Q. Do you think that small businesses are aware of security issues?
Paul Dadge: I think more businesses are becoming aware, thanks to the media, that issues really do exist and that it is not just a myth that you can get a "virus" on your PC.
The issue of spam has been apparent for some time. I think possibly the failing here is that businesses do not realise that there are ways to combat spam.
Graham Barrow: Probably roughly 50% aware.
Caroline Hodson: For many small businesses, IT issues generally are not on their priority list, particularly now that survival for most small businesses is what is keeping them awake at night, and the key challenge with that is cash flow.
However, I think that most of the businesses will have an awareness of security issues, but more as a consumer than a business owner. They are likely to understand the need to have security, but will rely on their reseller in terms of how much and what the implications for their business are.
Krunal Patel: Depending on what industry the business focuses on, the answer is yes and no. But on the whole, not many small businesses are aware of potential security threats to their network and corporate data.
Tim Garratt: Yes.
Q. What security issues do you think small businesses are most concerned about?
Paul Dadge: Anything that means information stored on their systems can be accessed outside of the corporate LAN will cause concern.
Graham Barrow: Viruses and unauthorised access.
Caroline Hodson: They will be concerned about viruses that can impact productivity. They are also concerned about mobile working and whether connecting virtually will enable malware (though they will not think of it as malware, rather viruses or phishing).
Data will be at the top of the list: how can I ensure no one gets access to data either about my business (financials) or my customers (commercial).
Krunal Patel: Viruses, spam, pop-ups when browsing the internet.
Tim Garratt: Filtering out spam from real e-mail.
Q. Small businesses are just as susceptible to threats as enterprises. Do you believe they are aware of this?
Paul Dadge: I think they are more susceptible to threats, because small businesses do not have the same education as enterprises around use policies.
Graham Barrow: Yes, but they tend to think that it won't happen to them.
Caroline Hodson: No. Quite simply they will take the "we are not big enough for others to bother trying to take our data" approach.
Krunal Patel: No. They take this matter lightly, asking who would benefit by attacking their IT system.
Tim Garratt: No. They believe hackers and cybercriminals only attack larger companies.
Q. Have you seen a move towards remote working, and if so, what measures do you suggest small businesses put in place to protect themselves?
Paul Dadge: More users want the ability to work from home. However, small businesses need to appreciate that using passwords such as abc123 or other people's passwords is not appropriate when accessing systems externally (or internally for that matter).
Remote workers should look at implementing a complex password policy and/or two-factor authentication.
Graham Barrow: Definitely. I would suggest a good quality firewall.
Caroline Hodson: There is definitely a move towards it and very few measures have been put in place.
In the current climate many small businesses will be moving to home working to keep overheads down. However, they still need to be sure they can maintain immediate contact. This will include the use of instant messaging, as well as e-mail, and the implications of that.
Small businesses, unless they have some sort of technical bent, will not understand the scale of the security issues and the fact that remote working requires additional security in the home environment. If they have a server then we can put security in place for them. If not, then the reseller can host the security for them and manage it remotely.
Krunal Patel: Yes, there are many customers who want total connectivity to their offices while still on the road.
We suggest they secure and ringfence their network with a hardware firewall. But also use the disguise such as Interscan Virus wall to best protect their network from possible denial of service attacks and abuse.
Additionally, we always stress VPNs and FTPs using encryption, rather than just accessing over the web.
Tim Garratt: Yes, and we recommend all remote services secured using certificates and remote desktops only accessing from an SSL VPN.
Q. As a reseller, are you seeing an increase in the time spent on consulting and advising?
Paul Dadge: We now have a virus response team on a rota basis to respond to both clients and non-clients which are suffering downtime through a virus outbreak.
Graham Barrow: Not a major increase.
Caroline Hodson: The shift towards services and consultancy has been ongoing for the past few years; it is not a recent development. However, with no margin now on hardware and challenges elsewhere, this will be a continuous shift.
At Trend Micro we have developed a number of solutions that will help resellers create consultative relationships and enable them to provide a more proactive advisory role, such as remote management, as well as a series of SaaS solutions: hosted messaging, hosted security and so on.
Krunal Patel: A bit yes, because people tend to ask for a bit more information on what they are getting and above all they are getting more for their money, along with other protective advantages.
Tim Garratt: Yes.
Q. What factors will influence a small business to change its approach to security or the current solution it is using?
Paul Dadge: Better understanding and, regrettably, being subject to a security breach. Most small businesses operate a "lock the gate after the horse has bolted" policy. It is this mindset that needs to be changed. Security software needs to be viewed as an insurance policy more likely to be called on than motor vehicle insurance.
Graham Barrow: Usually after something has occurred.
Caroline Hodson: When they have an issue. The key thing to making a small business owner or manager take stock of where they are is either a breach or a near miss.
Other factors are: slowness of machines which affect their productivity; installation and maintenance issues (they simply do not have the time to deal with it); having to deal with too many different products when a single product will cover all their needs; and cost, although ongoing costs are increasingly becoming an issue.
Krunal Patel: Making them aware of the threats they are prone to and giving them case studies where prevention has proved to be better than cure.
Tim Garratt: Cost. Companies are cost-motivated nowadays, often opting for "free" personal security products for their company network.
