Security today begins at the endpoints
Imagine you knew someone was planning to break into your house. Now imagine that an attempted break-in would take place 60,000 times every day. That’s the number of times the average midsized company's IT infrastructure is attacked. On a smarter planet where we constantly interact with data and one another via mobile devices and laptops, we need security measures that protect those endpoints and the systems they access.
Large enterprises have large IT departments with dedicated teams focused solely on addressing security concerns. In contrast, midsized businesses often must address the same concerns with limited budgets and a handful of multi-tasking individuals. How can they meet the challenge?
According to Kimber Spradlin, Endpoint Management and Security Product Specialist at IBM, the first step is a basic shift in philosophy that applies to all businesses. "Secure the endpoint, and do not worry about what your firewall is doing. You cannot rely on your firewall anymore."
A shift away from firewalls
This approach is particularly important given the growing number of employee-owned devices in use in midsized businesses, notably smart phones and tablet PCs. These days, employees tend to use their own devices to access e-mail and files, work on documents, and even conduct meetings. "Employees aren't as careful with these devices, the kinds of websites they access, the kinds of applications they download," says Spradlin. "They're downloading apps to entertain kids at the dinner table, and these are the same devices they're using to access the corporate network."
The danger of carelessness is exacerbated by the growing sophistication and pervasiveness of malware. "I think many medium and small sized businesses are surprised by being targeted by malware and various theft and blackmail attempts," says Spradlin. "It's thought that this only happens to large organizations, or companies with very public brand names like your retail organizations. But it's really spreading throughout all kinds of businesses, through various scans and bots and what have you. These criminals are not picky."
Another security problem in a world where everyone is interconnected is the management of remote employees, who may be dispersed across multiple locations. "We talk to customers that only have two or three hundred employees, and yet they're scattered in 40 or 50 different locations, most of them working from home off of Internet-based connections. They're not necessarily connecting to a corporate VPN, because a lot of the applications and business tools that they're using are cloud-based."
Patch management is crucial
Given workforce mobility and cloud-based applications, it can be weeks before some devices are re-connected to the corporate network. Clearly, weeks are way too long to delay any kind of compliance assessments, or patch updates.
In fact, patch management is one of the most important tasks IT departments must tend to in order to secure the growing number of mobile endpoints. Fortunately, there is now technology that can operate at any scale, large or small, to meet this challenge.
Spradlin relates that when IBM implemented its newly-acquired BigFix technology it was able to reduce the patch cycle to about 24 hours, which in turn lowered the security incident rate by over 80 percent. "I think that really demonstrates how patch management is the foundation underneath endpoint security, and that having good, fast, accurate patching is necessary at the distributed endpoint level, not just at servers that deal with financial data or personal data.
She emphasizes that this technology works equally well for much smaller companies. "You can imagine scaling it down to a company with an IT staff of maybe five people. If companies that size can eliminate or nearly eliminate cleaning up infected machines and dealing with security incidents, the staff could be working on activities to further the business."
And much of the patch management process can be automated. This includes collecting and packaging the patches, testing them against a "canary group" of machines to make sure they won't cause problems, and rolling them out to the entire environment with multiple convenience features such as warning users that a patch is about to be installed, allowing them to delay rebooting their computers if they're working on something.
Multiple attacks on multiple platforms
While patch management is indeed critical, Spradlin warns against using free patch management tools supplied by vendors. In recent years, the use of alternative OS platforms has grown among midsized businesses. The Linux and Macintosh platforms are both on the rise, and Android, IOS and Google Chrome are likely to follow. "Small to medium size businesses that used to be primarily Windows shops could rely on a certain set of tools that were Windows-only," says Spradlin. "They are now struggling to make sure that they have IT competency across other platforms, and are having to look at tools that cover those other platforms as well." She cites Microsoft's WSUS service as an example. While certainly adequate for an all-Microsoft environment, "it does not cover any of the third-party applications, and those are becoming even more critical. We're seeing many, many more malware exploits directed at Apple products, Adobe, Firefox and Java."
The main problem with a OS or application vendor solution, says Spradlin, is that it "gives you no enterprise visibility into whether or not those patches are truly applied. It does not enforce the patches. Plus it doesn't provide the level of reporting and deployment control most organizations need today. And each update service only covers that vendor's activity, so you're going to end up with gaps."
Whatever solution a company may choose, Spradlin advises, "The most important element to all of this is visibility. Knowing exactly what is connected to your network, what software is installed, who has access to what, what kind of data your organization stores, and where you store it."
Two tenets of cost management
The challenge of gaining this level of visibility while providing endpoint security and related patch management can be daunting to companies with limited resources. Spradlin recommends two strategies for managing patches efficiently and economically. The first is vendor consolidation. "The fewer the vendors that you're dealing with from an endpoint management and security perspective, the less infrastructure, the fewer number of endpoint agents – all of that will combine to lower your costs through longer hardware refresh cycles, less time spent calling support lines, less money spent on software licenses and on hardware to run those management tools. It's a lot more than just the software license alone."
The second strategy is prioritization. Businesses that collect sensitive financial or health-related data, for example, need to evaluate whether they apply tight security across the entire environment or only to systems that deal with sensitive data that requires strong protection.
As mobility and the interconnectedness of people and data continues to increase, so do the business opportunities, but the risks are growing as well. With the right endpoint security tools and policies in place, midsized businesses can protect themselves from the increasingly sophisticated threats and intrusions, and fully capitalize on their opportunity to become the engines of a smarter planet.