Special report: Sharpening the message

SMBs are being crushed under the weight of vendor and supplier IT security jargon. Doug Woodburn looks at how the channel can help simplify the message

Sir Richard Branson's recent calls to rally behind SMBs may have been aimed at the government and big banks, but he could so easily have been talking about the IT security industry.

In the words of the multi-billionaire, small businesses are the engine of the UK's economy and yet they are being stifled by a lack of financial support.

But, according to participants at a CRN roundtable commissioned by Sophos, SMBs have been similarly let down by the IT security supplier community -- which has often been more focused on ramming point products down their throats and blinding them with jargon than shoring up their security.

A simpler approach is needed, they agreed, during a discussion that raised questions about whether SMBs are getting the support they need from the channel.

Arguably, IT security has never been more critical for SMBs as they forge on down the fraught path of bring-your-own-device (BYOD).

Failure to properly fortify their defences could be as costly to their chances of survival as a failed application for a bank loan, with one in five UK SMBs suffering a network outage due to a malware infection in the past year, according to research from Sophos.

SMBs - many of which lack a dedicated IT department - are also being overwhelmed by a growing barrage of terminology employed by the industry. BYOD, along with data loss prevention (DLP), mobile device management (MDM) and advanced persistent threats (APTs) are among the IT security buzzphrases to have sprung up in recent years.

Steve Cox, chief technology officer at VAR TSG, said it is time for the industry to rein in the jargon and focus on bolstering its customers' defences.

"I think the industry does a good job of confusing people," he claimed. "There are lots of acronyms and a lot of people with similar products under different names. For an SMB buyer who just wants to get on and run his business, the world of security can be a minefield.

"When you start talking to a small-business owner about encryption, DLP, BYOD and MDM, it can become a little overwhelming. Over the years, we have failed the community by not giving them the right messages at the right time, and I think we just need to be cleaner on the message."

Cox praised the approach of vendors such as Sophos, which he said have moved away from inundating SMBs with confusing jargon towards a simpler, unified offering, which Sophos markets under the banner of Complete Security.

Chris Pace, product specialist at Sophos, said Complete Security is about eschewing a point product approach in favour of providing as much of a customer's security needs as possible in one place, while ensuring they receive the maximum value from their licences.

"Very few vendors want to talk about this, as it is probably only us and McAfee that can deliver all of it.

"The nature of the economy is that people are looking to consolidate and do more with less, and this helps them do that," he added.

According to Sophos' research - which was carried out by research house Vanson Bourne and involved 571 IT decision makers globally - ease of use and low cost of ownership are now SMBs' top two considerations when choosing a network security solution. Some 35 per cent of UK respondents said the former was the most important factor, with 29 per cent plumping for the latter.

But the industry's failure to move away from point products has sometimes made these requirements impossible to meet.

Cox said the ability to manage a suite of products, including AV, DLP, email and web, from a single console, was his top priority when picking IT security vendor partners.

"For us it is not about how we can drive more revenue out of the products we sell, but how we can provide more efficiency in how we deliver them," he explained. "I am talking to the vendors more and more about management. It is this that will allow us to deliver the service to our customers at a price that is right, and not the product."

Jon Martin, product group manager at distributor Computerlinks, agreed: "I think you will see the security industry continuing to evolve and more and more acronyms coming in as the complexity increases.

"Having one common platform, or vendor, offering one functionality from a single management perspective could be the answer, particularly for the low end of the marketplace."

Everything is connected

But the roundtable participants were not done with the self-flagellation as the security industry's repeated failure to keep pace with technology developments came under scrutiny.

Almost a decade on from the start of the virtualisation boom, virtualisation security is only now beginning to take off, for example. A similar gap between adoption and protection could open up with BYOD if the channel fails to educate end users on the security implications of connecting employee-owned smartphones and iPads to the network.

Make no mistake, BYOD is a small-business-led, rather than enterprise-led trend. According to market analyst TechMarketView, last year 69 per cent of the UK's 5.2 million BYOD users worked for firms with fewer than 10 employees. By 2016, the figure will still be as high as 45 per cent.

This makes it even more critical for the channel to ensure that small business owner-managers put security at the top of the BYOD agenda.

