Outsourcing IT security

Data security is becoming ever more complex. SMEs can outsource their security issues to experts who can come up with solutions to suit their budget.

Advancing technology is a double-edged sword. On the one hand you have more sophisticated tools for doing business and you can operate globally with relative ease. On the flip side, you have the cream of the world’s cyber criminals circling your doorstop looking for opportunities to do what they do best and that's not good news for you or your customers. The security issues faced by SMEs are changing and even if you think you're immune from most of them, circumstances may conspire to determine otherwise.

While a good spam filter and some antivirus software might have sufficed as a security solution a few years ago, this is no longer the case. The threats your business is likely to face in future are morphing from noisy nuisance viruses which, like drunken revellers, make their presence immediately known, to thieves operating with stealth, their aim being to get in under your defences, snag their prey and leave without triggering an alarm. There is money to be made in stolen data and the price your business will pay for not adequately protecting it can be very high.

Security is a complex issue for SMEs. Stephen Sims, head of marketing at Brennan IT, an IT and telecommunications solutions provider suggests, "In the SME market, many businesses are at significant risk because they don’t have the funds that enterprise players have and they're taking it for granted that some of their providers are managing their security for them without actually confirming that they are." Another concern Sims has is in the solutions being used. "Price and convenience tempt some SMEs into using consumer-type products in the belief they'll be okay for them. At the lower end maybe they will be, but at the top end they’re not robust enough to support multiple users and the high levels of security that some of those players want," he explains.

Protection Services

What concerns James Turner, adviser at Intelligent Business Research Services, is the expectation that SMEs have the knowledge to manage something as complex as security within their organisation. "The vast majority of business people aren’t technology specialists and most IT people aren't security experts. So it’s spectacularly unreasonable to expect them to put their security hat on for half an hour every week and make sure everything is running well. They simply can't do it with any degree of effectiveness." His suggested solution is for SMEs to identify all the low value tasks that are highly “commodified”, such as email filtering, and outsource them. "There are plenty of organisations that will let you redirect your web data through their servers, and they’ll clean out the spam and ensure you don’t get viruses coming through your email systems. It's something that really should be done externally."

If an organisation has a justifiable preference for keeping some level of control, such as the need to enforce its own security procedures, there are vendors that will supply a hardware box which can be remotely managed and which will perform the same filtering process. The benefit of a hosted solution however, is that someone else takes care of the setup and ongoing maintenance. Using a virtual private network, an SME's internet data can be routed through the filtering company’s servers and the SME’s own network can operate securely behind that protective layer. Some providers offer this level of protection for networks located in physical offices and others offer solutions that extend to mobile users allowing them to connect securely to the corporate network bypassing the internet. Some solutions on offer have coverage within Australia and New Zealand and others extend into South East Asia to cover businesses with presences there.

{mospagebreak} 

Derek Morwood of Secure Computing Corp sees a role in the SME market for filtering and management performed in-house. These solutions use hardware boxes purchased by the SME and which are configured and managed by a knowledgeable specialist employed in-house or by the hardware reseller. "These security solutions are very cost effective," he explains. "In most cases you just buy the box and that's it cost-wise." Where a feature is provided via a subscription service, such as web filtering or spam filtering, he adds, "SMEs are able to leverage the same tools which enterprise customers use at a price appropriate to them”.

Morwood is concerned that SMEs don't consider filtering or intrusion protection as the beginning and end of their security needs, and he cautions SMEs against closing one security door while leaving others wide open. "People forget about physical security to their offices. They spend tens of thousands of dollars on their internet security and then they don’t lock the back door. There are still businesses operating without internet firewalls, which is absolutely astounding. These are known issues and people still ignore them hoping they won’t get broken into or hacked.

“The key point to realise is that there is no excuse, because today enterprise level security tools are available to SMEs at their price point," he adds.

The proliferation of mobile devices in the workforce brings with it special security problems. For SMEs that outfit employees with handhelds such as the Blackberry, security and spam prevention are vital. "We're seeing a lot of people who have Blackberries being overrun with spam, to the extent that it's becoming difficult for them to do any serious work with their devices," Andrew Antal, managing director, MessageLabs explains. "We're recommend a layered approach to security. For businesses using the Blackberry server we suggest security be implemented on the server as well as at the internet level."

Social Networking

Antal also cautions SMEs to be aware of the potential for security risks involving employees using instant messaging applications such as Yahoo and MSN Messenger. He explains that there are tools that can monitor and scan conversations in these applications but first SMEs must understand the risks involved. Social networking applications such as My Space and Facebook also pose risks in addition to being a workplace distraction. These sites invite users to download applications and extra features that have the potential to contain compromising code. This is a feature of the new style of threats–they will be downloaded by your users and not delivered via mass emails such as the ‘I love you’ virus of the past.

