These companies often poorly manage and spend too little on security, expert says
Danny Bradbury
Sun
Only one thing is more frightening than opening your e-mail client and finding all of your important e-mails and contacts have been erased by a hacker: opening up your e-mail client, finding all your e-mails still there, but being unsure whether they have been read by an intruder.
Small businesses are prone to security breaches because of poorly managed security, says Stu Sjouwerman, chief operating officer of Sunbelt Software, which builds anti-spam and anti-spyware software.
“Large corporations spend a lot of time securing their networks and it becomes harder for hackers to get into large organizations,” he says. “So instead of using a bigger hammer and taking more time and resources to break into large companies, they just go for smaller targets.”
According to analysts and vendors alike, small and medium enterprises (SMEs) have a history of under-spending on IT security. “Often, a single person is responsible for a number of IT functions, where security is only one function of the greater IT whole,” warns Craig Andrews, a director at Symantec Canada. More often than not, small businesses are fully aware of the problem. It is a lack of money, rather than a lack of awareness, that is the key issue, argues James Quinn, senior research analyst with Info-Tech Research.
Traditionally, businesses in general spend between two and 10 per cent of their total IT budget on security, says Quinn. “Given the cost of IT security solutions, small businesses almost need to spend toward that upper limit to be able to implement effective security regardless of the business sector in which they find themselves,” he warns.
“If the security capabilities of Microsoft’s operating systems and applications was sufficient, they wouldn’t have released Live OneCare, their own bundled anti-malware solution,” Quinn says. OneCare is a security system from Microsoft that monitors a PC for viruses and Trojan horses, for example. It connects to a back-end computer to ensure its information about virus hazards is up to date.
Like other anti-virus systems, OneCare relies heavily on information stored in online computers to work, and customers must pay a regular subscription fee to keep the system functioning. Companies increasingly are moving security services online using a concept called managed services. By installing minimal or no software on a small business’s computers — but instead running everything on computers operated by somebody else — it reduces the level of in-house expertise needed.
Another advantage is that, at least in the short to mid-term, managed services come cheaper than businesses buying and installing their own software. Often, these services will be paid for on a subscription basis, which can help to regulate the cost of security. Small businesses tend to like regular, predictable costs rather than occasional ad hoc expenditures that are more difficult to organize financially.
However, not everyone believes that managed services are a silver bullet. “The services may be offered more cheaply than were the SME to implement the capability themselves, but is it a service that is absolutely essential?” Quinn asks.
“Before rushing into sweeping managed service contracts the [small business owner] really has to ask if the service is needed.” Many of the very basic services, such as firewall and anti-virus protection, may be best managed in-house because the company is simply installing software and making a few basic configurations.
Even when the company has invested in security programs, there may still be one piece of the puzzle missing. Small businesses must bring their people up to speed, so they build security into everything they do, Sunbelt’s Sjouwerman says.
“There is definitely a task in educating the users in what and what not to do, and user education is at least 50 per cent of the work,” he says. “They must learn not to browse suspect sites at work, download anything from the Web, or open any attachment that they are not expecting.”
Often, the best way to get the message across is in regular team meetings. “You just have to hammer it in. Over, and over again.”
© The Vancouver Sun 2006
