Security

Infrastructure yes, policy no

Viruses and spam continue to haunt small businesses, but most of them do not have a full-fledged security policy in place even though they do have a proper security infrastructure, says Abhinav Singh

Computer viruses continue to haunt small businesses, and are a major security risk and a cause of concern for them. Of 180 respondents, 86 percent say that viruses are the biggest threat they face. Spam is the second biggest risk as 48 percent of the respondents are affected by it. Spam hits the services and education segments the most. Says Rameshwar Naik, chief manager, EDP, Breach Candy Hospital, Mumbai, “Although we have anti-virus solutions in place, there is always the fear of the unknown virus as one does not know when it can strike. There are new types of viruses [being created] which can strike the network despite having best AV solutions in place.”

The view is shared by M Balasubramanian, Senior Manager, ICT, Saipem India Project Services. “Once an unknown virus hits you it becomes a very laborious task to deal with the destruction it causes. Although we have AV solutions in place, there are always multiple sources through which a virus can enter our network and cause havoc.”

Another interesting opinion on virus threats as a major concern for small businesses was given by Rajesh Kannan, System Co-ordinator, Richmond Hotel, Bangalore. “The majority of small businesses are using pirated software which makes them vulnerable to a virus attack. Because small businesses do not update their systems with the latest patches, it makes them more vulnerable. On the other hand, licenced software comes with a price which many small businesses cannot afford.”

Spam is another area of concern. As Naik notes, “Spam attachments are sometimes very heavy, so it is difficult to identify if they are carrying a virus payload.” Many small companies feel that spam also affects the productivity of their employees. Comments Balasubramanian: “One tends to waste a lot of time deleting spam, and then accidentally many attachments are opened which pose a serious threat to the network in case they are carrying a virus payload.”

"Small companies that do not have a policy to curb spam will eventually see their profitability and productivity being affected" - Niraj Kaushik Country Manager Trend Micro, India & SAARC

Many vendors like Trend Micro also feel that spam is a serious threat for small businesses. Warns Niraj Kaushik, the company’s Country Manager for India and SAARC, “Small companies that do not have a policy to curb spam will eventually see their profitability and productivity being affected. The problem is compounded by the fact that some small companies still use old mail servers that allow themselves to be used as relays. That is, they allow spammers to relay mails without the sender’s IP address being stamped in the headers. Spam can also be a host for viruses or spyware. A rising percentage of spam carries malicious software in it.”

Threats from viruses and spam will continue to haunt small businesses as they begin accessing new devices. Unmesh Deshmukh, Country Sales Manager, Enterprise Security, Symantec India adds a note of caution. “Along with the increasing reliance on the Internet and e-mail, today’s small businesses are embracing wireless mobility, instant messaging, and business-to-business applications. Every new technology or device presents a new entry into the infrastructure, and could also be taken advantage of by an attacker.”

No security policy

More than half the respondents—about 61 percent—do not have a security policy in place. Those companies that do have a security policy are largely in the BFSI and the chemical segments. Small companies have small networks, which can be managed efficiently by the internal IT teams of these organisations. As Kannan of Richmond Hotel puts it, “We have just 25-30 systems, and do not need to define a definite security policy to manage them. In fact, going in for a full-fledged security and audit policy will require us to go in for extra expenditure which a small organisation like ours does not require.” There is also the perception that going in for a full-fledged security policy and taking the help of consultants to frame the policy would be entail extra expenditure. Balasubramanian gives the logic: “In case we involve an external consultant to define a security policy for us, they will ask us to also have a disaster recovery and business continuity plan in place, for which we are not yet prepared.”

According to Rajendra Dhavale, Consulting Director, CA India and SAARC, “Security policies are the vertebrae that secure an organisation. From a small organisation’s perspective, lack of awareness of the need to have a security policy could be a possible reason why they do not have one in place.”

CEOs makes the decisions

The CEO calls the shots on the security policy because the IT team in small businesses is small in size—sometimes only a one-man-show in the form of a systems manager or a systems engineer—so the power to frame a security policy rests with the CEO. Kaushik agrees. “Small business structures are not evolved enough to have a CIO in place, hence it is the CEO who formulates the security policy in most of these organisations.” But for some small entities, the formulation of a security policy is a must, as in the case of Breach Candy Hospital in Mumbai which believes in a security policy because it has vital patient records that need to be maintained.

