Tony Lock, originally published on CRN
It’s got the point where the majority of small and medium businesses (SMBs) take the internet for granted. The Web is exploited as general information resource and email is used to communicate internally and externally. The army of developers out there willing to knock up a website for very little money has then led to most SMBs now having some kind of Web presence; indeed many are actually trading on the Web. From the perspective of an outside attacker, SMBs today have created quite a big ‘attack surface’ to prod and probe for vulnerabilities.
Meanwhile, the wide range of research that we carry out at Freeform illustrates that SMBs are frequently acquiring and relying on quite a bit of electronic data in order to operate, which is often confidential or commercially sensitive in nature. Data associated with applications such as accounting, contact management, sales, service and logistics resides on a range of devices. These include file servers, NAS drives, PC hard disks, and persistent memory in smartphones and tablets – many of which are neither properly secured nor protected in terms of encryption, backup and recovery.
Add to all of this the general lack of risk awareness of the average user or, come to that, quite senior business managers, and there are a lot of accidents out there waiting to happen. Never mind the fact that IT windows are wide open with unlocked doors aplenty just waiting for theft and fraud to take place.
But so what? Does it really matter if SMB organisations suffer from security breaches or data loss?
The reality is SMBs make up a huge chunk of the UK economy, and if you add up all of the distraction, cost and lost business taking place every day as a result of the fallout from security and data protection issues it is clear that the problem is significant. Add in the effort required to troubleshoot and solve the issues that arise and the impact on the nation’s bottom line is probably quite considerable, although almost impossible to quantify whatever any particular analyst house or security vendor says.
Furthermore, the supply chains and sales channels of large enterprises frequently encompass large numbers of SMBs, thereby adding to the associated risk exposure highlighted above. All in all, businesses are at risk, and therefore so are their customers. Security and data protection have long been the invisible elephant in the room, but now things need to change dramatically, especially as governments and other regulatory bodies seek to impose legislation to minimise security breaches.
How can SMBs look to improve their security and data protection, disaster recovery facilities? The challenge centres on the fact that few SMBs fully comprehend the nature of the threats to which they are now routinely exposed. Perhaps of even greater importance is that even fewer have a good grasp of either the technological solutions available to help them improve their risk management exposure or the process changes required to go alongside security and data protection technology enhancements.
Step forward the channel. The majority of SMBs have neither the time nor the skilled resources to go out and assess technology solutions. In essence, they don’t know what they don’t know. And as the figure above shows, many business managers and employees do not understand just how important IT systems are to the organisations routine operations and the risks users face every day. Even when such matters are considered, many IT generalists are unaware that many threats can be addressed without having to break the bank, and with solutions that can be maintained and operated long term in the business.
But when organisations do recognise a risk that must be addressed, perhaps because of legislation or after they have suffered a breach or data loss, the IT channel organisations are where they will look first for help. One possibility is for channel organisations to try to bring up risk management with their customers when they are discussing other, routine, IT matters. Our conversations with channel partners who adopt this approach indicate great potential to improve the security posture of SMBs whilst the channel partners themselves clearly stand to benefit through supplying additional, value -added solutions to a portfolio where margins are always being squeezed. Win-win all round.