5 Steps To Stronger SMB Application Security

  /     /     /  
Publicated : 22/11/2024   Category : security


5 Steps To Stronger SMB Application Security


How one never-breached, midmarket retailer avoids the too-small-to-be-secure mindset in favor of Fortune 500-grade threat prevention.



9 Startups To Watch In 2012 (click image for larger view and for slideshow)
Small and midsize businesses (SMBs) have a litany of excuses at their disposal for spotty security practices, with slim budgets and IT departments leading the list. Those two, in particular, are valid reasons. You can either cave to them, or secure your companys assets anyway.
Bobs Stores
chose the latter for its approach to application security. The midsize, regional retail chain employs roughly 650 people; suffice it to say the lions share of the staff works on something other than application security.
IT is very light, said Yaron Baitch, director of IT and information security at Bobs Stores. In an interview, Baitch outlined how Bobs Stores ensures top-notch security for both its internal employee and external customer applications, in spite of limited resources.
[ The new Internet protocol is coming--are you ready? See
3 Ways For SMBs To Plug IPv6 Security Holes
. ]
He shared a panel on the topic last week at the
RSA Security Conference
. Its a fairly straightforward recipe grounded in an organizational understanding that the companys bottom-line health is at stake. And it works: Bobs Stores has never had a breach. Baitch half-jokes that acknowledging this fact makes his company a juicier target for hackers. Dark humor aside, that speaks to a
basic security
mistake many SMBs still make: Thinking no one would bother with their small business.
Heres how Bobs Stores sidesteps that myth in favor of secure applications.
1. Security Is A State Of Mind
That basic level of awareness is a must--not just for IT, but for each and every person in the organization, regardless of their job description. This is the step that sounds easy, yet gets bypassed on a regular basis. Security is everybodys responsibility, Baitch said. That mindset should extend to vendor-built applications, too; Baitch points out that if theres a security breach, your customers will associate it with your brand, not with a backend developer. Making sure everyones playing on the same page is critical, Baitch said.
2. Let Your Pain Points Make Your Business Case
Baitch considers it good fortune that his company must adhere to
Payment Card Industry
(PCI) standards. Ill repeat that: Baitch is glad he has to deal with PCI, even though he doesnt have the compliance budget of much larger retailers that operate under the exact same rules. Hes not insane; hes pragmatic. PCI essentially makes Baitchs business case for him when he explains the importance of
security
to executives and other stakeholders. If your company contends with heavy compliance burdens, use those to prove your security case to the rest of the business. Still, Baitch acknowledges its not always easy. Negotiation with the business is key--if you arent so fortunate to deal with a regulatory quagmire, come up with a different set of reasons and priorities that non-technical people can understand and buy into.
3. Know Your Strengths And Weaknesses
Dont shy away from your natural limits. You dont have Googles gazillions; you cant spend your way past every business challenge. Boo-hoo: Double-down on your strengths and shine an equal spotlight on the skills that are lacking. Doing so will help you identify where it makes sense to allocate your finite budget. An example: Baitch is thoroughly impressed by his small internal development team and credits them with excellent custom-built applications. But ensuring that each line of the code behind those applications is secure isnt necessarily a strong suit. They dont have the holistic view of security in mind, Baitch said. So Bobs Stores enlists a third party,
Veracode
, to test its applications for potential security holes.
4. Outsource Your Weaknesses
If Baitch had to start over, one thing hed do differently would be to embrace outside help earlier. It can run counter to the do-it-yourself ethos common among many SMBs. It can also require letting go of some ego. But outsourcing your skill shortages can turn them into strengths. Leveraging third-party tools from the beginning would probably be the number one thing I would have changed, as opposed to having a learn-on-the-job type thing for developers, Baitch said.
5. Know Your Endgame
Baitch is quick to point out that no two companies are quite alike. Therefore, theres no set of security goals that can be applied uniformly to every SMB. Define what you need to secure and why--then pursue those goals with gusto. PCI compliance was the headliner for Bobs Stores. Your SMBs list might look entirely different. Having clear goals helps reinforce step one--that organizational mindset that understands there are a real reasons for doing X, Y, and Z, rather than considering those variable practices a waste of time. The endgame has to have everyone on the same page, Baitch said. Its your job to implement. How you implement is completely up to you, as long as you meet that end result.
Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud. In our
Cloud Security
report, we explain the risks and guide you in setting appropriate cloud security policies, processes, and controls. (Free registration required.)

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security

▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security

▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
5 Steps To Stronger SMB Application Security