What is being secured?

Within the security policy, the prime concern is securing data; among the 71 respondents who had a security policy, 93 percent felt that they need to secure their data. Concern about unauthorised employee access came second. For most, a review of the security policy took place every six months.

"An employee might use a virus-infected USB drive, connect it to the office network, and spread a virus" - Ranajoy Punja Vice-President, Marketing Cisco Systems, India & SAARC

Many small businesses are now also part of a larger supply chain cycle, and transact with other dealers and large manufacturers. Ranajoy Punja, Vice-president, Marketing, Cisco Systems, India and SAARC says, “There are many companies in the small business segment which are serving multiple customers. Securing data for them is of utmost importance to survive in the business.” Data security holds relatively greater importance for these companies than for larger companies. Punja adds, “Many attacks can be internal and unintentional. For instance, an employee might use a virus-infected USB drive, connect it to the office network, and spread a virus to the office network.”

Dhavale makes the point that “in today’s organisational environment, all the information about various aspects of business is on IT systems. There are three aspects to this information—confidentiality, integrity and availability. Data availability is usually managed using back-up software and business continuity planning. However, when it comes to the confidentiality and integrity aspects of data, small organisations lack the technical expertise and awareness of various products that would enable them to achieve data security.”

Tools to tackle security issues

Most respondents have an anti-virus (AV) solution, which is seen across verticals, but manufacturing, FMCG, healthcare and the services sector will be spending more on such solutions. A majority of them have deployed a firewall, of which FMCG and services will be further investing in firewalls in the near future.

It has been noted that every industry vertical invests in a solution based on its needs and/or future plans. The FMCG, healthcare and services sector will be required to ensure that IT systems are available all the time with the least possible data unavailability due to viruses and worms. There could also be regulations, as in the case of the healthcare industry; organisations, including small firms, which cater to overseas clients, may have to comply with HIPAA.

Similarly, manufacturing and FMCG would have distributed retail and dealer networks for which they would have to enable access to internal applications. This could be achieved over a WAN; however, in order to reduce the investment, VPN may be used to provide access to dealers and retailers.

Certain solutions like intrusion detection systems (IDS) and access control devices (ACDs) would still be common irrespective of the industry segment. Here’s what Balasubramanian has to say about it: “We are planning for an IDS because we want to know what is happening in our network. It will help us prevent unwanted intrusions as we would be alerted in case of some unusual activity in the network. IDS will be vital for us as we work on sensitive pull projects where the integrity and security of our network is of utmost importance.”

It has been observed that even small businesses need to keep updating their security infrastructure to get new business and fight phishing, spyware and increasingly sophisticated virus attacks. Since blended threats require a more robust defence layer, the trend of using multi-layered AV protection will continue to drive small business market growth. But AV solutions have to be complemented with IDS, firewall protection, and policy management. A spate of virus attacks has prompted the need to offer proactive solutions other than just signature-based ones to effectively deal with unknown threats.

Observes Punja, “Small businesses are still in the early stages of their security infrastructure, which means that they have AV and anti-spam solutions. Once they realise that their basic infrastructure is in place, they will start going in for high-end IT security solutions and complement their existing security systems.”

ACD adoption low

With regard to ACDs, out of the 180 companies surveyed only 7 percent had one in place. The incidence of ACDs was high in the services segment (healthcare, logistics, hospitality) because of the critical data and the sensitive areas they want to keep under wraps from intruders. Overall, though the penetration of security devices is very low among small enterprises, the penetration of AV products is relatively higher than other devices such as anti-spam, firewall and IDS.

The priorities of small businesses are changing these days. They are more technology-savvy and are adopting IT security with greater confidence. The survey states that small businesses have a sizeable form of security infrastructure in place, which can be confirmed by the fact that a majority of them have anti-virus, anti-spam and firewall solutions. Many of them have plans to further invest in a security solution, and some verticals (like services) are also contemplating the use of ACDs.

Small businesses that already have a security policy in place have data security and unauthorised employee access as the major areas to be covered by the security policy formulation. This just shows the signs of maturity exuded by some of the small businesses while dealing with their security infrastructure.

It is possible that the momentum of investment by small businesses to enhance their security infrastructure will continue in the coming year too. This is good news for vendors who are busy designing their strategies to target the small business.