It's not a pretty picture but there are some easy enough solutions...
By Quocirca
Published: 28 January 2005 07:00 GMT
Smaller companies aren't Luddites. But they could do a better job of safeguarding their data and IT assets. Quocirca's Bob Tarzey explains what steps SMBs should take.
Small and mid-sized businesses (SMBs) are as reliant on IT as large enterprises. Their ability to function would be seriously compromised by a major IT failure. Why then are they failing to protect their IT infrastructure and the valuable data and information stored within?
A recent Quocirca report shows that in SMBs of all sizes, PC penetration rates are high and less than three per cent are not connected to the internet. Ninety per cent of mid-sized businesses (50 to 300 employees) have servers and internal networks and this only falls to 70 per cent for small businesses (fewer than 50 employees). Forty per cent of mid-sized businesses are using advanced network-based storage options.
Before I go on, you'll notice I'm using the term 'SMB' as opposed to the also popular 'SME' (small and mid-sized enterprises) which silicon.com normally uses. This is because when we asked our survey respondents what terms they felt applied to themselves, less than five per cent considered 'enterprise' to be relevant.
SMBs are certainly not Luddites. But for many of them their IT infrastructure is at risk. Generally speaking this is not due to blatant bad practice. Most SMBs do the basic stuff like backing up their servers and firewalling their main internet connection. It is the tricky stuff they are failing to do which is leaving them exposed.
They might be backing up their servers but over half have not checked their ability to recover from back-ups in the last year. They might have firewalls but over half have also not reviewed their security for over 12 months. And it gets worse.
The most common point of failure within SMBs is employees' personal computers. Be they desktop or notebook devices, they are a huge area of risk. Less than 50 per cent of respondents were certain they had a back-up routine for PCs and if they did, for the majority it was only carried out once a week or less. Around half were not even sure if they had basic PC security such as antivirus software installed.
Few had automated patch management software, leaving servers and PCs alike exposed to viruses and worms. Microsoft software is pervasive on SMB desktops and widely used on servers along with Unix, Linux and other operating systems such as IBM's OS/400.
If we take a closer look at the deployment of software, we start to understand some of the problems SMBs face in protecting their systems. Windows might be the most widely used server operating system but most are using old versions of it. There are more SMBs using Unix, for instance, than the latest version of Windows Server 2003.
The same will be true of the desktop. Few will be using Windows XP and many of those that are will not have got around to installing the latest security features available in Service Pack 2.
For many, this use of old software is something they neither can nor want to change - 'if it ain't broke don't fix it' is their motto. Many are reluctant to make changes to working systems just because a vendor wants them to. This can be disruptive and expensive.
It is not just the cost of the software upgrades themselves. Upgrading PCs to Windows XP often requires additional memory to be installed on systems or new hardware altogether. This does not mean all SMBs are cash-strapped, just that if their IT systems work they have better things to spend their money on.
But cost and inconvenience are only part of the story. The biggest barrier to cross, in order to get SMBs to better protect their IT and data assets, is lack of resources. One in three mid-sized businesses and 90 per cent of small businesses do not have an IT manager. Even when they do it is often only a part-time job.
So is there anything SMBs can do to prevent system failure and the consequent disruption to their businesses? Sure. There are some basic steps that do not require infrastructure change or software upgrades, and once these steps have been taken relatively little maintenance is needed.
Basic security software can be installed on all PCs and set to update itself; this will help prevent operational failure of PCs. But hardware malfunctions will still occur on occasion and, of course, computer equipment is often the target of thieves, especially when it is being carried around. So, PCs need to be backed up on a far more regular basis than is currently the case.
Again this is not hard. PC back-up routines can be scheduled to run at quiet times and even from remote locations over the internet. Good back-up software will only look for changes so this need not mean moving huge volumes of data. PC back-ups can be aggregated on a central server or networked storage device if a dedicated server is not available. The regular back-ups of central storage that most SMBs already do will then include all data stored on PCs as well.
These are fairly easy actions to take - and the problems that can arise from ignoring these issues are likely to cause significant disruption and expense for any business whatever its size.
You can read about other steps SMBs could be taking to secure IT infrastructure in the Quocirca report, Protecting the IT and Data Assets of Small and Medium Sized Companies, which is free to silicon.com readers at Quocirca's website.
Copyright © 2008 CBS Interactive Limited. All rights reserved.