For the average small to medium sized enterprise, which faces the exact same IT security challenges as large enterprises, buying and maintaining countless point solutions to address security threats in what is really a reactive patchwork manner is an expensive business, says Richard Broeke, sales manager at Securicom.
Costs really start to stack up when there are 25 to 1 000 users needing a variety of point solutions on their workstations, and all of them need updating every year.
Typically, there comes a trade off. Companies either stick to just the basics, or they don’t update with the appropriate frequency to keep pace with threat evolvements. Neither is good enough. Both leave their systems vulnerable to newer attacks.
Top three security essentials for the small business
E-mail security, endpoint security and a robust device management solution are the top three security essentials for every small and mid-sized company.
E-mail security is more important now than it has ever been. In South Africa, one in 178 e-mails are identified as malicious – putting the country in the top four geographies where malicious e-mail traffic is high (Symantec). Malicious code includes programmes such as viruses, worms and Trojans which are secretly installed on computer systems to destroy or compromise data or steal sensitive information.
Generally, attackers aren’t concerned about the size of the organisation. As long as there is a stable and constant connection to the Internet, small businesses can be targets.
In fact, small to medium-sized businesses are often perceived as softer targets because they aren’t likely to have high level security measures in place as larger corporates typically do. And sadly, this perception is not far off the mark.
Globally in 2012, 50% of all targeted attacks were aimed at businesses with less than 2 500 employees, while 31% of attacks were targeted as companies with fewer than 250 employees (Symantec). Money in the bank, customer information, and intellectual property are what they are after. Most businesses have all three – valuable fodder for cybercrime syndicates.
Unmanaged mobile devices are a gateway for hackers
Threats targeting PCs still outnumber those aimed at mobile devices, but smartphones and tablets have come under increasing attack in the past two years. Between 2011 and 2012, there was a 58% increase in mobile malware (Symantec).
Some pieces of malware are designed to gather information such as phone logs, user location and SMSes, while other pieces of code will install adverts in the device’s photo albums and calendar.
Banking Trojans monitor devices for banking transactions, gathering sensitive details like passwords and account numbers. Then there is malware which causes a device to send out SMSes to premium-rate numbers.
Aside from the personal risk and costs associated with these kinds of infections, employees using unprotected mobile devices to e-mail, store company data, and connect to the Internet or company network, are putting company networks and information at risk.
The rising tide of mobile malware has made the implementation of mobile device management and security solutions a must for any business that allows employees to use portable devices to do their jobs and access the corporate network.
Back to the endpoint
It’s a discouraging fact but, employees are the biggest threat to a company’s IT and data security. With so much emphasis on protecting company networks and data against threats from the net, the threats that can be perpetuated from inside the ranks are often ignored.
On one hand there is the risk of employees unwittingly depositing viruses and other malicious content onto company resources by plugging-in infected peripheral devices like iPods, cameras and memory cards. But, on the other hand there are more sinister threats arising from employees’ access to information on company systems.
Each and every endpoint should be equipped with its own firewall to protect it against threats that don’t originate from the Internet, such as those spread via e-mail or infected discs. A desktop firewall will also stop unsolicited outbound traffic from infected computers which could lead to infections and security breaches in other computers and external programs.
A decent endpoint security solution should include antivirus, antispyware, desktop firewall, intrusion prevention, device control and application access control.
Blocking the path of least resistance
We are increasingly seeing smaller companies, which simply cannot afford the knock, being attacked. Companies need to carefully weigh up the costs of having decent measures in place against the costs of skimping on IT security.
IT security must really be seen as a critical business priority. The more layers of security there are, the more difficult it is for cybercriminals to access and compromise data. But, the security essentials should be in place.
Instead of purchasing and maintaining various point solutions, small and mid-sized businesses should consider outsourcing their security. Managed, cloud-based security services, contrary to common perception, typically have a lower cost of ownership and ensure that IT security costs are predictable. This brings best-of-breed technologies within the reach of smaller businesses.
Outsourcing IT security to specialist consultants allows companies tap into the skills of a team of experts whose business it is to stay ahead of security threats and trends.