SMEs often lack effective IT security

Smaller businesses are complacent about security, relying on misguided statistics and a 'shoal' mentality, but this is something the vendor can help them readdress. Billy MacInnes reports

Many businesses see advantages in being small; they are quicker to react, less bureaucratic and have flatter structures. And quite a few believe that being small is a benefit when it comes to IT security.

Smaller businesses present less of a target for ne’er-do-wells and they are less likely to get noticed in the first place. There has been comfort in the belief that many small businesses are not worth the effort for cyber criminals or that there are so many of them that the odds of being singled out for attack are very small.

Symantec’s latest Security Threat Report may help disabuse many of this notion. The report revealed a threefold increase in targeted attacks on small and medium-sized enterprises (SMEs) over 2011. Symantec found that 31% of all targeted attacks were directed at companies with 250 employees or fewer.

Why has there been such a dramatic increase in attacks on SMEs?

According to Symantec, one of the main reasons is that small businesses “often lack adequate security practices and infrastructure”.

It also suggests small business websites are being compromised by cyber criminals and used to “launch massive cyber attacks” and ‘watering hole’ attacks (where an attacker exploits the weak security of one business to get around the stronger security of another business).

False sense of security

Both of the reasons advanced by Symantec for an increase in attacks on SMEs are the result of the lack of adequate security practices and infrastructure in their operations. Ironically, this has probably been caused by the belief they were less likely to be attacked than their larger counterparts.

Symantec also suggests SMEs are likely to become the target of other techniques which, at present, are mainly being used to attack large enterprises and government organisations, such as zero-day exploits.

Many people operating within the IT security environment are convinced SMEs need to snap out of their complacency.

“Many believe criminals have better things to do than focus their attention on small firms when there are wealthy enterprises and countries to target,” says Matthew Robinson, B2B UK sales and marketing director at Kaspersky Labs.

“As large enterprises build stronger digital security fortresses around their data, internal and external monitoring becomes more vigilant and punishments become more severe. Criminals and others with malicious intent are turning their attention towards the smaller firms.”

Ian Kilpatrick, chairman at Wick Hill Group, makes a similar point. “SMEs are identical in operation to enterprises, just without the skilled in-house security staff,” he says. “Therefore, they are typically more vulnerable than their larger cousins, just potentially worth less, individually, to an attacker.”

The good news, as Kilpatrick sees it, is that the attack profile is behind the curve compared with enterprises. The bad news is that “since attack tools are readily available to buy (with online support services), or rent, the cost and skill barriers for criminals are pretty minimal”

It does not help that many SMEs do not have a threat announcement awareness or patching and update regime,“so they are at risk of every new vulnerability, and in many cases old and very old vulnerabilities,” says Kilpatrick.

The “shoal” mentality among SMEs – “who would want to attack me when there are so many others?” – can be a problem too.

Nikki Stenson, SME security expert at McAfee UK, says many SMEs “lack the time, budget and expertise to coordinate an effective security solution”.

They also have a simplified notion of their network security risk which believes running up-to-date antivirus software means the business is secure. “Far from it,” warns Stenson.

Giving up the day job

A lack of expertise or resources to manage security is serious for SMEs. “If a problem hits, it usually means someone has to put their day job on hold while they sort it out,” says Neil Gardner, development and operations manager at ALVEA Services. “Aside from the implications of the attack, this can be disruptive. Traditional on-premise security technologies are effective but like any point solution, need managing. When resources are scarce, this may not be the best option for some SMEs.”

Chris Walsh, channel sales manager for Fortinet, says that while large enterprises will have a team of people looking after their IT security, SMEs might have one or two people that “at times can be responsible not only for the security practice but the entire infrastructure, so while I am sure security is at the forefront of their minds it is by no means the only ‘top priority’ they have”.

Robinson at Kaspersky agrees that smaller firms are more vulnerable because they lack the IT expertise and resources to understand and address security issues.

He cites research conducted on behalf of Kaspersky which found 56% of SMEs have been affected by viruses, worms, Trojans, spyware and other malicious programmes: 60% had experienced spam; 44% had been hit by phishing attacks; 24% were affected by denial of service (DoS) attacks; and 28% were victims of unwanted network intrusion.

The SME as a stepping stone

Many IT security industry luminaries say that SMEs are often attacked because of their links to, or work with, higher value target organisations in their supply chain.

James Walker, senior marketing architect at Trend Micro, warns that cyber criminals are likely to target them because they “will always look for the weakest link in the chain”.

Terry Greer-King, UK managing director at Check Point, agrees that an SME “may be targeted as a stepping stone from which to attack another company” citing the Global Payments card processor breach in 2012, which affected hundreds of thousands of Visa and Mastercard holders.

“The smaller company was holding valuable assets that would have been harder to obtain from the larger company,” Greer-King says.

