KEY POINTS:
With few small businesses possessing a 360-degree view of their IT security needs, software developers like Microsoft have started to develop software with security features embedded in core design.
Not only does this help reduce the number of software security issues faced by businesses, it results in fewer headaches for software developers, who must plug, patch and fix known security vulnerabilities as they occur in each product.
The not-insignificant cost of this means today's developers prefer to 'lock down' security vulnerabilities within their software at the time of shipping, rather than trust businesses to do it later.
"Any defence [technology] that arrives turned off by default is not defence. When you have 200 million users you need to be very pragmatic about where the slides go between security and usability," says Michael Howard, principal security program manager for Microsoft Corporation.
Speaking in Seattle in May, Howard described Microsoft's 'Security Development Lifecycle', an end-to-end approach to security which sees Microsoft locking down vulnerabilities from the 'blueprint' stage of software development.
For Microsoft and others, the desire to deeply embed security technologies in software products is warranted.
Gone are the days when viruses and other malware were developed mainly to bring notoriety to the creator - today's data security threats are more subtle, more damaging, and designed to make money for organised crime groups.
Examples include email campaigns that attempt to fool the recipient into revealing personal details which can be later used to access secure information or services, and the installation of 'key logger' software so keystrokes can be read and passwords and other information deciphered.
Network and application vulnerabilities can allow an external "hacker" into the business to obtain information which can be later sold, or more commonly that allows internal staff access to information they shouldn't have access to. When the latter happens, data can be intentionally or unintentionally tampered with, or widely distributed when it shouldn't be.
The main issue facing many New Zealand businesses is that they typically have no idea when or how such security breaches occur across their networks. Most believe a network equipped with antivirus software and a firewall is protected.
However, these technologies may fail to prevent unauthorised wireless access, user behaviour that compromises security, or criminal attempts to gain information via 'social engineering' (sophisticated attempts to win people's trust via personal meetings, email messaging or online sites).
Nor do installed security products achieve even basic protection if they are not configured properly and kept up to date.
In May, data security firm Symantec surveyed 301 Australian and 73 New Zealand businesses across a range of industry sectors, each with a minimum of five networked computers.
While 75 per cent of New Zealand businesses said they had a policy to guide staff on internet security practices, 44 per cent acknowledged their networks had been affected by a virus or other security threat in the past 12 months - and that's only the ones the business knew about.
Considering the impact of lost or corrupted business data, or of failing to comply with regulatory requirements to keep data secure, what can a business without dedicated data security people do? How can directors and managers keep up to date with the myriad of security technologies and guard areas of vulnerability that occur across the business?
In 2007, the answer may be to give up trying and instead engage a third party able to offer a range of managed security services. These include providing an analysis of the current security risks faced by the business and developing a plan that holistically addresses them using security technologies, user policies, and ongoing monitoring, reporting and recommendation.
Once the domain of large businesses, managed security services probably make more sense for smaller companies that don't employ dedicated IT managers. Such services are also available to smaller businesses: many of the resellers of major security brands are trained to provide the consulting and managed services these businesses require.
The benefits of using a managed security service are something small businesses in countries like Australia, the US and the UK cottoned onto a while ago.
In comparison, New Zealand small businesses continue to buy security technologies either from a consumer electronics store, or online, and then attempt their own product configuration and monitoring.
This DIY approach is partly cultural, but is also due to the tendency of security software developers to market 'off the shelf' products to small businesses as well as consumers to increase software sales volumes. Small businesses awake to the true nature of data security threats and identity theft around the world will shun this approach and pick up the phone.