SME security: Sizable differences


Whether you are a mom-and-pop shop or a global corporation, protecting data is a concern, reports Angela Moscaritolo.

In today's world, it doesn't matter if you're a Fortune 50 company or a mom-and-pop shop. If you're connected to the internet, the risks and vulnerabilities you face are the same.

“The customers in the middle market swim in the same internet cesspool as their enterprise counterparts,” says Darrell Rodenbaugh, senior vice president of the global midmarket at McAfee.

Those tasked with securing a company's network, whether at an SME (small-to-medium enterprise) or a global corporation, have the same goals: to meet compliance requirements, to prevent confidential information from leaving the company, to keep unwanted intruders out, and to protect against an ever-increasing number of new strains of malware. But SMEs and larger entities each face their own challenges in meeting these goals. Larger enterprises often are hindered by their sheer size, with more access points to close, large numbers of users to keep track of, and branches in different states and countries to worry about. SMEs often are hampered by a lack of resources: fewer qualified security personnel, less money to buy necessary products, and more difficulty complying with regulations that often were written without companies of their size in mind.

Allan Kintigh, software engineer at Minnesota-based payment card processor National Bank Card Services, a company with fewer than 30 employees, knows all too well the importance of cybersecurity and its associated challenges for a small company. He says that the recently publicized breach of New Jersey-based card processor Heartland Payment Systems hit close to home because if National Bank Card Services were to suffer a similar public incident, it would probably never be able to recover.

“Jobs are on the line as far as security is concerned,” Kintigh says. “Actually the entire company is on the line.”

Experts say there are a few areas that both SMEs and large corporations must cover to be protected. Businesses of all sizes should have firewalls, intrusion detection, anti-virus and a good patching strategy, says Gene Fredriksen, global information security officer at Tyco International, a group of manufacturing and services companies with about 100,000 employees across the globe.

In addition, all businesses require endpoint protection and messaging security, says Blake McConnell, senior director of small and medium business security at Symantec.

Encryption belongs on the list as well. It is critical to corporate security no matter the size of the company, according to Randy Abrams, director of technical education for anti-virus vendor ESET.

These basic security components typically are the same from organization to organization, large or small. But, what differs between an average SME and large enterprise, adds Fredriksen, is the scale and complexity of support for the overall IT environment and the security tools safeguarding it.

Coordination challenges

Some large enterprises use common IT security controls globally. For example, a large financial organization's IT security practitioners often will mandate that the company's branches conform to the same rules. But other large enterprises are made up of hundreds of smaller companies, each with their own IT security function.

Tyco International is an example of the latter. It is composed of businesses active in health care, flow control, security, telecommunications and electronics, operating in every state and in 60 countries around the world. Each of Tyco's business units has its own technology organization and its own security group. Essentially, it is a large enterprise made up of multiple SMEs, Fredriksen says.

The biggest problem in such an environment is collaboration and communication, he says. “The challenge is: How do we work in concert while allowing business units to do the best job and support them the right way?”

Another issue many IT practitioners face, especially in today's economy, is finding efficiencies where possible. CIOs at large enterprises are keen to understand how they can reduce the costs of their corporate infrastructures and streamline their operations, says Kevin LeBlanc, group product marketing manager at McAfee.

One thing that helps Fredriksen address these various challenges at Tyco is frequent communication. All security officers from the business units that make up the company meet regularly by phone or in person to share updates and discuss projects that currently are underway, he says. “We find that those discussions are incredibly helpful to us,” he explains.

Often they find during these talks that some issues thread their way across the various business units, such as the need for virus protection. This allows for standardization across the enterprise and, ultimately, cost savings for the company. As Fredriksen seeks out technologies to address problems common to all the business units, he is able to negotiate attractive pricing with vendors for the company's overall security needs.

Wearing multiple hats

Large enterprises typically staff specialists in various roles within the IT security department, including network, data and endpoint security, audit, and compliance, LeBlanc says. By comparison, a typical medium-sized business with 50 to 1,000 users has an average of 1.8 IT professionals on staff, according to recent McAfee research, and only eight percent of companies in this market segment have a security specialist on staff.

For SMEs, the lack of a dedicated security expert is a significant challenge as well. Fortunately for Kintigh, National Bank Card Services has a larger IT staff than most SMEs: seven people, three of whom, including Kintigh, are in charge of security. Even so, a staff that small must wear multiple hats. Kintigh says half of his time is spent on security initiatives and the other half on developing software for customers and maintaining the system infrastructure.

Issues with too few security pros become apparent when trying to comply with Payment Card Industry (PCI) guidelines, Kintigh says. “PCI compliance is just hard to maintain because the PCI rules were written for a large company where they have various layers of management,” Kintigh says.

For instance, PCI rules mandate that developers submit code to a test team, which then hands it off to a product manager who puts it into the production system. But at National Bank Card Services the same person performs all of these steps.

Conversely, Matt Roedell, vice president of infrastructure and information security at Tru Mark Financial Credit Union, a Pennsylvania-based company with 265 employees, thinks that meeting compliance requirements and securing the organization would be harder if his company were larger.

“Larger companies get bigger budgets and increased head count, but less support at the executive level, so it is nearly impossible to secure an organization if it was not built with security from the inception,” Roedell says.

Higher stakes

One of the things that SMEs are beginning to think about is outsourcing the security functions of the business to managed security service providers (MSSPs), says Adam Hils, a principal research analyst at Gartner who focuses on security.

For SMEs, outsourcing security is a better choice now than it was two years ago, Hils says, because more service options are available than before and they are appropriately priced.

“MSSP companies have built services from the ground up for SMEs,” he adds.

Tyco's Fredriksen agrees that outsourcing might be a good option for SMEs, but says it comes down to the value proposition. Having started his career in the SME space, Fredriksen has seen that small businesses always must determine how to get the best bang for the buck, which may or may not call for an MSSP contract. When companies do decide, after thoroughly evaluating their needs, to outsource some activities to an MSSP, it is often so that in-house staff can focus on more critical security functions, says Fredriksen. Larger organizations, given the size of their IT staffs, often can avoid these choices.

From a threat perspective, however, the stakes usually are greater for large organizations than for SMEs. According to Symantec's McConnell, data loss prevention, for example, is a huge issue for large companies. SMEs have data loss concerns too, but the reputational and legal risks are far greater for the big enterprises.

In addition, with far more employees, the threat of insider attack is also greater for large enterprises, ESET's Abrams adds.

Smaller companies, on the other hand, have fewer employees. Typically, this means they can do a better job of securing their networks from insider attacks, adds Tru Mark's Roedell. But while insider risk might be greater for large enterprises, third parties might pose a greater challenge for SMEs. Large enterprises frequently are investing in network access control (NAC) solutions, which let them scan a computer before it connects so that out-of-policy endpoints do not gain access to the company's network. SMEs are not likely to invest in these technologies because they still are relatively new, says Gartner's Hils.
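The NAC posture check described above, as an added example written for this piece and not code from any vendor's product or from the article: an endpoint agent reports a handful of attributes, a policy states what is acceptable, and anything that fails a check or cannot be verified is sent to quarantine rather than admitted. The policy thresholds, attribute names and sample endpoints are constructed assumptions for the illustration.

```python
"""Illustrative NAC posture evaluation (added example, not a vendor product).

Policy thresholds, attribute names and sample endpoints below are assumptions
constructed for this illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple

# Assumed policy: what an endpoint must report before it is admitted.
POLICY = {
    "max_av_signature_age_days": 3,
    "min_patch_level": 20090301,   # assumed date-stamped patch baseline (YYYYMMDD)
    "require_firewall": True,
    "require_disk_encryption": True,
}


@dataclass
class Endpoint:
    host: str
    attrs: Dict[str, object] = field(default_factory=dict)


def evaluate(ep: Endpoint, today: date, policy: dict = POLICY) -> Tuple[str, List[str]]:
    """Return ("admit" | "quarantine", list of failed checks).

    Missing attributes count as failures: an endpoint that cannot attest its
    state is treated as out of policy (fail closed), which is the point of NAC.
    """
    failures: List[str] = []
    a = ep.attrs

    sig_date = a.get("av_signature_date")
    if sig_date is None:
        failures.append("no anti-virus signature date reported")
    else:
        age = (today - sig_date).days
        if age > policy["max_av_signature_age_days"]:
            failures.append(f"anti-virus signatures {age} days old")

    patch = a.get("patch_level")
    if patch is None or patch < policy["min_patch_level"]:
        failures.append(f"patch level {patch} below required {policy['min_patch_level']}")

    if policy["require_firewall"] and not a.get("firewall_enabled", False):
        failures.append("host firewall disabled or not reported")

    if policy["require_disk_encryption"] and not a.get("disk_encrypted", False):
        failures.append("disk encryption disabled or not reported")

    return ("admit" if not failures else "quarantine", failures)


# Constructed sample endpoints, as an agent might report them.
SAMPLE_ENDPOINTS = [
    Endpoint("laptop-01", {"av_signature_date": date(2009, 3, 31), "patch_level": 20090315,
                           "firewall_enabled": True, "disk_encrypted": True}),
    Endpoint("laptop-02", {"av_signature_date": date(2009, 3, 20), "patch_level": 20090315,
                           "firewall_enabled": True, "disk_encrypted": True}),
    Endpoint("contractor-pc", {}),   # third-party machine with no agent at all
    Endpoint("desktop-07", {"av_signature_date": date(2009, 4, 1), "patch_level": 20090101,
                            "firewall_enabled": False, "disk_encrypted": True}),
]


def run_checks(today: date = date(2009, 4, 1)) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every sample endpoint against POLICY as of `today`."""
    return {ep.host: evaluate(ep, today) for ep in SAMPLE_ENDPOINTS}


if __name__ == "__main__":
    for host, (decision, reasons) in run_checks().items():
        print(f"{host:14s} {decision:10s} {'; '.join(reasons)}")
```

The contractor machine is the case the article has in mind: with no agent data at all it fails every check and lands in quarantine, which is where a remediation network or a guest VLAN would normally take over.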

Also, SMEs may have open-use policies, while large corporations typically have sophisticated access control systems in place. Because SMEs might not have the resources to implement a tightly controlled security strategy, this could leave them at greater risk of infection by web-borne malware, says Jason Leung, senior product line manager for SME security at networking solution vendor Netgear.

A threat for all

According to ESET's Abrams, user education is being neglected in both large and small organizations. Specifically, he says, employees need to be educated about how to identify and counter social engineering attacks.

Threats such as phishing emails might have a more severe impact on SMEs, says Netgear's Leung. Enterprises generally have more sophisticated technology and more end-user education to counter these attacks, while SMEs often are remiss here.

Getting end-user awareness programs implemented in companies of all sizes remains the most pressing obstacle to strengthening security programs, says Abrams. “The biggest challenge is overcoming the hurdle of backward thinking that employees don't need education.”


Satisfaction: What can your ISP do?

In addition to having greater outsourcing options available, Gene Fredriksen, global information security officer at Tyco International, says he is noticing a change in the industry that benefits SMEs: internet service providers (ISPs) seem to be increasingly partnering with security vendors to offer SMEs the standard security products needed to protect their environments. It is a natural evolution, and ISPs are likely seeing that if they offer security services on top of network connectivity, customer satisfaction grows, Fredriksen says.

Mark Grosso, manager of small business value-added services for Verizon, says that the company partnered with a security vendor three to four years back to create a “security suite” tailored for SMEs that incorporates firewall, spam protection and AV software.

“Internally, there is a strong recognition that if you're going to provide the network, you should provide the resources to secure the network,” Grosso says. – AM
