How To Sell: SMEs - Playing IT safe

Small companies are notoriously slow to implement security, but with vendors delivering a wide range of SME-focused products, the prospects for reaching them are improving. Ken Young reports in part three of our five-part guide.

There is little doubt that good IT security is high on the list of priorities for many businesses.

The latest security warnings about Microsoft software have reinforced the idea that no individual or business is safe from attack, even if users have spent good money on what they believed was secure software.

Hacking, viruses, spam, system crashes and data theft also give SMEs plenty to worry about.

The sheer scope of potential damage gives any small business serious cause for alarm. The last big virus, MyDoom, was the fastest-spreading email virus yet seen, with a reported one in every 12 emails carrying the MyDoom code.

Symantec's recent Internet Security Threat Report revealed that discoveries of new software vulnerabilities continue to soar; more than 1,400 new ones were found in the six months starting January 2003.

For the security industry, SMEs are therefore an enormous market opportunity. They are in need of help and keen to buy products and services that simplify what is becoming a growing problem.

But despite the potential of what has been hyped as the new gold rush, some resellers are wary of a sector that can be a complex sale for those with limited experience of antivirus software, firewalls, virtual private networks (VPNs), access control, authentication, patch management and encryption products.

Not surprisingly, the specialised security distributors - Allasso (now part of InTechnology), Unipalm, Wick Hill, equIP, e92plus and the more recently arrived International Software Partner Distribution - are the first port of call for many.

Gartner predicts that the main focus this year will be on security infrastructure and identity access management. In response to the damaging worm and virus outbreaks of 2003, scan-and-block technologies will become a standard of local area network management, it says.

But firewalls are expected to remain the primary means of detecting unusual network behaviour.

Gartner expects more interest in so-called 'deep packet' intrusion-prevention technologies that can block malicious traffic, rather than report it after the event. These are expected ultimately to replace firewalls and network intrusion detection systems.

The analyst also predicts more emphasis on internal issues, such as administration, authentication and authorisation of staff, customers, partners and supply chain participants.

Growing market for security appliances

Perhaps the fastest-growing area of the SME security market is the security appliance (sometimes called an 'integrated' device), typically a firewall, containing a wide range of security functions.

A recent report by researcher IDC concluded that SMEs see appliances as an easy way to meet security requirements without adding network complexity and administrative overheads.

IDC reports Europe leading security appliance sales, with 25.8 per cent of worldwide revenue for the sector. The organisation believes the firewall/VPN market has reached maturity, accounting for 85 per cent of all security appliances shipped.

The intrusion detection software appliance market is still immature, according to IDC, but showing triple-digit growth.

Meanwhile, Datamonitor says that increasing security awareness among SMEs is driving demand for Secure Sockets Layer VPNs. The analyst says the market for these will grow at a rate of 74 per cent a year over the next three years.

But the reality for many in the channel is that the average SME is at the beginning of a long growth curve in understanding and managing security risk.

Bob Jones, managing director of vendor Equiinet, reflects the views of many industry experts. "Most SMEs already have an email system and some basic protection, usually a firewall," he says.

"The opportunity for resellers is to sell additional and complementary security solutions to control viruses in emails and downloads, and limit the time-wasting effect of spam and casual browsing."

Most SMEs want something that is easy to install. Carole Theriault, security consultant at Sophos, offers the following advice to resellers: "Let SMEs try out software for a week or so. They need something that is automated and self-regulating, but if it falls over they can be given help.

"High-profile SMEs now know that they can't hide. These viruses are indiscriminate and SMEs have to cope without a dedicated IT or security guy."

Sophos estimates that there are 87,000 viruses and that more than half of email is spam. Theriault believes the key to gaining customer trust is to take the role of the educator.

"You have to explain to them that staff must be educated and that it isn't a simple matter keeping up with recent developments," she says.

Sophos emails free virus update notifications daily to help increase general awareness.

