Small businesses have different requirements for managing IT than larger enterprises. Often, the critical areas...
of IT -- including the Microsoft Exchange messaging environment -- aren't paid enough attention. Those in charge may not have the proper experience or tools to ensure its security.
If you work for a small business that uses Microsoft Exchange -- on-premises or in the cloud -- there are several areas of security that are unique to these environments.
Here are three areas where you can ensure that Exchange security is kept in check:
1) Resources. Many small businesses manage their own Exchange environments, sometimes even without the expertise of an IT professional -- either in-house staff or a consultant. This can generate significant cost savings, but not pay off so much in terms of system resiliency and responsiveness in an outage or when a security incident occurs. In many situations, the available IT expertise doesn't translate into security proficiency for a small business deployment.
It can be argued that small businesses are off the radar of attackers, but if an Exchange environment is available on the Internet, then it's fair game for denial of service attacks, remote exploits and other security-related incidents. Such incidents can take Exchange offline for an extended period of time, or facilitate a breach or total loss of the system.
2) Maintenance. A well-maintained Microsoft Exchange environment can withstand many types of attacks. However, I often see older Exchange systems, e.g., Exchange 2007, that are not being patched, have never been properly hardened or have gaps in the data backup process.
Many small businesses operate in an "if it isn't broken, don't fix it" mode. A commendable approach for noncritical systems of days past, but it's unrealistic today, given the threats and vulnerabilities introduced by a publicly accessible email system -- a system used by people who are often not trained and can make mistakes on a critical application -- which can leave long-lasting effects on the business.
3) Visibility. Although most small businesses' IT staffers have network simplicity compared to their larger counterparts, it's rare to see such an environment where the person in charge of management knows exactly what's happening within the system at any given time. This can be related to lack of expertise, but it's due to lack of information -- the tools required to detect, prevent or reasonably respond to security anomalies and attacks, such as system monitoring and alerting, intrusion prevention, data loss prevention and mobile device management.
Ensure Exchange security in small businesses
The last thing any business needs -- especially a small one -- is a breach of the messaging environment that could have been prevented with the proper information and oversight.
To confirm Exchange is not creating any unnecessary small business security risks, first determine where the risks are, including system hardening, maintenance and antimalware that you manage or outsource. This requires a security vulnerability assessment, ideally by a third party that has an unbiased perspective. Be sure to check for the many commonly overlooked Exchange flaws.
Resolve the risks by applying necessary policies and procedures that are, in turn, enforced by the appropriate technologies, such as email security gateways and data loss prevention. Policies should address passwords, patching, system monitoring, backups and other security concerns. A well-written policy, along with specific procedures, states what and how your small organization addresses security concerns. Include ongoing daily, weekly and monthly maintenance as part of this as well.
Small businesses have just as much to lose as larger enterprises in terms of data breaches, legal issues and trust and credibility among customers and business partners. Keep these issues on your radar and in check.
All internal IT staff members need appropriate training. This could be in the form of Microsoft-specific classes, security webcasts, seminars and conferences such as RSA Conference and Black Hat. Remember to train your users on what to do and what not to do based on your policies.
Small businesses should also consider having an Exchange and information security professional on call. You won't have to rely on Internet searches for help when you're in a bind.
If you're cognizant of these Exchange security issues in small businesses and make the investment to shore up the weaknesses, you can have large enterprise-level security. Most importantly, you have the assurance that the viability of your small business is not hinging on one of these security oversights.
About the author:
Kevin Beaver is an information security consultant, expert witness, and professional speaker with Principle Logic LLC, based in Atlanta. With over 26 years of experience in the industry, Beaver specializes in performing independent security assessments and penetration tests revolving around information risk management. He has authored/co-authored 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com and you can follow him on Twitter, watch him on YouTube and connect with him on LinkedIn.
Applicable techniques for small business security
Six security questions you should ask about Exchange
What to know about small-business cybersecurity