Feature: SMBs ignore IT security at their peril

Wednesday 13 March 2013

The internet has been a huge game-changer for small and medium-sized businesses (SMBs) in many ways. The digital revolution means such companies are able to compete on a more level playing-field with larger rivals, and target consumers across a broad geographic area. SMBs can source previously unaffordable technology solutions in the cloud, advertise cheaply using email and social media, and target new markets through e-commerce channels.

But the use of the internet also presents risks for SMBs - particularly where IT security is concerned. Historically, small companies have not always been the best at safeguarding their systems from external attack - whether through a lack of knowledge, complacency or plain neglect. As more and more functions move online, and SMBs seek to fully harness the power of the web, it is becoming ever-more crucial to put the necessary safeguards in place.

Fraudsters targeting SMBs

The fact that more SMBs are operating online is not lost on the criminal underworld - and nor is the fact that many firms are leaving their systems and data badly exposed. In an anonymous interview with the BBC last year, one hacker described small businesses as "fair game", noting that where they have something of value to offer, fraudsters are always likely to target them.

Ross Walker, director of small business at Symantec, echoed this sentiment, noting that hackers are going after "low hanging fruits" - companies which are less security-aware and do not have the proper safeguards in place. "They are increasingly targeting smaller, softer, less reactive targets since these provide a lower-risk alternative to financial institutions," he noted.

Many SMBs have valuable data

Professor Alan Woodward, from the University of Surrey's Department of Computing, suggested that an air of complacency may be a problem for many SMBs. "They may not think they have any data worth stealing but even the smallest company can be custodian to information that represents hard cash to criminal gangs," he told the BBC. Valuable data includes credit card details, customers' names and addresses and intellectual property, he noted.

"There is a tendency to assume this is an issue only for the larger enterprises; household names that we think of as the powerhouse of our economy," Professor Woodward stated. However, he told the news provider that this is "a dangerous mistake to make". "There is mounting evidence that SMBs could be our Achilles heel when it comes to cyber-security," the expert warned. "And, it is these businesses which are the foundations upon which our economy rests - destabilise them and everything else comes crashing down."

Failure to take precautions

According to Professor Woodward, as many as three in five SMBs have been subjected to a malware attack in the past 12 months. And in many cases, not even the basic security defences were in place - such as firewalls and anti-virus software. This means systems were left vulnerable to malicious software which can be used to steal confidential information - and potentially money as well.

The expert said it is understandable that security may not be an SMB leader's main priority, given the many and varied tasks they face on a day-to-day basis. Professor Woodward noted that the vast majority of company bosses are entrepreneurs, not tech specialists.

"Money is always tight and there is a natural dynamic tension between need and cost," he noted. "You can see which way the tension is tending when you read in the same surveys that nearly 20 per cent of small businesses only concern themselves with cyber-security following an intrusion. More worrying still, one report indicates that ten per cent of small businesses would have no way of knowing if they had been successfully attacked."

Taking the necessary action

Yet many SMBs will have been using the internet for over a decade, so there is little excuse for not having at least some understanding of the key IT security issues. Viruses, malware and hacker attacks are not a new issue - they have been around for a generation or more. Almost anyone with even rudimentary IT skills should have at least a basic conception of the risks and the need to put security defences in place. A failure to do so could almost be deemed negligent in many cases.

"Sadly the perception is that it will 'never happen to me' so smaller businesses put off what they see as a significant expense for what they see as a very remote eventuality," Professor Woodward warned. He said that in some cases, SMBs may even be tempted to use unlicensed security software or 'free' versions to avoid paying for IT security software - and this could be worse than being unprotected.
Such software may be the vehicle used to carry malware onto an SMB's systems. "You should use 'free' software only if you are sure it is from a reputable company, and that the company which built it provides it directly," Professor Woodward urged.

Where SMBs lack understanding of IT security risks, or how to counter these using technology and people processes, it may be advantageous to consult a specialist partner. Microsoft Security Essentials helps guard against viruses, spyware and other malicious software, providing real-time protection for home and small business PCs. Microsoft customers can download the solution for free. The solution - designed to be simple to install and easy to use - runs quietly and efficiently in the background, receiving automatic updates.

Posted by Alex Boardman