What is clear, given the state of most SMEs’ IT security, is that there is a very strong role (and opportunity) for channel partners to help them improve their defences.

“The opportunities for resellers are significant,” Kilpatrick says. “The challenge is to get attention and budget. All businesses run on risk and risk assessment, so the first thing to do is to discuss risk areas and priorities.”

He highlights unified threat management (UTM) appliances as an area of low-cost, high-gain for SMEs. They can replace older firewall appliances with devices that cover multiple threats with a single management console and provide constantly updated perimeter protection against new vulnerabilities that have not been patched. Two-factor authentication is another good area.

Tom Turner, vice-president for business partners at IBM Security Systems, says that SMEs are being bombarded with a dizzying array of security products and technologies and they need to ask themselves which ones make sense and how they can be used to the best in their operations. More so than in any other technology segment, security channel partners are the key to helping SMEs arrive at the right decision. “Not only are they current on the latest threats and not just the ones highlighted in the media, but they are also aware of the best practices that can resolve them,” Turner says.

Once the best practice approach has been decided, the channel partner’s expertise is necessary to represent which solutions exist in the market to align with those practices, he adds. “Once a technology is decided, the channel partner can serve its most important role: integration. The reason you integrate security technologies is to make the sum of the parts more accurate and their combined operation more efficient and cost effective. Given the operational constraints of SMEs, this is the ultimate value of the solutions they select and the partner they choose to work with.”

For Turner, the right SME security partner “provides the dual role of industry solution expert and technology integrator to get SMEs to the more secure operating model they need”.

Greer-King at Check Point agrees that VARs can help SMEs identify areas of risk and how to mitigate them.

“It’s a good opportunity to introduce cloud security services too,” Greer-Kings adds. “As security threats get more sophisticated and ever more frequent, even the best equipped security teams have to stay ahead of the curve. Cloud security offerings take a lot of the burden away, especially when they are delivered by established security vendors.”

Resellers can be the ‘experts’

Walker at Trend Micro believes there is an opportunity for channel partners to help SMEs by offering security as a managed service. “Channel players become the experts for an SME, managing and analysing detection results and keeping customers free from targeted attacks and advanced malware.”

And he makes the point that if SMEs work with large enterprises they are often “contractually required to be as secure as the large enterprise. Without the channel, this is not possible for an SME”.

Gardner at ALVEA Services agrees that managed security services are “a great alternative” that provide expert knowledge, additional resource and flexible payment methods. They present a great opportunity for resellers “to stay close to customers by offering consultancy to ensure the provision of the right level of protection for the business”.

But he cautions that resellers should offer a choice of on-premise and managed services to meet SMEs’ “wildly varying needs. What brings them together is wanting peace of mind when it comes to security. Ensuring that SMEs are able to select the best and most robust solution for their business helps to achieve this”.

The consensus appears to be that channel partners are very well-placed to help SMEs get to grips with their IT security issues.

“Trusted channel partners need to take the lead in advising SMEs on the full scope of threats attacking businesses today,” says Stenson at McAfee. “The channel is best-placed to educate SMEs about multi-layered security solutions specifically designed for their size of organisation – such as cloud-based offerings – that can be tailored to specific needs and environments. Providing advice, support and SaaS solutions will not only secure smaller businesses from malicious threats, but also secure ongoing consultancy and management fees for the channel.”

But Jon Towers, director at Grant McGregor, warns that while everyone acknowledges the role channel partners can play, there’s a little bit more to it than that.

“The greatest help channel resellers and vendors can offer SMEs is to be honest and appropriate with their security advice,” he says.

They need to start by ensuring the basics are covered before working out which areas are most vulnerable and present the greatest risk to the SME before seeking the appropriate means or solutions to cover them. By balancing risks and solutions, channel partners can ensure an SME’s money is spent where it is needed most. “IT security has to be prioritised more tightly for SMEs,” he argues, “and the scrutiny focused on the weaker but also most dangerous areas.”

Robinson at Kaspersky says resellers should also cater to SME customers looking to take advantage of areas like BYOD and the cloud. It’s no longer an issue of resellers “selling some universal hardware or software kit that will meet ‘most’ requirements. It’s about getting under the skin of each individual customer and offering expert knowledge on one or more of the new technologies they are looking to introduce, whether that is mobile device management, the cloud or virtual IT environments, or any combination of these”.

Wick Hill Group’s Kilpatrick agrees it is important to be aware of the tendency of SMEs to “increment their own risk profile by making business changes without considering the security implications in advance”. He cites wireless and mobility as two examples “where security has not been the upfront consideration”.

There are many security issues that SMEs need to be aware of and channel partners can play a strong role in helping to address them. But SMEs have to be prepared to let them. As Kilpatrick puts it, very bluntly: “The biggest single issue is [SMEs] giving a damn.”

Read more on Security Network Services