This week, Microsoft announced that its Advanced Notification Service (ANS) will be made available only to premium clients—to me, this is just wrong.
ANS is widely used by companies to analyze the upcoming releases and to assess how to handle the update process, such as scheduling extra service windows and test planning. With the volume of security fixes being issued every month, this whole process is not without importance. Sure, Microsoft’s biggest clients are premium already, as are those just below them in size; medium-sized companies can probably afford to become premium, but I doubt that 100-employee companies with one or two FTE IT staff can.
And yes, companies like that do exist and are probably more numerous than you think. These are the types of companies that have very little knowledge of security, or resources, to begin with and many depend on the ANS for knowledge about what’s happening.
From my point of view, we need to do more to educate companies in general on how to do security right. Recently, we’ve seen big corporations like Target, Yahoo and others finally appoint a CISO, which should make it a rather simple conjecture for you, the reader, to figure out how small companies do security.
Even inside the #Infosec echo chamber of Twitter, defending a company isn’t something people can agree upon, but at least the awareness is there. However, outside the companies that attend the circus-of-conferences each year in the US, reality is something else entirely. I still regularly meet people who’re surprised when I tell them that AV isn’t enough. I am also often faced with the follow-up question: What should we buy?
One thing that seems to resonate within the #Infosec twitterati, with the exception of vendors, is that we need to do the basics right before we go out and buy new countermeasures. Training, mastering what you’ve got, and building upon this beats buying today’s hottest silver bullet (which isn’t) any time.
Microsoft should have gone this way instead. I think Microsoft should’ve used their (probably) upcoming switch from licensing to services revenues to use their existing channels to push security education and awareness.
Below are suggestions for building on top of ANS I believe Microsoft should’ve considered:
- Offer free security education and training for all existing clients at every location, globally, such as daily walk-in classes in all/selected locations open also for non-clients.
- Have Account Managers reach out to all existing clients, especially small-medium-sized clients with the message: “Attend this classroom security awareness training or we’ll come to you and do it.” Then, follow up and make sure all get through this.
- Expand on this initial offering with a free massive online education program covering Information Security.
- Include free training/awareness campaigns with each ANS release.
- Offer low-cost managed security services for small companies.
- Work with, as an example, Tripwire to offer free or low budget security scanning and improvement suggestions for small companies.
- Work with research and educational institutions to improve the quality of students ever after.
It doesn’t really matter if the above suggestions are perfectly valid or not. The point I’m trying to make here is that to raise the overall level of security, we need to stop worrying about only Target-size corporations. In fact, they should be worrying about themselves. We need to consider ways to reach the small companies and up, who even to this date have very little clue about how to improve their level of security.
We need to identify and pursue channels that can reach outside of the traditional echo chambers. I think that increasing the level of security in a lot of small companies will impact the world a whole lot more than selling silver-bullet solutions to Fortune 500s.
About the Author: Claus Cramon Houmann is addicted to everything Infosec and is trying to contribute to the community by adding a “defending SMB’s in today’s evolving threat environment” POV. Claus currently runs an IT Consulting company plus works as Head of IT for a bank in Luxembourg. Claus previously worked in the IT outsourcing industry for many years.
Claus is acutely aware of the need to improve lingo and understanding of Information Security and all the issues and challenges this involves and has been working for many years to improve his own lacking communication skills in this regard. Claus actively supports initiatives that aim to improve security for us all, most notably the iamtheCavalry movement and The Analogies project, which he hopes to help spread to Europe/Globally. Claus runs a security twitter feed of aggregated infosec news and events which he mostly uses to learn more personally. Claus is an active blogger, blogging for Information Security Buzz and Peerlyst.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.