
Security is SMEs' biggest IT worry, according to the
Computer Weekly/BT SME ICT Audit. The threat is real, but there are
technological and management defences, as Helen Beckett
reports
The SME nation is under siege from malicious hackers and a spate
of computer viruses and trojans. This is a key finding of the
latest Computer Weekly/BT SME ICT Audit, which shows that security
remains the single biggest concern on owners' radar.
Even more alarmingly, this perception of threat is found to be
entirely justified: in the month before the research was conducted,
27% of SMEs surveyed had been attacked by viruses or hackers. The
comparable figures were 24% six months earlier and 18% a year
earlier, so the picture is one of steadily rising security
breaches.
Not surprisingly, those companies without an IT department are hit
the hardest.
SMEs, typically constrained by cash-flow and a lack of specialist
IT knowledge, are in a tight corner in this climate of threat.
"Imagine where the SME sits on this. They want to get on and use IT
like a car, or any other tool. But each time they use it they think
it might crash at any minute," says Peter Scargill, IT chairman of
the Federation of Small Businesses (FSB).
Ben Booth, chairman of the Elite Group of the British Computer
Society, has witnessed this at first hand. "Viruses are hitting
smaller businesses more. They often have no infrastructure in place
and are not properly prepared," he says.
Against this backdrop of escalating security threats, however, is a
corresponding increase in the level of awareness, according to many
experts who deal regularly with small and medium-sized companies.
Businesses realise that their survival requires them to think and
act.
Eric Thornes of consultancy Etanda, which specialises in internet
security products for smaller companies, says that the amount of
unwanted e-mail monitored by his company is four times greater than
it was a year ago. But during that time it has also become cheaper
and simpler to deal with the problem. "Everyone is dealing with the
same problem and many people have experienced wasting a day through
scraping a virus out of the bottom of a PC," says Thornes.
The first step is to get all employees to sign a policy agreement
on e-mail and internet usage. After that it is a question of
preventing dangerous material coming in from the outside world,
whether that be e-mail virus, spam, or unsavoury content.
Equally important is detecting questionable e-mails being sent out
from within the company, which may expose an employer to legal
liability, says Jamie Cowper, head of channel for EMEA at messaging
security specialist Mirapoint. For example, financial services
companies are not allowed to use the word "guarantee", so outgoing
messages containing it can be detected and stopped before they
leave.
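One way to implement the outbound keyword check Cowper describes, as an added example written for this article rather than Mirapoint's product or any code from the original page. The blocked-term list, the two sample messages and the quarantine/deliver decision are assumptions constructed for illustration; the point is that the check runs over the subject and every text body part, uses word boundaries so "guarantor" is not flagged, and strips HTML tags so a tag cannot split a blocked word.

```python
"""Outbound e-mail policy filter: quarantine messages that contain words the
business is not permitted to send. Example code added to this article; it is
not Mirapoint's product or any code from the original page."""
import re
from email import message_from_string
from email.message import Message

# Hypothetical policy list. "guarantee" is the article's example; the other
# two terms are assumptions to show that the list is just data.
BLOCKED_TERMS = ("guarantee", "guaranteed", "risk-free")

# Word-boundary, case-insensitive patterns so "Guarantee!" is caught but
# "guarantor" is not.
_PATTERNS = [(t, re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE))
             for t in BLOCKED_TERMS]
_TAG_RE = re.compile(r"<[^>]+>")


def extract_text(msg: Message) -> str:
    """Return the subject plus every text/plain and text/html body part,
    decoded, with HTML tags removed so tags cannot split a blocked word."""
    chunks = [msg.get("Subject", "")]
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # attachments and multipart containers are skipped
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            text = _TAG_RE.sub("", text)
        chunks.append(text)
    return "\n".join(chunks)


def check_outbound(raw: str) -> dict:
    """Decide whether a raw RFC 822 message may leave the company."""
    msg = message_from_string(raw)
    text = extract_text(msg)
    matched = sorted(term for term, pat in _PATTERNS if pat.search(text))
    return {
        "sender": msg.get("From", ""),
        "matched": matched,
        "action": "quarantine" if matched else "deliver",
    }


# Constructed sample messages (not real traffic). The first should be
# quarantined: "guarantee" in the plain part, "guaranteed" in the HTML part.
SAMPLE_MESSAGE = """\
From: adviser@example-broker.test
To: client@example.test
Subject: Your mortgage quote
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, we can guarantee you the best rate on the market.
Your guarantor details look fine.
--b1
Content-Type: text/html; charset="utf-8"

<p>Rates are <b>guaranteed</b> for 12 months.</p>
--b1--
"""

# The second mentions a guarantor but no blocked term, so it is delivered.
CLEAN_MESSAGE = """\
From: adviser@example-broker.test
To: client@example.test
Subject: Meeting tomorrow
Content-Type: text/plain; charset="utf-8"

See you at 10am. Bring the guarantor's ID.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_MESSAGE, CLEAN_MESSAGE):
        print(check_outbound(raw))
```

In a real deployment the list would come from the compliance team and the quarantine would hold the message for review rather than silently dropping it, so that a false positive costs a delay, not a lost customer message.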
Filtering and blocking appliances that sit in the path of incoming
mail and contact the supplier's control centre for virus signature
updates and patches can be bought. For the company with between 50
and 100 employees and a generalist IT manager, this is a workable
solution. "You can leave it and forget it. It only screams if you
have a problem," says Cowper. Companies with no in-house knowledge
or resources may decide it makes sense to outsource security
instead.
Whichever method is selected, the onus to instigate protection
within an SME remains firmly on the owner. "If they are not
concerned then no one else is. The owner controls spending and has
to protect IT. If they do not, it is money down the plughole," says
Thornes. Worse still is the risk of business failure. Many
companies which have a total system failure go out of business,
according to the FSB.
Within the financial sector, compliance is a further driver for
businesses to review their security capabilities, according to
Emlyn Everitt, senior security consultant with Logicalis. "The
Turnbull Report was a watershed which provided companies in the UK
with guidelines about how to protect and report on controls of
their financial assets," he says.
Companies that put in place the basic risk mitigation appropriate
to an SME, namely firewalls, virus scanning and e-mail filtering,
have about 80% of the ground covered. But intrusion detection is
one aspect that gets overlooked, says Everitt.
This view is supported by the findings of NCC Group which, among
its many activities on behalf of users, provides ethical hacking,
or penetration testing, services. Almost half the systems NCC
Group tests for customers can be broken into from the internet. And
given that companies seeking advice have, by definition, a greater
level of awareness than most, this figure is if anything an
optimistic picture.
"It probably gets a lot worse when you consider the SME community,"
says Paul Vlissidis, head of penetration testing at NCC
Group.
Although SMEs are not an obvious target of the "script kiddies",
they are certainly within the sights of a new wave of computer
criminals. These hackers are not interested in breaking into them
as a business but in hijacking computers to launch attacks against
big business, says Vlissidis. NCC Group has received calls from
customers who have been accused of attacking a site and had no idea
they were being used as a "firebase" by a criminal hacker.
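The intrusion detection that Everitt says gets overlooked is exactly what would have warned the customers Vlissidis describes: a machine being used as a "firebase" shows up as abnormal outbound traffic before the victim's complaint arrives. The following is an added example, not code from NCC Group or the original article. It runs a simple detection over outbound firewall log lines and flags an internal host that either floods one external address or sweeps many external addresses on a single port. The log format, the LAN range, the thresholds, the addresses and the sample log are all assumptions constructed for illustration.

```python
"""Detect an internal machine being used as a launch point ("firebase") for
attacks on outside targets, from outbound firewall log lines.
Example code added to this article; the log format, thresholds, addresses
and sample log are constructed for illustration and come from no product."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log line: "<date> <time> ALLOW <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ALLOW (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
WINDOW = timedelta(seconds=60)
FLOOD_THRESHOLD = 50  # connections from one host to one outside host per window
SCAN_THRESHOLD = 20   # distinct outside hosts reached on one port per window


def parse(line):
    """Parse one log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_firebase(lines):
    """Return sorted (kind, source, target) alerts for internal hosts whose
    outbound traffic in any WINDOW-long span looks like a flood or a scan."""
    events = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        try:
            src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        except ValueError:
            continue
        # Only LAN -> internet connections matter for this detection.
        if src in INTERNAL_NET and dst not in INTERNAL_NET:
            events.append(rec)
    events.sort(key=lambda r: r["ts"])
    by_src = defaultdict(list)
    for rec in events:
        by_src[rec["src"]].append(rec)

    alerts = set()
    for src, recs in by_src.items():
        start = 0
        for end, rec in enumerate(recs):
            # Slide the window so it holds only events within WINDOW of this one.
            while rec["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            per_dst = Counter()
            per_port = defaultdict(set)
            for r in recs[start:end + 1]:
                per_dst[r["dst"]] += 1
                per_port[r["dport"]].add(r["dst"])
            for dst, n in per_dst.items():
                if n >= FLOOD_THRESHOLD:
                    alerts.add(("flood", src, dst))
            for port, dsts in per_port.items():
                if len(dsts) >= SCAN_THRESHOLD:
                    alerts.add(("scan", src, port))
    return sorted(alerts)


def make_sample_log():
    """Constructed sample: one host browsing normally, one flooding a web
    server, one sweeping port 445 across an outside range, plus noise."""
    t0 = datetime(2004, 6, 1, 10, 0, 0)
    lines = []

    def add(t, src, sport, dst, dport, proto="TCP"):
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} ALLOW {proto} {src}:{sport} -> {dst}:{dport}")

    for i in range(5):    # ordinary browsing from 192.168.1.10
        add(t0 + timedelta(seconds=12 * i), "192.168.1.10", 40000 + i, "198.51.100.7", 80)
    for i in range(60):   # 192.168.1.20 hammering one outside web server
        add(t0 + timedelta(milliseconds=500 * i), "192.168.1.20", 3000 + i, "203.0.113.5", 80)
    for i in range(25):   # 192.168.1.30 sweeping port 445 across 203.0.113.0/24
        add(t0 + timedelta(seconds=i // 5), "192.168.1.30", 5000 + i, f"203.0.113.{100 + i}", 445)
    add(t0, "192.168.1.20", 3999, "192.168.1.1", 53)  # LAN-internal, ignored
    lines.append("garbage line that the parser must skip")
    return lines


if __name__ == "__main__":
    for kind, src, target in detect_firebase(make_sample_log()):
        print(f"{kind}: {src} -> {target}")
```

The thresholds are deliberately crude; on a real network they would be tuned per host role (a mail relay legitimately talks to many outside hosts on port 25), and the alert would be correlated with the firewall's own connection counts rather than a single log file.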
Web servers were traditionally the easy route into a company for a
hacker. Installed out-of-the-box and without the necessary
"hardening" or configuration that makes them secure, they are a
gift to hackers, says Vlissidis. "Uppermost in an SME's mind is to
get a web server working, so it would be click, click and off you
go." More worrying is the growing number of people turning to NCC
Group to persuade suppliers to do the job properly.
Some companies will already be aware, to their own cost, of the
stealth of criminal hackers. Rogue diallers, delivered through
pop-up advertisements or e-mail, silently reconfigure a PC's modem
to call premium-rate numbers and have robbed dial-up customers in
the UK of more than £5m a year.
Although the threat of the outside intruder appears to be uppermost
in most SMEs' minds, the threat posed internally by staff, whether
through sloppy or malicious behaviour, goes largely
unrecognised.
Financial services companies have been among the first to tackle
the internal threat, prompted by the very high value of information
assets they deal with. For this reason, companies are looking to
use software and policies to secure, or "lock down", individual
devices, rather than rely on a centralised approach to do all the
policing.
"Because of the increase in bad behaviour among employees who are
running unsuitable programs on devices, it is becoming necessary to
secure each individual device," says Everitt.
A study of European laptop users, conducted by Dynamic Markets and
commissioned by internet filtering group Websense, confirms this
picture of internal lapses and attendant security risks.
The report found that 46% of company users allow people outside of
their work to use their laptop. A further 42% of laptop users
admitted visiting peer-to-peer sites and sites containing "adult
material" (this percentage was highest in the UK) and downloading
film, software and videos.
Despite the growing level of awareness of security vulnerabilities
across UK businesses, blind spots remain. These are predominantly
in the area of remote and home working, when staff connect to the
company's virtual private network from an unsecured home PC or link. As David Roberts,
chief executive of the Corporate IT Forum, points out, "People
working from home are not only running the risk of costing their
employer thousands of pounds by opening up spam e-mails, they are
also making themselves vulnerable to all sorts of security
risks."
Case study: cleaning up the e-mail
Gisela Graham is a designer and distributor of giftware who
works with manufacturers located in the Far East. Her company
relies heavily on e-mail communication and at the beginning of the
year calculated that one third of the e-mails it received were
either spam or infected with malicious code.
IT manager Graeme Moody had investigated outsourcing messaging
services a couple of years earlier and found it to be
"frighteningly expensive". He had installed anti-virus software on
the e-mail server, but still felt he was in the dark about the
level of contamination. Similarly he found it hard to persuade
employees not to open suspect e-mails.
Moody decided to spend £5,000 on a Sophos-based product supplied
by a Mirapoint distributor. "It acts as a front end and isolates
contamination from the e-mail server. It provides useful feedback
and it takes human curiosity out of the equation," he says.
Case study: securing remote access to data
One businessperson clued up enough to secure remote access to
the company customer database is the partner in start-up mortgage
broking company Mortgage Zone.
Michael Bartholomeusz needed remote access to his customer
database and administration systems. "People want to talk out of
hours and it was a choice of having to come into the office or
finding a technology solution," he says.
As a former risk director of a bank, Bartholomeusz knew enough
about IT to know that dialling straight into his systems from an
ADSL link would put his business data in jeopardy. "I was broadly
aware of the danger but not in detail or up-to-date," he says.
He sought the advice of his Chamber of Commerce and discovered
he needed a fixed IP address with related hardware and software
firewalls to secure access. With its start-up status, Mortgage
Zone qualified for a grant for the installation, which came in at
under £1,000.