Partnering with other companies in the supply chain can
help SMBs achieve a higher level of security. Helen
Beckett reports

Having a bigger partner in the supply chain can be a security
lifeline for the small company. As large enterprises are getting
better at building robust defences for their computer systems, so
the smaller company starts to look like easier prey for malware and
hacker attacks.
This is a major reason why more SMBs are being targeted,
according to Nick Coleman, IBM's head of security services.
"Smaller companies have things of intrinsic value too, like
customer databases and financial information systems, plus many are
now plugged into a larger supply chain.
"When a whole supply chain is working together, large and small,
then everyone becomes more aware of a risk-management
approach."
Being part of a supply chain can also be a real advantage
because there will be a blueprint of policies to implement and
technologies to adopt, he said. "Generally SMEs welcome having a
bigger partner give them a nudge, because it means they get access
to free advice.
"It may relate immediately to the interface to the customer, but
they can apply it to the rest of the infrastructure."
Once the conversation has started, it is a fairly easy task for
a small company to put its ideas on the table and share its
thinking with a partner.
The objective is to agree an appropriate level of security to be
implemented relative to the risk. "It's a starting point for
analysing what data a company has to protect and what the risks
are," said Coleman. "Many smaller businesses I speak to have never
done any risk analysis."
One of the harder aspects of security for the SMB to cope with
is the rate at which threats and defensive strategies evolve. Few
small companies have dedicated IT staff, let alone anyone with
specialisation in security. It is all too easy for a company to buy
a product, install it and forget about it.
But staying on top of the rapidly changing security scene,
including mutating viruses and the latest phase of security threat,
such as spyware, is vital. "It's not unlike driving a car," said
Coleman. "First there were seatbelts, then airbags, and then
traffic sensors came along."
Computer and network configurations are becoming more complex
for companies of all sizes and this also makes security more
complicated. "The more things you do and the more complex the
network gets, the more important it is to monitor the network. For
example, if you open up more ports, do they need to be open all the
time?"
On top of all this is the fact that "the time between
discovering a vulnerability and someone exploiting it is shortening
year on year", Coleman said. This means that companies have to be
proactive about threats to their security. Reacting to the latest
bad news may be too late.
Any one of these factors is a tough call for the small,
non-IT-literate company to handle by itself. Put all the risks together
and it makes for a persuasive argument to bring in an outside party
to take care of defence.
Until recently, specialist providers focused on particular
aspects of security, such as anti-virus applications. However,
other fresh areas that are calling for attention, such as
countering spyware and implementing intrusion prevention, mean
there is a growing trend for all these areas of security to be
bundled into one managed service.
"Security is such an intrinsic part of any service that a sound
provider will bundle it into its services, which makes it more
affordable," said Coleman. "The useful thing about buying
firewalls, or any security service, as part of a managed service is
that it will not only be kept fully operational, but will also be
monitored."
The trouble with monitoring is that it involves log analysis,
which is boring and easily overlooked. If done correctly, log
analysis calls for specialised tools, and if it is purchased as
part of a managed service, the provider will have the economy of
scale to do it.
Constant checking is vital because some sorts of application,
such as gamesware, can turn off or disrupt installed security
mechanisms, said Coleman.
"If you have a firewall installed, it's pretty essential to know
if it's been turned off for any reason."