Trend Micro recently unveiled its Network VirusWall 1200, an appliance designed to detect and block threats from inside a company network. Trend claims traditional signature-based virus filtering may no longer be enough to provide protection against worms.

The company is responding to the evolution of viruses from application-based executables in email attachments to network worms that propagate through network shares, system backdoors and unpatched machines.

SurfControl, meanwhile, says firms should be encouraged to set different security policies for different company departments. It provides an online Filtering Audit tool to help resellers guide customers wanting to do this.

The security firm has been expanding its reseller base, having reported a lift in sales since it dropped its direct model.

While a wide range of spam-blocking filters is already available, there will be interest in how Microsoft initiatives such as Caller ID email, which challenges the sender's authenticity, and the new Windows Security Centre will affect the market as a whole.

Cashing in on disaster recovery

The good news for resellers focusing on disaster recovery is that many SMEs currently put it pretty low on their list of priorities.

A PwC security report in February found that 60 per cent of firms suffered an incident in the past year in which they had to recover significant data from backup as a result of failure or theft.

The fact that less than 20 per cent back up their desktops and only eight per cent test their disaster recovery plans shows there is plenty of scope for better practice.

Many channel players still feel a disaster is the only wake-up call many SMEs understand. Ian Kilpatrick, chairman of distributor Wick Hill, believes the problem for the channel is trying to sell devices that SMEs are not ready to buy.

"Often they wait for a disaster to happen before they take action, so it is difficult to get them to justify the cost of the newer products," he points out.

"The key is to talk about what it does for the business, and not get bogged down in technical issues. They don't want to be continually bothered by alarms for intrusion detection messages, for example."

Steve Case, commercial storage business manager at HP, says the problem for resellers is that firms invariably rely on disaster recovery technology that is a few years old and unable to deal with today's requirements.

Resellers must urge them to perform a 'what if' analysis and develop a relevant strategy. "Most SMEs are still reliant on tape backup and need to migrate to Nas and San solutions," he says.

Nigel Lomas, marketing manager at reseller Trams, adds: "There are clearly enough products out there but most SMEs just aren't doing enough. They need to be encouraged to do a security audit and then perhaps offered managed services."

Lomas believes it is increasingly difficult for new solutions to get a look in because most resellers are tied in with one or other of the main security vendors.

"The bigger vendors offer rebates, product marketing support and direct client management. It is difficult for new players to compete with that, and resellers are tied in to long-term commitment through that," he says.

One problem is that SMEs have no regular procedures for rolling out system patches. Because of the global rise in broadband use, viruses are able to spread faster than ever, putting renewed pressures on security procedures.

A user permanently connected to the internet can be infected within 20 minutes of a new virus being released, according to Symantec.

But some believe the SME market is notoriously hard to target. John Regnault, head of security technology at BT Exact, thinks the problem for resellers is that there are effectively two markets.

"Medium-sized companies are like corporates these days, in that they need firewall management, antivirus software and a clear upgrade policy, either internally or outsourced," he explains.

"But smaller businesses are not well catered for because the packages they use are often no better than those used in the home.

"There needs to be tighter integration between antivirus products, personal firewalls and other aspects such as software that tracks malicious marketing."

Regnault adds that medium-sized businesses need continuing relationships with their suppliers to get the best from a firewall.

First, they need a security audit and vulnerability assessment to determine the risks, taking into account the nature of the business and levels of access by employees, partners and customers. The audit generates policies that are embedded into the firewall.

The supplier can then provide support by constantly updating patches and fixes. It can also help businesses to implement a staff policy that ensures good practice, with rules such as not opening unknown attachments or downloading or copying software unless requested.

SMEs seek partners they can trust

Richard Archdeacon, director of technical services at Symantec, says that, above all, SMEs are looking for trusted partners to respond to the growing threats.

"It is no longer a matter of SMEs coping with basic software products. They need trusted partners to help them develop a range of protection measures," he warns.

