Business gets riskier for SMEs

With time and money short, and their vulnerability to threats higher than ever, it is becoming more difficult for small businesses to keep up with security requirements. In part two of our five-part series, Paul Bray looks at how they can protect themselves

As their use of IT becomes more sophisticated, SMEs are increasingly facing the same security threats as their larger brethren, but they are left without the same levels of awareness or protection.

“As soon as SMEs use email, connect mobile employees or remote offices to their central network, maintain a web presence or provide greater access to third parties, they open their business to risk,” says Viv Francis, channel director at internet security vendor Check Point.

The more SMEs rely on technology, the more points of vulnerability they introduce and the greater their potential loss if anything goes wrong, from missed business opportunities and system downtime to financial loss and damage to reputation.

Motives and methods are changing as the happy hacker morphs into the cyber-criminal. Instead of launching random attacks and causing trouble for the hell of it, criminals are increasingly seeking financial gain by stealing data, breaking into bank accounts or bleeding system resources dry. Instead of battering blindly on every door, malicious processes are deliberately seeking out badly protected systems and targeting specific vulnerabilities.

But despite making big advancements in their IT knowledge, many SMEs lack similar sophistication in their security defences, which are often outdated or ineffective, according to Simon Heron, director at managed service vendor Network Box.

“SMEs are vulnerable because they don’t have time to investigate whether they should patch their defence, or to locate, install, test or implement patches,” he says. “Meanwhile, firewalls and Unified Threat Management [UTM] systems are getting more complex, and badly configured systems are usually why systems get hacked.

“The smaller the company, the more likely it is to have security flaws. Most at risk are firms of about 10 people that are big enough to have a network, but too small to have a dedicated IT team.”

Larger SMEs may also be vulnerable if their systems have grown piecemeal and have been maintained by amateurs or a single, overworked IT professional.

“All too often the bias of activity is towards managing the network, and security is only covered on an ad-hoc or fire-fighting basis,” says Lewis Honour, security practice manager at VAR Logicalis.

After various high-profile media stories about viruses and phishing attacks, most SMEs have a basic awareness of IT security. But this is often inadequate or outdated, and watertight defences are sometimes only bought on ‘the horse bolting the stable door’ principle.

The bare minimum an SME should consider, according to Gary Duke, sales director at VAR Lan 2 Lan, is a firewall and a desktop and server anti-virus, an anti-spam and an email content-filtering solution, and a VPN for remote users.

UTM devices are appealing, says David Ellis, director of e-security at distributor Unipalm. “There are now several solutions on the market that are particularly suitable for SMEs, which combine a number of the key IT security products [firewall, anti-virus, intrusion detection, anti-spam, content filtering] on a single appliance,” he says. “This makes them far more affordable than deploying separate ‘best of breed’ vendors, and makes management far easier for the customer.”

Heron adds: “[Analyst] IDC forecasts that UTM security appliances will constitute 50 per cent of western European security appliance revenues for vendors by 2009, growing at 61 per cent compound annual growth rate.”

Apart from the technologies already listed, other products bought by SMEs include intrusion prevention, anti-spyware, email encryption and Wi-Fi security. Mobile security will also be a major growth area this year, says Simon Geach, channel and retail sales manager at anti-virus vendor Kaspersky Labs.

Most SMEs prefer an out-of-the-box solution, according to Carole Theriault, senior consultant at anti-virus and internet security vendor Sophos.

“They [SMEs] prefer a product they can set and forget: not only because they have fewer IT specialists available, but because a typical SME network is fairly standard,” she says. “This means that default protection packages are often suitable.”

Many SMEs also like simplicity, according to Ian Masters, sales and marketing director at security distributor Sunbelt. “SMEs tend to buy whatever is easiest, especially if it ticks all the boxes,” he says. “So many prefer to buy all of their security products from one vendor.”

But some are more discerning, says Honour. “Defence in depth is the type of logic SMEs understand,” he says. “Implementing a layered, multi-vendor solution ensures that, if one manufacturer has a hole that allows an attacker through, it’s unlikely that the next level will succumb to the same attack.”

Honour also doubts that price is the over-riding factor. “Obviously cost is a concern, but SMEs that are serious about protecting their business are rarely driven by this alone,” he says. “Other factors, including ease of deployment and confidence in the product, also come into play.”

Sal Viveros, representative for intrusion prevention and risk management vendor McAfee, says that often SMEs are more likely to be guided by their reseller than their wallet.

“Unlike large-scale enterprises, SMEs don’t tend to shop around for a competitive price, but buy based on the recommendations of an external consultant,” says Viveros.

The SME label covers everything from micro-businesses to sizable concerns, and their buying habits differ significantly, according to Patrick Dunne, regional director of antivirus and internet content security vendor Trend Micro.

“In firms with up to 100 users, resellers tend to be selling to business owners that are operating within tight budget constraints,” he says. “They need to educate them so they can understand the value of security.”

“Among larger SMEs, resellers are selling to IT professionals, but not IT security experts. These IT professionals are technically competent, but they’re stretched and therefore expect their resellers to recommend solutions, not a pick-list of products.”

