SMB focus: Safety in numbers

Partnering with other companies in the supply chain can help SMBs achieve a higher level of security. Helen Beckett reports


Having a bigger partner in the supply chain can be a security lifeline for the small company. As large enterprises are getting better at building robust defences for their computer systems, so the smaller company starts to look like easier prey for malware and hacker attacks.

This is a major reason why more SMBs are being targeted, according to Nick Coleman, IBM's head of security services. "Smaller companies have things of intrinsic value too, like customer databases and financial information systems, plus many are now plugged into a larger supply chain.

"When a whole supply chain is working together, large and small, then everyone becomes more aware of a risk-management approach."

Being part of a supply chain can also be a real advantage because there will be a blueprint of policies to implement and technologies to adopt, he said. "Generally SMEs welcome having a bigger partner give them a nudge, because it means they get access to free advice.

"It may relate immediately to the interface to the customer, but they can apply it to the rest of the infrastructure."

Once the conversation has started, it is a fairly easy task for a small company to put its ideas on the table and share its thinking with a partner.

The objective is to agree an appropriate level of security to be implemented relative to the risk. "It's a starting point for analysing what data a company has to protect and what the risks are," said Coleman. "Many smaller businesses I speak to have never done any risk analysis."

One of the harder aspects of security for the SMB to cope with is the rate at which threats and defensive strategies evolve. Few small companies have dedicated IT staff, let alone anyone with specialisation in security. It is all too easy for a company to buy a product, install it and forget about it.

But staying on top of the rapidly-changing security scene, including mutating viruses and the latest phase of security threat, such as spyware, is vital. "It's not unlike driving a car," said Coleman. "First there were seatbelts, then airbags, and then traffic sensors came along."

Computer and network configurations are becoming more complex for companies of all sizes and this also makes security more complicated. "The more things you do and the more complex the network gets, the more important it is to monitor the network. For example, if you open up more ports, do they need to be open all the time?"

On top of all this is the fact that "the time between discovering vulnerability and someone exploiting it is shortening year on year", Coleman said. This means that companies have to be proactive about threats to their security. Reacting to the latest bad news may be too late.

Any one of these factors is a tough call for a small, non-IT-literate company to handle by itself. Put all the risks together and they make a persuasive argument for bringing in an outside party to take care of defence.

Until recently, specialist providers focused on particular aspects of security, such as anti-virus applications. However, newer areas that also demand attention, such as countering spyware and implementing intrusion prevention, mean there is a growing trend for all of these to be bundled into a single managed service.

"Security is such an intrinsic part of any service that a sound provider will bundle it into its services, which makes it more affordable," said Coleman. "The useful thing about buying firewalls, or any security service, as part of a managed service is that it will not only be kept fully operational, but will also be monitored."

The trouble with monitoring is that it involves log analysis, which is tedious and easily overlooked. Done properly, log analysis calls for specialised tools, and if it is bought as part of a managed service, the provider has the economy of scale to do it.

Constant checking is vital because some sorts of application, such as gamesware, can turn off or disrupt installed security mechanisms, said Coleman.

"If you have a firewall installed, it's pretty essential to know if it's been turned off for any reason."
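The two checks Coleman describes, whether the firewall is still running and whether ports have been opened that did not need to be, are the kind of thing a monitoring tool pulls out of logs. The following is an added illustration, not code from the article or from IBM: it runs over a constructed, syslog-style log (the `fwd` service name, the message wording and the port allow-list are all assumptions made for this example) and reports hosts whose firewall was last seen stopped plus any rule that opened a port outside the allow-list.

```python
import re
from typing import Dict, List

# Constructed sample log lines for this example (not taken from the article).
# Format assumed: "<timestamp> <host> <source>: <message>".
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 fwd: service started
2024-03-01T08:05:12 host1 fwd: rule added allow tcp/443
2024-03-01T09:10:45 host1 fwd: rule added allow tcp/3389
2024-03-01T11:30:00 host1 fwd: service stopped
2024-03-01T11:30:07 host1 gameclient: installed
2024-03-02T08:00:00 host2 fwd: service started
"""

# Assumed allow-list: the only ports this business has agreed need to be open.
ALLOWED_PORTS = frozenset({"tcp/443", "tcp/25"})

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
RULE_RE = re.compile(r"rule added allow (\S+)")


def analyse(log_text: str, allowed_ports=ALLOWED_PORTS) -> Dict[str, List[str]]:
    """Return two findings: hosts whose firewall service was last seen stopped,
    and rules that opened a port not on the allow-list."""
    last_state: Dict[str, str] = {}      # host -> "running" | "stopped"
    unexpected_ports: List[str] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than stop monitoring
        ts, host, source, msg = m.groups()
        if source != "fwd":
            continue  # only the firewall service's own events matter here
        if msg == "service started":
            last_state[host] = "running"
        elif msg == "service stopped":
            last_state[host] = "stopped"
        else:
            rule = RULE_RE.match(msg)
            if rule and rule.group(1) not in allowed_ports:
                unexpected_ports.append(f"{host}:{rule.group(1)} at {ts}")
    return {
        "firewall_down": sorted(h for h, s in last_state.items() if s == "stopped"),
        "unexpected_ports": unexpected_ports,
    }


if __name__ == "__main__":
    for finding, items in analyse(SAMPLE_LOG).items():
        print(finding, items)
```

Run against the sample, it flags host1 as having its firewall stopped (the last event wins, so a later restart would clear it) and the tcp/3389 rule as an opening outside the agreed list.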
