.
Nope, I don't buy that excuse... I've been an IT Manager in SME's for 15 years, I've had several roles where the predecessor could not deal with these issues. But in reality they are the basics of modern IT.
I would stress, this is usually a problem of the company's own making, they recruit a PFY or promote the "office junior" to the IT position, but then fail to provide support, training or a mentor. This person communicates in "IT" lingo, not business and so doesn't know how to communicate, when asking for budget they'll push the IT agenda, rather than spinning the business/productivity benefits.
Also, there are plenty of tools out there for SME's to use for patching... Go checkout DesktopCentral, its cheap, easy to install and manage, you could install and deploy it to the whole company in 1-2 hours. It shows you what updates are needed, which it will then automatically go off and download, and install at a scheduled time, it will patch Windows, Macs, Linux and the most common 3rd party applications - straight out of the box, it can not get any easier than that!
I expect a major factor in this is that it depends very much on the willingness of leadership to hire the right kind of infrastructure support and then actually listen when they point out the weaknesses--because when the CEO of a major national retail chain is said to have replied to warnings with "we sell hammers", then there is faction in the corporate culture that is really doing leadership wrong. Yeah, those of us in the trenches are really never going to forget that one.
PHB: "what? you want me to spend $800 a year on some software to manage software? I just spent $1000 on a brand new server for you five years ago and now you want to blow more money? Do you have any idea how many widgets we need to sell to make $800?"
(on a serious note, thanks for the pointer to DesktopCentral, it might be a good fit for us, since we're small enough for the free edition for now!)
when I saw SMB in the title, I was thinking "Samba" or windows networking in general.
OK so "yet another TLA" re-purposed to "yet another definition" on top of the others, even within the same technical realm, just to make things even MORE confusing.
That being said, removing 'admin' access on SMB shares is a *GOOD* thing. Here's what _I_ like to do:
a) host SMB shares on Linux or FreeBSD servers. Make them READ-ONLY via Samba's config.
a.1) alternately do that with a LAN-only web server, so people can view the files via https
b) to update a file on an SMB share like described in 'a', use scp or rsync [preferably from within Cygwin]. A script to do this somewhat automatically (to sync local to remove storage) would help.
b.1) similarly, a "put file" transaction via a web server to add/update or even remove a file, which is less secure but would require an actual login and, perhaps, more easily support transaction-based updates.
c) if that's too difficult for people to work with, IT can wrap a UI around it with a scripting language of some kind.
d) set up transaction-based backups for really important files, so you can revert them easily. Do *NOT* allow access to the backup directories outside of the server's management, and do NOT use a windows machine for the backup!
A properly set up network COULD do things LIKE this, and users aren't "too dumb" to follow some proper procedures with respect to important data. Yeah it requires some IT effort but there ya go.
[other similar kinds of things could be done, too, just saying what _I_ would do]
O365 uses the same business model as all the other cloud services, which is to get you to sign up for as many of their services as possible--regardless of whether they would all be acceptable for a particular customer's security needs, such as the remote desktop features of many meeting and communication apps. And, once a customer has been strong armed into allowing something dangerous, there's no way to control it. So, whatever anybody says about being able to secure cloud services, these big cloud-service bundles are more in the interest of Microsoft and other cloud-service providers that want to stop selling software and move everybody to a forced subscription model are not in the interest of the very variable security needs of individual enterprises.
(BTW, SME also stands for "subject matter expert". After all, we are now in an age when acronym collisions are inevitable.)
In my experience, SME is fairly new to the UK. It was prevalent in the US where SMB was the UK equivalent. Over the last 10? 15? years, it's now become more widely used.
Same goes for Chairman/Managing Director/Finance Director/IT Director type titles being replaced with US style designations (CxO).
More often than not the patches cause more headaches than they solve. Many times I have done a 'just released' patch and has forced me to roll back a VM. Worst case one was early 2017 when the update fully killed Exchange 2016 on reboot (I wasn't alone). All services failed to start and had to take it back to the snapshot. Now I only update that server once I have a fully tested patch on a lab backup and then only after a few weeks has passed.
Going gung ho on patches is very risky these days.
Most smaller businesses simply don't want to put up the money for an IT professional. I have seen many go with MSP's that take no ownership of IT health and security. As long as they get that check and put the right wording in the contract, it doesn't matter to them one bit.
Another plan I have seen in place is offloading IT infrastructure to the one web developer hired to make the online presence. Usually somebody fresh out of college or boot camp that barely has time for the web development projects piling up.
What I do not see much of is business schools and colleges teaching just how crucial IT is to the foundation of a business these days. Sure, they make sure students know the importance of online commerce. However, I do not hear the lesson on what happens when your internal systems are hacked or just go down, be it the network, billing software, ordering system, etc., , causing loss of client confidence or costly contract violations. How many businesses end up closing shop when all they needed was one competent IT person.
You have a point about admin access, however, when your company is involved in developing software, that is hard even for large scale organisations to avoid. Most installs of software in such a closed down environment are done on a white list basis using signatures. If you are developing desktop software and need to create an installer or test an installer or run any other software that is unexpected as far as signatures are concerned because you wrote it yourself, then result is usually they give you admin access, anything else prevents you being productive.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