"Implementing security measures is a complex task that is often done once and then not revisited until the next major upgrade," says Terry Doherty, chief executive of Doherty Associates.

"This leaves a period of vulnerability when hackers find ways around products. It is essential to keep installations at the latest state of repair if you want to keep hackers out."

Meanwhile, the growth in viruses and spam has also brought an increasing number of solutions to the problem, creating difficulties for resellers and customers alike.

Greg Carlow, managing director of VAR Repton, says: "Security is good business but it is constantly evolving and new solutions from smaller players are always being launched.

"Some of our customers in the finance sector are so keen to try them that it is difficult for us to keep up. Sometimes you see a new solution that looks good but no-one buys it. It's almost impossible to know what will succeed."

But David Ellis, director of e-security at distributor Unipalm, contends that there are rich pickings even for resellers without much training.

"The security vendors have products at good prices for SMEs. The opportunities are huge for resellers that don't necessarily want to provide high levels of specialist focus, because products are now much easier to deploy," he explains.

Many SMEs favour an all-in-one device as broadband drives up remote working, because they want a simple solution to viruses and spam. Like many in the channel, Ellis predicts further consolidation among vendors, and even distributors.

The market is also seeing more partnering deals such as the recent one between Unipalm and Interface Solutions to offer resellers a security package combining Check Point Software on IBM xSeries hardware.

Check Point negotiated a similar package for its software on Sun hardware with Unipalm rival Allasso.

Ellis says it is always possible to upgrade clients to new products or services. "If they already have antivirus software you can add functionality to protect against spam, for example.

"No single approach will be 100 per cent successful, so a combination of filters to trap spam is a good way to go," he notes.

However, a recent survey of anti-spam products revealed more than 100 products on the market, suggesting a complex search for resellers looking for best-of-breed products.

If security is so difficult for SMEs to understand and implement, isn't it time for more managed services? James Governor, principal analyst at RedMonk, thinks resellers should see this sector as an opportunity rather than a threat.

"Managed services are hardly off the ground yet but it is an obvious way forward and should be seen as an opportunity for resellers," he maintains.

"It's madness for SMEs to tie up their key people with security issues that are generic to many businesses. We had bureau services in the 1960s and 70s, so why not now?"

Although managed services for SMEs are still an embryonic market, most of the major security distributors have prepared for their arrival.

Niall McGrane, UK sales director at Allasso, says: "Outsourced managed security services are growing in popularity because keeping up with the ever-evolving threats and solutions can be very time-consuming for an SME."

Who takes the blame?

The greatest security weakness for most SMEs remains lack of staff awareness, according to research by Novell. It found that most UK employees don't wish to take any responsibility for securing their work computers.

In addition, the survey found nine out of 10 office staff felt they had no part to play in protecting their machines, saying the responsibility rested with their employers' IT departments, Microsoft or the government. Sixty per cent said they had no knowledge of basic virus-prevention measures.

More than half of the employees said they regularly forwarded spam to their colleagues, and even in today's more security-aware climate, one in 10 left their password on a note on their desks.

Novell concludes that business can be helped by developing education programmes relating to email and internet usage.

CONTACTS

Allasso (01189) 711 511
www.allasso.com

BT Exact (0800) 169 1689
www.btexact.com

e92plus (0870) 200 9292
www.e92plus.com

equIP (01256) 365 500
www.equiptechnology.com

Equiinet (01793) 603700
www.equiinet.com

Sophos (01235) 559 933
www.sophos.com

SurfControl (01260) 296 200
www.surfcontrol.com

Symantec (020) 7616 5600
www.symantec.com

Trams (0207) 555 1234
www.trams.co.uk

Trend Micro (01628) 400 500
www.trendmicro.co.uk

Unipalm (01638) 569 644
www.unipalm.co.uk

Wick Hill Group (01483) 227 600
www.wickhill.com