Q. Do you think small businesses are seeing security as less of a priority with the credit crunch?
Caroline Hodson: Everything outside cash flow and survival becomes less of a priority. As an industry we need to make it simpler for them to manage their security, giving them the peace of mind so they can get on with running their business.
Paul Dadge: I'm not seeing this. However, the number of attacks and breaches is increasing.
Graham Barrow: Yes.
Krunal Patel: IT and the integrals of IT are one of those things everyone will have to have, regardless of the recession. People tend to find the most economical ways of doing things, but they are attentive when we talk about security.
Tim Garratt: Yes, customers will always opt for "free" products, for example AVG, even though the licences do not allow it.
Q. What are the decision-making criteria for small businesses?
Paul Dadge: The IT provider usually makes the decision in response to questions such as "I want anti-virus" or "How do I get rid of spam?" It is rare for a small business to come to us and tell us exactly what their requirements are.
Graham Barrow: Cost and then cost again.
Caroline Hodson: Covered above, but also:
- Am I happy with the security I have in place? Am I convinced it covers my needs?
- Is the solution flexible enough to meet my needs now and in the future? I do not want to be changing solution as my business changes (this will include working practices, for example, office versus home working).
- How can I simplify everything?
- Do I have an issue with security slowing my machines down?
- Do I find my solution easy to manage and maintain? If not, how can I improve this?
- If I have had any issues, am I happy with the support I have received?
- Can I reduce costs on security without reducing quality of solution? And what is the trade-off?
- Why do we need to do this?
- What if we do not do it?
- The cost involved?
- Is this the best product and is it sufficient for what we want to achieve?
Q. Typically small businesses do not have a dedicated IT resource. Do you think more needs to be done to help educate and train them about security threats?
Paul Dadge: Yes, maybe through roadshows or workshops.
Graham Barrow: More could be done, but it is getting them to spend the time.
Caroline Hodson: Yes, they need more education, but we also need to ensure that the advice and support they get from resellers recognises this need.
Do vendors give resellers the right education and support? We need to provide regular bulletins on what is happening in their world, and communicate that their information is as valuable as other, larger businesses, but that there are measures they can take to ensure security across their business.
Krunal Patel: No. For that they need to tie up the support specialist company which keeps their systems up to date and keeps the client informed at the high level. Because everyone specialises in their own field and sometimes a little knowledge can prove dangerous.
Tim Garratt: No, small business owners will feel they can make the right decision for their company.
Q. Do you think there are enough resources, information and places for small businesses to go for advice and guidance?
Paul Dadge: There are plenty of places to go for information; however, they are so diluted, offering so much advice to small businesses, that it becomes overwhelming.
Graham Barrow: Yes, but try getting them to use it though!
Caroline Hodson: No. Most small businesses will look to organisations such as Business Link or the Federation for Small Businesses for advice. They go here for access to funds, grants and so on, and therefore they should be able to get top-level advice on security matters.
Krunal Patel: Yes.
Tim Garratt: Yes.
Q. Do you think vendors are doing enough to educate small businesses on the broader security topic and the issues facing them? Please give some examples of best practice.
Paul Dadge: Maybe the resellers firstly are guilty of not doing enough to educate their clients around security issues, by running training sessions for instance. However, it is unlikely clients would pay for this insight.
I think running roadshows or workshops for small businesses is a good idea, showing what a virus can do to your PC, how it works and best practices for avoidance. This can be linked to e-mail myths, as we still see a large proportion of spam generated internally through forwarded junk e‑mail.
Caroline Hodson: I agree. We can definitely do more. Trend Micro is now working with the Federation for Small Businesses to get that education and awareness across, but we need to accept responsibility for educating these businesses as well as demonstrating the value of the specific solution we offer to the market.
Krunal Patel: Yes. For example, Microsoft arranges webinars, seminars, e-mails, and so on. Symantec is doing webinars, seminars, conferences, e‑mails, calls from account manager to the resellers and so on.
Tim Garratt: Yes.
Q. Defining a small business as 1-100 users, do you feel that these break into different segments (1-10; 11-25; 26-50; 50-100)? If so, what are the different pain points they face and how do these differ?
Paul Dadge: As Microsoft has now recognised, a business of 75 or more employees is likely to have a dedicated IT person. The issue we see with this is that they sometimes stagnate in their role and do not participate in training or upskill.
Smaller businesses hurt more with downtime than larger businesses as response times to fix these issues tend to be longer, and there is a perception that everything needs to be done yesterday. Very few customers have a disaster recovery strategy should they lose data or suffer a security breach.
Caroline Hodson: An organisation of 1-10 represents few people, often remote working, with little or no expertise or experience of security, so they rely totally on the reseller. With 11-50, the company probably has a server environment, depending on the type of business.
A business with 50-100 employees is likely to have an internal IT resource, which is expected to know everything about all aspects of IT, but is unlikely to have security expertise. They still need significant support from resellers, although they will want to be more technically involved in the solution.
Krunal Patel: With 50-100 people, their needs have to be managed, and proactive, remote and onsite IT services need to be provided for everything. With 26-50 people, they need managed IT services and remote but proactive IT services. Firms of 1-25 people need managed IT solutions, remote and on-site reactive services.
Tim Garratt: Not really.
This was first published in January 2009