funsec mailing list archives

Small companies ignorant of security?


From: "Gary Funck" <gary () intrepid com>
Date: Mon, 20 Nov 2006 18:22:48 -0800


And big companies aren't?  Look at how many data
breaches there have been at very large companies
and government institutions.

The author makes the following points (my comments
are marked by REPLY:):

1) Ninety percent of small businesses and consumers install antivirus, but
10 percent never update the software's signatures. Schmidt
goes on to say:

"SMEs (small and midsized enterprises) are not aware of being a potential
victim--spending 40 pounds per year on antivirus is not a high priority,"

REPLY: There are a few problems here.  First, why are the OS and
the application infrastructure so vulnerable to viruses?
Could proper security and authorization policies eliminate
the need for antivirus entirely?

The author's claim of 40 pounds per year for antivirus
software should read:
"40 pounds per workstation and personal computer per year"

Including the admin. costs, that stacks up to quite
a bit of money.  Perhaps roughly 100 BP, or approx. $200 USD/year
per employee? 

And, what percentage of data breaches, and/or
service outages have been attributed to viruses versus other
attack vectors?

2) The author seems to focus on P2P programs as a primary
weak link in the security infrastructure:

Schmidt says: "Individuals working on peer-to-peer networks often don't
realize they're sharing the whole contents of their drive. You can find
Homeland Security vulnerability assessment documents online from employees
(using P2P)."

REPLY: If the security policies on computers that
connect to the network were sufficiently restrictive, the
users would not be able to install P2P programs, or modify
the firewall filter to open up P2P ports.

3) Schmidt's solution:

"Eventually, we'll move to a model of software as a service, with a low-cost
environment of managed security services," he said.

REPLY: Eh? How does a "managed security service" fix the
problems mentioned above, and others mentioned in the article?


URL:
http://news.zdnet.com/2100-1009_22-6137381.html

Small companies ignorant of security?
11 / 20 / 06

Small businesses must become more aware that they are the potential victims
of cybercrime, former White House security adviser Howard Schmidt has urged.


Speaking at an IT security event at London's House of Lords on Monday,
Schmidt said all businesses are at risk through a lack of proper
configuration of security equipment, or through not taking proper security
precautions. 
[...]
Schmidt is on the board of directors for Fortify, which sells source code
analysis tools.

Tom Espiner of ZDNet UK reported from London.



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

