They may not have as many employees, generate the same size revenues or have the million-plus customer base of the large enterprises, but when it comes to Internet security, small and medium-sized businesses (SMEs) face exactly the same risks as larger organizations when they incorporate e-business and e-commerce into their traditional business models.
Companies taking advantage of Internet technology are using the Internet extensively for accounting, collaboration applications, homepages, intranets, online ordering, and payment and web-enabled customer relationship management (CRM). According to a report by IDC on SMEs IT spend in Western Europe, these companies are experiencing increases in revenues of nearly 75 percent on average, and a halving of costs as a direct result of e-business strategies.
As the Internet expands and becomes more widespread and established, an increasing number of SMEs will be willing to harness the latest technologies, driving heavy IT investment. Another report by IDC stated that over $5 trillion (£3.5 trillion) will be spent on the development of e-business strategies by companies worldwide over the next four years. By giving customers, partners and suppliers access to live corporate data over the Internet, these organizations are opening themselves up to the myriad of security risks associated with e-business such as online fraud, breaches of confidentiality and data theft. Yet many of these organizations are lacking a formal information security strategy. A recent Gartner survey on e-security asked more than 500 SMEs in 12 countries across the Asia Pacific region to outline their plans for e-businesses. Of those organizations surveyed, 60 percent said that they planned to implement online ordering, product or service payment or direct sales via their web site; only 34 percent of those surveyed had a formal information security strategy.
All small and medium-sized organizations must be aware that as soon as they provide access to their important corporate data over the Internet, they need to protect themselves and the people they are dealing with in exactly the same way as large organizations do. As a small business trying to gain a foothold on the market, the last thing you need is a loss of credibility, or for one of your competitors to get hold of your customer list simply because you didn't put security on the top of your list when taking your business online.
All organizations - big and small - must look to e-security as the foundation of e-business, not something to be tacked onto the end of the process, almost as an afterthought. When I talk about e-security, I mean more than just technology. We consider robust, sustainable e-security to be 30 percent technology and 70 percent policy and procedure. This is where many organizations, especially the smaller ones, come unstuck - they think that they have secured their Internet communications and transactions simply by purchasing and implementing security software. Wrong.
Some SMEs also think that to go online at all is more trouble than it is worth. These companies will lose out to competitors who will be taking advantage of doing business online. These organizations need to be educated about the fact that by implementing a robust security solution as well as enforcing a comprehensive email and web policy, smaller companies will be able to open up their sales and communications channels. By not implementing secure e-business and e-commerce systems or by not going online at all, you risk losing a lot of business to your competitors that do.
Cost is another inhibitor holding back SMEs from implementing stringent e-security measures from the outset. But surely your confidential corporate data and your market reputation are worth protecting? E-security technology is affordable for many SMEs, but what many organizations forget is that while technology helps them enforce their security policies, proper e-security also needs monitoring, attention and follow up.
A recent report from analyst group Datamonitor suggests that as companies, small and large, realize the importance of e-security and the complexities of implementing and managing it effectively, they will turn to security vendors to manage their security for them.
The main benefit of using these managed security services is that the systems and networks can be monitored remotely. On-site teams are not necessary. Instead, managed security service providers will work from an e-security center with a team of experts monitoring customer networks. As well as providing basic services such as hosting and filtering a company's email, the security team is able to respond to alerts immediately and can ensure that the network is monitored effectively on a 24x7 basis.
Managed security services will enable SMEs to benefit from outsourcing their security. This is because managed security services let companies choose the level of service that they need or want. Managed security services let small and medium-sized companies exploit the economies of scale that are apparent in this business model. The global application service provider (ASP) market is forecast by Gartner to exceed US$25 billion by 2004, and information security companies have this year been scrambling to claim their piece of the pie. Research by IDC suggested that SME spending will grow fastest in the sector. Many SMEs are moving their IP networks to high-bandwidth architectures capable of handling a range of applications, such as e-commerce and wireless, with security an essential addition. The managed service approach will enable more customized security strategies to suit each organizations needs.
Take the any recent virus outbreak as an example of how a managed security service could help protect an organization. As I mentioned earlier, effective e-security is 30 percent technology and 70 percent policy and procedure. So what happens when a company has the right technology that is not backed up by sound policy and procedure management? Exactly what would happen to a small business that has the best content security management software available but no procedures in place to use the technology to its full advantage? A virus, which can propagate and spread to the company's customers, could easily infect such a company. Not great for the company's corporate reputation or customer relationships. However, if the company in question used a managed security service, its security policy would be updated as soon as a virus is detected and no loss of productivity or corporate reputation would transpire.
So while the more dynamic SMEs understand many of the benefits of conducting business online, they may still fall short of ensuring that they have established a comprehensive security policy and that business is conducted within a secure and trusted environment. In the current economic environment, clouded perceptions of security being too expensive and complex need to be readdressed if organizations are to ensure that they harness the opportunities that the Internet presents and not lose out to competitors.
Ralph Shaw is senior vice president, authentication group, Baltimore Technologies (www.baltimore.com).