While internet content filtering may seem more of an HR management issue than a security one, it often falls in the same bundle as security. This is not unreasonable when you consider that employers can be held responsible for the acts of their employees so someone surfing an adult-themed website and viewing inappropriate images can become a potential liability issue for the business employing them. The September 2007 State of Security Report undertaken by Sydney research group StollzNow for Websense Australia found that while, on average, employees believe they are spending three quarters of an hour per day on personal internet use, their IT managers think they spend twice that, and of the employees surveyed, 8 percent admitted to viewing adult material at work. Because of this, SMEs considering security issues should also consider some form of content filtering or site monitoring to manage where their employees are surfing and what they are viewing on the business’s time.

Security risks aren't limited to outsiders and employees still pose the biggest security risk to an organisation. Another finding of the State of Security Report was that "53 percent of employees surveyed said they had sent work documents to personal email accounts (and) 1 per cent had knowingly distributed confidential company documents.
"

“It makes a lot of sense for organisations to ensure their external defences are secure, but we also urge managers to consider threats from within and particularly the way sensitive information can easily slip outside the walls,” suggests Joel Camissar, ANZ country manager, Websense.

{mospagebreak} 

Vince Lee, SafeNet’s regional sales manager for Australia and New Zealand, agrees and suggests SMEs should be concerned about data breaches. “Eight out of 10 times data is not taken by someone hacking into their network, it's by employees stealing the data or losing it when they leave a laptop in the back of a taxi or it's stolen from their office, home, or car. The loss of that data can create a major PR problem for any business because the data has a lot of context to it. The SME is exposing its own intellectual property or marketing plans or its customers' data." The solution, he suggests, is to encrypt the data so it can't be accessed. "This can be done at a low level so that the security can't be bypassed and it can be further strengthened using two- factor authentication where a user needs both a password and a USB token to access the data."

Lee points out that it's not only your organisation's data at risk, it is often also the trust your clients and partners have in your business. "People are mindful of things like identify theft and they don't want to see their information being exposed to people outside the particular SME they have trusted it to." Paul Cooper, consulting software specialist for IBM Software Group, Australia and New Zealand, adds, "If you’re a customer doing a lot of purchases via an organisation and they have a major breach, frankly that would be a major question mark on whether you would continue to do internet-based transactions with that organisation. The impact to them would be enormous. And for a lot of SME organisations, the internet is their major, or only, transaction channel.”

Channel Partners

The process of choosing a security solution for a business isn’t one to be undertaken lightly and it's a complex issue it itself. Scott Robertson, Australia and New Zealand regional director of WatchGuard, suggests SMEs use a channel partner that understands the technologies and can advise them on the best solution for their environment. “This way they get a clear understanding of the available technology, they avoid the potential headaches of trying to configure it themselves, possibly incorrectly, and they harness the experience of the channel partner who is the expert rather than having to find and research the market themselves."

Regardless of what you consider your own business security needs to be and what you're prepared to risk, you may not be the final arbitrator of what security issues you address. Increasingly, SMEs are being forced to implement stronger security solutions by third parties such as governments, the credit card companies and banks that maintain their merchant accounts and even their suppliers and large corporate customers. Pierre Noel, Worldwide Evangelist, ISS & Tivoli Security, IBM Software explains: "There is a domino effect occurring where small and medium size organisations, by the nature of their relationship with larger organisations are becoming subject to stronger security policies imposed by the larger organisations. The larger organisations want to ensure that their associated SMEs are not a weak link in their security chain and to ensure there is little or no risk of an intrusion or security incident induced by someone attacking the SME as a way to access the valuable data of the associated larger organisation."

In addition to dealing with security requirements filtering down from their suppliers and the larger organisations they deal with and those that their customers expect of them, SMEs also face the implications of standards imposed by credit card companies. The Payment Card Industry Data Security Standard, which is in force for Australian small businesses from January 1 this year, requires SMEs with merchant accounts to put in place a series of mechanisms and rules to minimise the risk of credit card information being stolen. “This includes installing and maintaining firewalls, encrypting transmission of cardholder data and maintaining proper policies and testing procedures,” explains Noel.

Security is like any other business problem. There are experts and providers with the skills to help, however it's the SMEs responsibility to take the initial steps to face the problem and seek out answers that meet the business’s needs and which do so within its budgetary constraints.

Related Stories