Even the largest enterprises with unlimited security budgets have an uphill battle against today’s clever and sophisticated adversaries, so it’s no surprise that small to medium enterprises (SMEs) are struggling to stay ahead of today’s threats.
Lutz Blaeser, MD of Bitdefender distributor Intact Software Distribution, says SMEs face their own security hurdles, the biggest of which is probably the lack of resources, both in terms of money and skills needed to implement and maintain the top security solutions.
“Coupled with this is the fact that SMEs are becoming an increasingly attractive target for attackers. After all, knowing that most of these entities can’t afford the best security makes them ‘easy pickings’ for cyber criminals,” he says.
He adds that, unlike at larger enterprises, security just isn’t a top priority for SMEs, which too often don’t believe that they are targets as they have nothing worth stealing. “They need to realise that all data is worth something on the black market, and moreover, SMEs can be used as a stepping stone for attackers to get at their third-party partners or suppliers.”
Security is seen as an afterthought, and something that is only taken seriously once an event has happened. “SMEs’ confidence in their ability to effectively secure themselves is also low, as they realise they don’t have the tools and budgets enjoyed by their enterprise counterparts. Also, in many SMEs, there is no dedicated security person, which lowers accountability and results in not very well informed decision making.”
Speaking of the kinds of attacks that SMEs usually fall foul of, Blaeser cites phishing and Web-based attacks, such as drive-by downloads, as being the most common. At the same time, SMEs are still relying heavily on anti-virus solutions, which, while effective against known malware, cannot be relied upon to defend against today’s exploits and attacks.
Another problem, he says, is that SMEs do not have strong identity controls in place, and do not have control and visibility in terms of staff password security. “Too often identity policies are not enforced, and nor is one of the top security principles, that of least privilege, when it comes to access to information.”
According to Blaeser, despite the fact that SMEs lack the budgets and expertise to have the same security measures that corporates do, there are still steps they can take to better secure themselves. “For guys with smaller budgets, managed security services can be a huge help, as you only pay for what you use, and all the technical expertise and upgrades are handled by the service provider. It’s essentially enterprise-grade security, at a much lower cost.”
He also advises SMEs to do a thorough audit of the security solutions they have, to see where and if any gaps exist, and then focus on filling those gaps instead of throwing away much-needed budget on the latest technologies. “They should bear in mind that perimeter security is only a small piece of the puzzle, and should look at some tools that secure endpoints too.”
Finally, SMEs need to continually review and enforce their security policies. “Policies created a few years ago will no longer be effective. Make sure guidelines and procedures stick with the times. These will include policies around the use of mobile devices and social media, as well as the right way to access cloud applications and similar,” Blaeser concludes.