Security is SMEs' biggest IT worry, according to the Computer Weekly/BT SME ICT Audit. The threat is real, but there are technological and management defences, as Helen Beckett reports
The SME nation is under siege to malicious hackers and a spate of computer viruses and trojans. This is a key finding of the latest Computer Weekly/BT SME ICT Audit, which shows that security remains the single biggest concern on the owners' radar.
Even more alarmingly, this perception of threat is found to be entirely justified: in the month before the research was conducted, 27% of SMEs surveyed had been attacked by viruses or hackers. This figure fell to 24% and 18% when the question was asked about the previous six months and one year ago respectively, so the picture is one of spiralling security breaches.
Not surprisingly, those companies without an IT department are hit the hardest.
SMEs, typically constrained by cash-flow and a lack of specialist IT knowledge, are in a tight corner in this climate of threat. "Imagine where the SME sits on this. They want to get on and use IT like a car, or any other tool. But each time they use it they think it might crash at any minute," says Peter Scargill, IT chairman of the Federation of Small Businesses (FSB).
Ben Booth, chairman of the Elite Group of the British Computer Society, has witnessed this at first hand. "Viruses are hitting smaller businesses more. They often have no infrastructure in place and are not properly prepared," he says.
Against this backdrop of escalating security threats, however, is a corresponding increase in the level of awareness, according to many experts who deal regularly with small and medium-sized companies. Businesses realise that their survival requires them to think and act.
Eric Thornes of consultancy Etanda, which specialises in internet security products for smaller companies, says that the amount of unwanted e-mail monitored by his company is four times greater than it was a year ago. But during that time it has also become cheaper and simpler to deal with the problem. "Everyone is dealing with the same problem and many people have experienced wasting a day through scraping a virus out of the bottom of a PC," says Thornes.
The first step is to get all employees to sign a policy agreement on e-mail and internet usage. After that it is a question of preventing dangerous material coming in from the outside world, whether that be e-mail virus, spam, or unsavoury content.
Equally important is detecting dodgy e-mails being sent out from within the company, which may expose an employer to legal liability, says Jamie Cowper, head of channel for EMEA at messaging security specialist Mirapoint. For example, financial services companies are not allowed to use the word "guarantee", so this can be detected and filtered out of e-mails.
Filtering and blocking boxes that sit online and dial up to the provider's control centre for virus updates and patches can be bought. For the company with between 50 and 100 employees and a generalist IT manager, this is a workable solution. "You can leave it and forget it. It only screams if you have a problem," says Cowper. Companies with no in-house knowledge or resources may decide it makes sense to outsource security instead.
Whichever method is selected, the onus to instigate protection within an SME remains firmly on the owner. "If they are not concerned then no one else is. The owner controls spending and has to protect IT. If they do not, it is money down the plughole," says Thornes. Worse still is the risk of business failure. Many companies which have a total system failure go out of business, according to the FSB.
Within the financial sector, compliance is a further driver for businesses to review their security capabilities, according to Emlyn Everitt, senior security consultant with Logicalis. "The Turnbull Report was a watershed which provided companies in the UK with guidelines about how to protect and report on controls of their financial assets," he says.
Companies which employ basic risk mitigation for SMEs by implementing firewalls, virus scanning and e-mail filtering have 80% of the ground covered. But intrusion detection is one aspect that gets overlooked, says Everitt.
This view is supported by the findings of NCC Group which, among its many activities on behalf of users provides ethical hacking, or penetration testing services. Almost half the systems NCC Group tests for customers can be broken into from the internet. And given that companies seeking advice have, by default, a greater level of awareness, this figure represents an optimistic picture.
"It probably gets a lot worse when you consider the SME community," says Paul Vlissidis, head of penetration testing at NCC Group.
Although SMEs are not an obvious target of the "script kiddies", they are certainly within the sights of a new wave of computer criminals. These hackers are not interested in breaking into them as a business but in hijacking computers to launch attacks against big business, says Vlissidis. NCC Group has received calls from customers who have been accused of attacking a site and had no idea they were being used as a "firebase" by a criminal hacker.
Web servers were traditionally the easy route into a company for a hacker. Installed out-of-the-box and without the necessary "hardening" or configuration that makes them secure, they are a gift to hackers, says Vlissidis. "Uppermost in an SME's mind is to get a web server working, so it would be click, click and off you go." More worrying is the growing number of people turning to NCC Group to persuade suppliers to do the job properly.
Some companies will already be aware to their own cost of the stealth of criminal hackers. Rogue diallers have robbed dial-up customers in the UK of more than £5m a year by installing virus software on a computer either through pop-up advertisements or e-mail.
Although the threat of the outside intruder appears to be uppermost in most SMEs' minds, the threat posed internally by staff, whether through sloppy or malicious behaviour, goes largely unrecognised.
Financial services companies have been among the first to tackle the internal threat, prompted by the very high value of information assets they deal with. For this reason, companies are looking to use software and policies to secure, or "lock down", individual devices, rather than rely on a centralised approach to do all the policing.
"Because of the increase in bad behaviour among employees who are running unsuitable programs on devices, it is becoming necessary to secure each individual device," says Everitt.
A study of European laptop users, conducted by Dynamic Markets and commissioned by internet filtering group Websense, confirms this picture of internal lapses and attendant security risks.
The report found that 46% of company users allow people outside of their work to use their laptop. A further 42% of laptop users admitted visiting peer-to-peer sites and sites containing "adult material" (this percentage was highest in the UK) and downloading film, software and videos.
Despite the growing level of awareness of security vulnerabilities across UK businesses, blind spots remain. These are predominantly in the area of remote and home working, when staff dial into a virtual private network from an unsecured link. As David Roberts, chief executive of the Corporate IT Forum, points out, "People working from home are not only running the risk of costing their employer thousands of pounds by opening up spam e-mails, they are also making themselves vulnerable to all sorts of security risks."
Case study: cleaning up the e-mail
Gisela Graham is a designer and distributor of giftware who works with manufacturers located in the Far East. Her company relies heavily on e-mail communication and at the beginning of the year calculated that one third of the e-mails it received were either spam or infected with malicious code.
IT manager Graeme Moody had investigated outsourcing messaging services a couple of years earlier and found it to be "frighteningly expensive". He had installed anti-virus software on the e-mail server, but still felt he was in the dark about the level of contamination. Similarly he found it hard to persuade employees not to open suspect e-mails.
Moody decided to spend £5,000 on a Sophos-based product from Mirapoint distributors. "It acts as a front end and isolates contamination from the e-mail server. It provides useful feedback and it takes human curiosity out of the equation," he says.
Case study: securing remote access to data
One businessperson clued up enough to secure remote access to the company customer database is the partner in start-up mortgage broking company Mortgage Zone.
Michael Bartholomeusz needed remote access to his customer database and administration systems. "People want to talk out of hours and it was a choice of having to come into the office or finding a technology solution," he says.
As a former risk director of a bank, Bartholomeusz knew enough about IT to know that dialling straight into his systems from an ADSL link would put his business data in jeopardy. "I was broadly aware of the danger but not in detail or up-to-date," he says.
He sought the advice of his Chamber of Commerce and discovered he needed a fixed IP address with related hardware and software firewalls to secure access. With its start-up status, Mortgage Zone qualified for a grant for the installation, which came in at under £1,000.