Small businesses face a unique challenge when it comes to IT security: They're expected to meet enterprise standards for handling data, but on a shoestring budget and with razor-thin profit margins. And since many smaller companies can't afford to design and build apps in-house, they're forced to rely on an application ecosystem that's dominated by potentially insecure third-party programs. Is true IT security for small business possible — or is it just a pipe dream?
The Small-Business Problem
According to the National Cyber Security Alliance (NCSA), smaller companies are at serious risk when it comes to cybersecurity breaches. While 66 percent say they're "not concerned" about external or internal threats, the NCSA found that 60 percent of small businesses hit by cyberattacks closed within six months. As noted by Norman Balchunas of Drexel University's Cybersecurity Institute in a recent Philly.com article, there are several reasons cybersecurity isn't "top of mind" for smaller companies. For some, it's the need to push out new applications or services as quickly as possible — security gets shelved in the interest of profit. Other, older businesses are "not Internet-savvy and have not been overly concerned about their data." In both cases, however, there's an even larger problem: With minimal IT staff, it's often impossible to afford the kind of enterprise-grade IT security that's required to keep applications bug-free.
SafeCODE recently released a guide to assessing the security of acquired software and described several approaches for companies of differing sizes. Ideally, businesses should ensure that any applications they use conform to ISO/IEC 27034 and IEC/ISA-62443 standards, which provide long-term guidance for secure app development and management. This kind of strict testing regimen, however, comes with a hefty price tag that only enterprises and dedicated technology firms can afford.
Another option is seeking out security artifacts as a way to assess applications' maturity and safety. These include public documentation about secure development processes or vulnerability response along with published guides to properly configure app security. While this is a more cost-effective approach to IT security for small business, it lacks the kind of active mitigation many companies want from a security solution.
SafeCODE suggests a third approach which involves the use of testing solutions, such as binary analysis, that can identify critical vulnerabilities regardless of developer or application type, and without requiring access to source code. These solutions are far less costly than full enterprise app-security deployment, though they do require that companies identify a trusted vendor for implementation. Used before deploying third-party apps or as tests of in-house developments before they're deployed, binary testing can quickly uncover coding errors and omissions. In addition, since the process is automated, in-house IT can worry about results rather than execution. Ultimately, a little spend here saves a lot in the long run, since apps can be avoided or updated as needed to minimize IT attack surfaces.
Small businesses can't afford the same level of IT security as enterprises, but that doesn't mean they have to be easy targets for hackers. Investment in affordable tools from reliable vendors can improve overall protection without putting companies in the poorhouse — and shift AppSec from pipe dream to reality.
Photo Source: Flickr