Insecurities about security

In our final analysis of exclusive research into how small and medium-sized enterprises view and use technology Helen Beckett...

New Asset  
In our final analysis of exclusive research into how small and medium-sized enterprises view and use technology Helen Beckett looks at how they respond to threats, both real and imagined, from viruses and hackers

The internet has extended the reach of small businesses but it has also has made them vulnerable. In Computer Weekly and BT's SME Audit (a survey of companies with fewer than 500 employees about their attitudes to IT) their fears about the malignant forces roaming the internet - both real and imagined - showed up as the biggest concern shared by small and medium-sized organisations.

With 60% registering "serious concern" about the danger of hackers and viruses and a further 32% expressing "moderate concern", confidence in the community is clearly low. The Federation of Small Business confirms that scares about internet security play on the fears of naturally conservative SMEs and, in particular, that they are worried about transacting online.

"They hanker after the certainties of a world where 'my word is my bond'," says Stephen Alambritus, head of parliamentary affairs for the federation. "They want the firm handshake, the cheque in the post."

August was the busiest month on record for malicious activity: 800 new viruses were detected and the big four - Mimail, Blaster, Nachi and Sobig - all seriously compromised security of big and small firms alike.

Distinguishing between real concerns and fantasy is the first important step that SMEs must take to protect their businesses, says independent security consultant, Mike Barwise. "A lot of people refuse to do internet transactions, convinced that their credit card details will be captured in transit. The reality is that it is far more likely that the server hosting these details will be breached and that thousands of IDs can be nicked in one go."

Recent research conducted by Barwise on behalf of a local authority demonstrated that the threat from hackers was negligible but that it did need to shore up its defences against virus attacks.

Unless a company is working in the defence arena or on high profile, sensitive work, it is unlikely to be targeted by hackers, whereas viruses are far less discriminating, Barwise says. This is proved in the results of the audit, where a relatively low 32% of respondents say they are seriously concerned about the threat of data theft from their systems.

There is also confusion among SMEs about whether using open source products will increase their vulnerability to security breaches. In its report, Cyberime Security, the Computer and Communications Industry Association warned that a software monoculture is more susceptible to attacks from computer viruses, Trojans and digital pathogens.

It is well documented that security breaches to Microsoft products are the most prolific but as the most used technology in the world Microsoft Dos' exposure to attack is greater than any other product set. Despite the ubiquity of the OS, "Microsoft is immature on the server side of operation," says Barwise. "It did not start here until the mid-1990s, whereas Unix suppliers have been doing server since the year dot."

"Microsoft is not awful at writing code but a couple of its design philosophies are flawed," says Barwise. "There should be a brick wall between the desktop and the internet, but Microsoft has blurred this, for convenience."

Eddie Bleasdale, director of Netproject, an independent open source consultancy company, says there is a fundamental flaw in the design of Microsoft's operating system that compromises security. "It does not differentiate between executable code and data so when people get an attachment to an e-mail it can be a program over which they have no control. In Linux-land, an e-mail attachment is treated as data and not an executable program."

Computer security principles are, according to Barwise, as simple and straight forward as protecting your home. "People think of IT in techno-centric terms and make the mistake of protecting against specific dangers as they arise," he says.

Most people know it makes sense to invest in a solid door and a burglar alarm up front, rather than waiting for the thieves to arrive, he says.

Implementing a firewall is important because it can validate where an application is coming from and where it is going. A firewall that further validates the content of an application is a more rigorous measure but can easily double the cost of deployment, says Barwise. However, the ability to specify what constitutes a legitimate application may be deemed necessary by companies that depend solely on the web.

Good housekeeping is as important as implementing any piece of hardware or software. Businesses need to formulate and implement rigorous processes. The Sobig worm depended upon gullible punters opening an untrustworthy e-mail attachment, in order for the virus to propagate.

"That attachment was an illiterate jumble of words on an arbitrary subject. All those signs should have flagged up danger to anyone half-alert," says Barwise.

A simple precaution is to identify the file types that your business needs to receive and to block anything else from passing the firewall. E-mail filtering technologies are not new and can do this job. It is vital to stay on top of all known viruses and to download and install all new patches. This means checking security alerts on a daily basis.

"It never ceases to amaze me how many companies run operating systems that are not patched and stay vulnerable for months," says Stuart King, a senior security consultant for a blue-chip company.

Graham Cluley, senior technology consultant with Sophos, says SMEs are particularly vulnerable because they are unlikely to have a dedicated IT department, let alone a security specialist. Signing up to a third party service that takes care of patches can remove the hassle of constantly monitoring the web for new viruses.

Ultimately, ensuring the security of a company's data assets is not just a problem for IT, says King. "Managing security is basically about managing risk. It is down to the chief executive to decide what is important to the business and what needs to be protected. Similarly, there is no one thing that solves risk - it is more a case that lots of things working together can be very effective."

"We need national, standard guidelines written in plain English," to enable SMEs to apply "necessary force" to protect their business assets, says Barwise.

It is possible for the vigilant SME to be secure. Pay attention to housekeeping and keep a watchful eye rather than spending on deluxe technology. It will cost less but requires constant vigilance.

Click here for more SME features >>

Click here for Part One of the SME supplement >>

Read more on IT innovation, research and development