Ian Kilpatrick, chairman of distributor Wick Hill, said: "One of the biggest failings we have as a community is the failure to get that concept of risk assessment in before implementation."

"I have been around for a long time in this industry and security is always a bolt-on extra, rather than the first thing in the door.

"If you take BYOD, it is much easier to give somebody a secure device than to say, 'you know that really neat device you've got? We're going to change some of the functionality on it, it is going to feel worse and it is going to cost you more'.

"As a community, we have failed over 30 years to educate on the concept of risk assessment prior to implementation. Everything we sell, be that virtualisation or encryption, we are always behind the curve, and it is always our fault."

Pace agreed that the advent of BYOD and flexible working had shifted the goalposts for SMB security providers. Vendors can no longer get away with cutting down their enterprise security offering, putting it in a smaller box and charging less, he said.

"That is not good enough," he added. "The smaller business is as connected as the large enterprise. We have to make sure those smaller businesses have just the same amount of protection as any large enterprise we have served, and we have recognised that as a vendor."

Having said this, VARs should not be forcing SMBs to adopt BYOD security if they have more fundamental security gaps to plug, Kilpatrick warned. Small businesses' IT security spending habits are often informed by the media headlines and the most successful suppliers will be those that steer them back to reality, he said.

Laptop encryption could be one basic area they have neglected, Kilpatrick claimed.

"BYOD is top of mind because everyone is talking about it, but [SMBs] have lots of other risks inside their organisation that they have skipped past to deal with BYOD," Kilpatrick explained. "The role for the channel is one of education and discussing as a trusted adviser which threats are the most important for them, not the ones that are top of the news."

Refrain from navel-gazing

IT security spending has remained insulated from the downturn, with network security spending set to hike by eight per cent this year, according to Infonetics Research. Sophos' survey suggests that 51 per cent of UK SMBs will hike their IT security budget in the next year. Just 10 per cent expected budgets to decrease, with 39 per cent anticipating they will remain flat.

But TSG's Cox had his doubts as to whether all SMBs are spending their budgets wisely. Many wrongly adopt an "AV-is-enough" attitude and neglect web-borne threats, he said.

"When you drill down into a lot of support calls, you find it is a malware or adware problem that has come from the web and people seem to think their AV should have picked it up," Cox said. "Web security is the one underserved market we have. AV is a big spending point, email security is too, but we would love to see them spend more on the web."

Although, according to Canalys, antivirus is set to account for more than a tenth of a global enterprise security market worth $22.9bn (£14.5bn) this year, the grand old man of the IT security market may have had its day, if its detractors are to be believed.

AV's image as yesterday's man was reinforced further when Flame, the latest strain of weaponised malware to strike, evaded detection by 43 AV tools.

Sophos comes from an AV heritage but in recent years has diversified into data and network security through its acquisitions of Utimaco, Astaro and Dialogs, which specialises in MDM.

Pace said the proliferation of threats calls for a blended approach to security, but urged the industry not to get too hung up on high-level threats such as Flame or Stuxnet.

"What we deliver today is not just AV," he added. "It builds in web protection, host intrusion prevention, client firewall - all the things you would expect to have to secure a laptop or desktop.

"It is unlikely that you will see an explosion in threats such as Flame. The recorded instances of successful working installs of Flame is something like 200 and we are seeing 185,000 bits of unique malware code coming into our labs every day.

"So we need to make sure that the biggest surfaces for attack are the areas where we have the holes plugged, and those areas are the web and unpatched applications - which are on the increase because of BYOD. While Flame and Stuxnet are all very interesting, it's all just a bit of navel-gazing."

Computerlinks' Martin agreed: "Flame and Stuxnet are very high end but we are seeing an increase in targeted attacks, through social media and profiling of customers. The solutions need to adapt to that. We cannot forget traditional security defences, we just need to layer on top of them."

In a May interview with the Observer, Richard Branson called on the government and banks to boost support for SMBs to help yank the UK out of the deepening double-dip recession.

Sophos' Pace argued that the IT security industry has a part to play in ensuring that the UK's 4.8m small businesses are in a position to do that.

"The expectation in this country is that small businesses will drive our economic recovery," he said. "But if we are not securing those connected businesses, how can we expect them to drive that recovery when at the moment they are not getting the attention they need and have been a little unloved?"