Just whom resellers should approach within a potential customer varies according to the size and make-up of the customer. A few SMEs are taking on security officers, or deputing an existing staff member to do the job part-time, although this may encompass all aspects of security and compliance, not just IT.

Otherwise, says Heron, “for small companies the owner is responsible for security purchases. As the company grows it’s the IT manager who presents a business case for security purchases to the managing director. In medium-sized enterprises we see IT managers being given a budget that they can spend, but anything over that budget must be approved by the finance director.”

SMEs like to buy from companies they know, but if they have no IT professional on the staff, the names of even the market-leading security vendors may be unknown to them. So they are likely to fall back on their incumbent reseller for security advice, which gives VARs that specialise in selling to SMEs an in-built advantage, at least with existing customers.

“SME specialists and local resellers are in the best position to sell security into small businesses,” says Ian Moyse, channel sales director at internet security vendor BlackSpider.

“Top-end security specialists can demand high rates for their expertise, but this can be too costly for SMEs. Resellers are more adept at balancing appropriate expertise with affordable cost.”

Security vendors need resellers badly if they are to penetrate the SME market. Moyse adds: “Larger vendors often want to get into the SME space, but lack the route to market, an SME market profile or the licensing or technology packaging that allows SMEs to buy and use their technology easily. So SME resellers are a crucial conduit for vendors.”

However, resellers must take security seriously if they are to succeed, warns Throop Wilder, vice-president of marketing at UTM vendor Crossbeam. “Unlike networking, security has become complex and isn’t easily learned in just a few months,” he says. “Resellers have to be willing to invest in their people and training.”

Specialist security VARs may move down into the SME sector if they start losing business to system integrators in their traditional enterprise markets, says Mik Stevens, security market manager at vendor Cisco. But to succeed with small firms they will have to invest in small business-focused marketing, claims David Abbot, product marketing director at internet appliance vendor Equiinet.

Vendors say there are also opportunities in security for infrastructure VARs and e-commerce specialists. Andrew Davies, business development manager at SME security vendor Mako Networks, says: “A number of our resellers have had success in bundling security with broadband, with a monthly fee that recoups the cost over one to three years.”

Proper training is important, and security and networking vendors will normally require a partner to have completed, or be taking, the appropriate qualifications, according to Rob Hughes, security and wireless business manager at security distributor Comstor. VAR Lan 2 Lan has found that a thorough understanding of networking is as important as security skills, Duke says.

SMEs are usually the most business-focused of all IT buyers.

Often, the person the reseller is negotiating with is spending their own money, and if they cannot be persuaded that a security solution will benefit their business, they are unlikely to buy it.

Honour says that forward-thinking resellers are working with SMEs to identify their security threats and understand the areas of the business most at risk before suggesting how to manage security controls and protect the business. The selling of ‘tin’ is very much a tertiary objective.

Chris Lindsay, head of broadband propositions at BT Business, says: “Resellers need to help SMEs to understand the potential cost to their business of a typical security breach, as well as broader concerns such as the legal implications of not protecting customers’ data.”

Duke says: “A comprehensive risk assessment and security audit helps organisations to understand where their risks, threats and vulnerabilities lie.”

The fly in the reseller’s ointment is often that, while they want (or at any rate ought to want) a consultancy-based sale, SMEs seem determined to get a lot for their money.

“An SME’s questions are likely to be less technical, but more frequent,” Moyse says. “They will be more reliant on the reseller for advice. For example, [they will want advice about] how to set up and configure their firewall, wireless router or anti-virus software.”

Stevens suggests a way around this conundrum of low value and need for high consultancy. He says: “Resellers should look for packaged solutions with greater automation of process, advise customers via generic best-practice worksheets, and offer after-sales support as a value-added service. Good on-site delivery of solutions will minimise after-sales problems.”

Resellers can still earn strong double-digit margins on specialist security products, according to vendors.

But margins on commodity products can be much thinner, and tend to tail off when you get up into the medium-sized enterprise market where there are fewer potential customers and competition is stiffer. Security sales to small businesses command higher margins, but since the total value may only be a few hundred pounds, few resellers are going to make a fortune.

So, as you might expect, the big money is in services and added value. “For every £1 of Microsoft security that’s sold, partners are selling £4.18 of services. This is where the financial opportunity lies,” claims Mike Pallot, channel development manager for security at Microsoft.

Wilder says: “The resellers that survive and thrive do so primarily because they add value through design, installation, training, professional services, monitoring and troubleshooting. Risk assessment, business continuity and compliance are three classic examples of where SMEs are seeking professional advice and services.”

There are plenty of opportunities for repeat business, both as the customer’s needs grow and change and as the technology develops.

“Resellers can add complementary products, or trade out products that have become obsolete, since traffic volumes and broadband pipes are growing quickly,” says Ian Kilpatrick, chairman at security distributor Wick Hill. “Another opportunity is upgrading remote security to the level of head office. And, of course, in a couple of years traffic will have grown again.”

One of the biggest challenges faced by security resellers is keeping themselves, and their SME customers, up to speed on the latest threats and solutions. But even this cloud has a silver lining, according to Abbot.

“Happily for vendors, distributors and resellers, this area of the market shows no sign of slowing,” he says. “Each year brings new threats and new opportunities.”