The biggest security story of 2010 is the WikiLeaks posting of diplomatic cables that rocked the U.S. government -- more than once. The document leaks shed a blinding light on
data security at a whole new level. But what can small and midsize businesses (SMBs) learn from the security fiasco? Plenty.
Similar to enterprise policy, SMBs should build best practices around measuring and monitoring who accesses their data and deny access based on rules, said Justin Strong, a product marketing manager at Novell. Data encryption and an automated way to enforce encryption when dealing with USB flash drives and other removable storage devices are the key to avoiding this type of leak.
"It is extremely important to educate employees on the dangers of RSDs -- Removable Storage Devices. Never use an unknown USB stick or other form of removable media --these can frequently have malware on them," Strong said. "Second, costs, which are top of mind with all SMBs, shouldn't prevent you from implementing a basic set of security policies. Even baseline solutions can go a long way."
Information Security Matters
Oliver Lavery, director of security research and development for nCircle, said the main lesson for every business in this mess is that information security matters. The government and many of the companies that are opposing WikiLeaks are just shooting the messenger, he said.
"The problem isn't WikiLeaks at all, and shutting them down is pointless. Once the information had been (taken by users), they could have uploaded it to BitTorrent, or any number of other online forums. The problem is that there was a systemic failure to protect information that was classified as secret," Lavery said. "Don't make the same mistake with critical data inside your organization. Once the information has been (taken), you have lost control and it can be made public in any number of forums, not just WikiLeaks."
Lavery said every IT team should take a hard look at where business-critical information is on a network and at the security measures being taken to protect it. It's not enough to have good tools and policies; they have to be enforced.
Do We Trust Staff Too Much?
As Ken Ammon, chief strategy officer at Xceedium, sees it, it's critical that SMBs look at the fundamental issue, which is that in most organizations trust is granted to staff, allowing them access to mass amounts of an organization's most sensitive data. And, he added, the adoption of mobile and cloud computing pave the way for trusted staff to transfer and share data on the Internet.
"We have yet to get ahead of the problem of a capable, motivated attacker who in some cases is sponsored by foreign governments. Today, we're all talking about what happened with WikiLeaks and many are focusing on the 'Wiki' and not the 'Leaks,'" Ammon said. "And while providers have shown good faith by shunning DNS and hosting services to the WikiLeaks site, what will follow is a game of Whac-A-Mole."
Ammon suggested a paradigm shift. Companies should still aim to establish trust -- with background investigations and such -- when they engage with partners, employees and others. But organizations can no longer extend that level of trust to things as powerful as information systems and technology, and in particular those trusted to administer and manage these platforms.
"At a minimum, organizations should tackle high-risk challenges posed by well-understood threats that are easy to solve -- like controlling administrator and privileged access to data and systems with today's existing technologies that are not prohibitively expensive," Ammon said.
"In fact, a proper privilege-management platform designed to control, contain and audit access to assets and systems needed to perform one's job could have prevented the WikiLeaks leak. WikiLeaks is only the tip of the iceberg in terms of the trust and access issue having the potential to cause more damage without action to create a zero-trust information technology environment."