Navigating the black hole of small business security

Recent publicity around security breaches affecting large businesses and government departments, and the educational efforts of the infosecurity community, mean that SMEs are hardly the security black holes they used to be.
Ivan O'Brien, Ernst & Young
Peter Wood, First Base Technologies
When compared with larger firms, Ernst & Young’s O’Brien says, smaller businesses are more likely to close up shop after suffering a data breach.

Smaller businesses are as vulnerable as their larger counterparts to information security breaches. Yet smaller firms lack the expertise and resources to deal effectively with infosecurity threats.

Like all items of received wisdom, this statement contains a grain of truth. But it also masks a more complicated, real-world situation.

Just as there are enterprises that have failed to take adequate control of data security, there are SMEs with a highly developed and effective understanding of the problem. Often the difference lies in their approaches, rather than their objectives.

There is no doubt that smaller businesses are at risk from information security breaches. A survey carried out earlier this year by PricewaterhouseCoopers (PwC), the consultancy firm, found that 74% of smaller companies had suffered an information security attack. When PwC last surveyed the sector, in 2008, only 35% of firms said they had suffered a breach.

But whilst large-scale threat monitoring research shows risks continue to increase, they have not doubled in two years.

Data from IBM’s X-Force mid-year trend and risk report shows that although disclosed information security vulnerabilities reached their highest-ever level in 2010 – around 4400, against just over 3000 in 2009 – there was actually a fall in reported vulnerabilities between 2008 and 2009. Other research into information security threats suggests a similar pattern: the threat level continues to grow, but at a fairly steady pace.

What almost all industry observers agree on, however, is that SMEs in particular are much more aware of information security threats, and are much more likely to monitor threats and report on them.

There is evidence, too, that SMEs are becoming more aware of the risks posed by information or data loss, as well as of more conventional malware threats. PwC, for example, found that three-quarters of smaller companies now have a policy for assessing security risks, against just 48% in 2008.

Rising awareness

This growing awareness is one of the most significant changes in SME security over the last few years, according to Steve Durbin, vice president at the Information Security Forum (ISF).

“SMEs are becoming more aware of their responsibilities”, he says. “Generally speaking, levels of awareness have risen of late, driven by high-profile security breaches.”

The way that awareness translates into specific actions to safeguard information security varies enormously, however.

At one level, smaller businesses are now quite well protected. Operating systems, especially Microsoft Windows, which is the mainstay of most smaller firms, have been “hardened” against many of the most common security threats, especially computer viruses and intrusions from the outside. At the micro to small end of the business spectrum, there are also several highly competent – and free – options to defend against malware.

“With Windows, you can use the Windows Firewall and Defender, and for many companies that might be adequate”, says Peter Wood, a committee member at ISACA, the Information Systems Audit and Control Association, and CEO of security vendor First Base Technologies. “But smaller businesses are often programmed to buy a silver bullet.”
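Whether the built-in protections Wood mentions are actually switched on is a question a small firm can answer in a minute. The following PowerShell check is an added example, not code from the article or from any of the vendors quoted; it assumes a Windows 10/11 or Windows Server 2016+ host run from an elevated session with the NetSecurity and Defender modules available, and treats a firewall profile whose default inbound action is NotConfigured as blocking (the Windows default).

```powershell
# Added example (not from the article): confirm that Windows Firewall and
# Microsoft Defender, the "adequate for many companies" baseline, are on.
# Assumptions: Windows 10/11 or Server 2016+, elevated PowerShell session,
# NetSecurity and Defender modules present. Signature-age threshold is arbitrary.

function Test-BaselineProtection {
    $findings = @()

    # Windows Firewall: every profile (Domain, Private, Public) should be
    # enabled and should not allow unsolicited inbound connections by default.
    # NotConfigured falls back to Block, so only an explicit Allow is flagged.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ("$($fwProfile.Enabled)" -ne 'True') {
            $findings += "Firewall profile '$($fwProfile.Name)' is disabled"
        }
        if ("$($fwProfile.DefaultInboundAction)" -eq 'Allow') {
            $findings += "Firewall profile '$($fwProfile.Name)' allows inbound connections by default"
        }
    }

    # Microsoft Defender: engine and real-time protection on, signatures fresh.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        $findings += 'Defender antivirus is disabled'
    }
    if (-not $status.RealTimeProtectionEnabled) {
        $findings += 'Defender real-time protection is off'
    }
    if ($status.AntivirusSignatureAge -gt 3) {
        $findings += "Defender signatures are $($status.AntivirusSignatureAge) days old"
    }

    if ($findings.Count -eq 0) {
        Write-Output 'OK: firewall enabled on all profiles, Defender active with current signatures'
    }
    else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
    return $findings
}

Test-BaselineProtection
```

Run it on each workstation, or push it through a scheduled task, and any warning it prints is a configuration drift worth chasing before buying a further product on top.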

Some IT vendors have specific security products targeted at smaller companies. In addition, there is a trend towards SME-friendly security suites, and also for hardware appliances and remotely managed services.

In the case of appliances, the vendor, or more likely, their reseller or partner, can manage the security system remotely, applying updates and upgrades, as well as setting policies, as they are needed. For remote services – security as a service – businesses route their internet traffic through third-party servers that provide a connection free of viruses and other malware.

The difficulty, Wood suggests, is for companies to know which of these services they need, and which providers offer both reliability and value. “SMEs often have little idea of where to focus their efforts on security, and there is a tendency to put trust in providers that is not always founded”, he says.

This means that, in practice, companies need to retain at least a basic level of security expertise, or buy it in. They also need to ensure an understanding of information security issues across their employee base.

“The key is multi-tier protection, which we or any vendor can provide”, says Ross Walker, Symantec’s UK director for small and mid-sized business. “But you need to educate people in the basic principles. Companies insure their business and their property, but not their data.”

Dealing with data loss

Data loss – and how to prevent it – is moving quickly up the agenda for SMEs. Whilst it might have been true two or three years ago that most smaller organisations had little interest in data loss prevention, that is no longer the case.

Companies that supply larger businesses, or those working in regulated industries such as financial services and healthcare, are increasingly being asked to comply with strict data loss prevention policies by their clients. They are also being subjected to more checks and controls, including full audits.

Business managers are also becoming more aware of the value of their own data, especially intellectual property and material, such as customer databases. “In recent times, larger companies have strengthened their security, and so we are seeing a shift by attackers to focus on smaller businesses”, says Ivan O’Brien, a director in Ernst & Young’s IT advisory team. “Smaller companies are that much more likely to go out of business, if they suffer a breach, than larger firms.”

Fortunately for SMEs, data loss prevention should be more about policies than (expensive) products. Free or low-cost tools for encrypting removable drives or USB sticks are now widely available, but policies that cover who should access information, where, and on what type of device can be as effective in reducing losses. “The simple way to look at it is to understand where the information resides”, says O’Brien. “Then it is a question of setting policies, and that is easy to tackle.”

Some companies have created simple information security policies for inclusion in staff handbooks or, more often, on intranets. For companies that need to comply with external data protection rules, the use of an external consultant to draft such policies, even for a few days, can be cost effective and help assure customers that the issue is being taken seriously.

For firms handling more sensitive data, whether it’s their own IP or data about customers, adopting a standard such as ISO 27001 can bring dividends. Wood describes 27001 as a useful “holistic standard” that a smaller firm could work through for under £10 000 in consulting fees, but which covers the gamut of security issues from data loss to who has physical access to company premises. He cautions, however, that such systems will only work if they have the full support of the company’s management.

Treating information as an asset

In some smaller companies, moving to an environment where security is part of day-to-day thinking will mean a culture change. For IT and infosecurity professionals, it means moving from viewing security as a perimeter that needs to be defended, to thinking about information as an asset that needs to be protected.

“Large and small companies need to protect their assets. They need to maintain the integrity of personal data and of their intellectual capital”, says Nick Coleman, head of security services for IBM UK. “Where the security measures will differ, is in how they are implemented and deployed… companies need to look at what they want to do, and understand their risk appetite.”

Understanding risk need not be a bureaucratic or complex process for smaller companies, but it does need to be thought through. By looking at information as an asset, a business can start to form an understanding of the impact of losing that asset – either on their own direct operations or on their customers and their reputation – and then allocate resources to protect it.

“You should look at the areas you can afford to be without, and at those that need the most attention”, says Durbin at the ISF. “Nobody has unlimited amounts of cash for security. One issue is certainly that SMEs don’t have the levels of staff or resources as larger companies, but as a result they are often that much more savvy about where to put their resources. Do what is critically important first.”

“There are differences in the levels of threats they are guarding against and in the assets they are protecting, but I would not say smaller companies are worse at information security”, says Nick Seaver, a partner in Deloitte’s Information & Technology Risk practice. “I have been fairly surprised at how smaller firms ‘get’ security.”

It is also the case, Seaver adds, that some of the more complicated systems for intrusion detection, or identity and access management, simply will not be relevant to smaller companies. There is little point in installing a comprehensive IDS if nobody has time to review the logs, or IAM if everyone knows who is joining and leaving the company.

For information security professionals, this means it is vital to take the time to understand an SME’s real information security requirements, in light of the assets they are protecting and their business processes. In some cases, outsourcing security processes will help smaller firms stretch their budgets, and expertise, further.

SMEs do, of course, face risks. Sophisticated social engineering attacks can be devastating to businesses that rely on a small number of key staff, as can attacks on websites, which can damage reputations. Experts such as Coleman and O’Brien warn that as businesses move to the cloud for IT services, they will need to address a new set of security requirements.

Perhaps because of the recent publicity around security breaches affecting large businesses and government departments, or perhaps because of the educational efforts of the infosecurity community over the last couple of years, SMEs are certainly not the security black hole some observers think they are.
