Published: 10 Jan 2009
YOU'D HAVE A TOUGH TIME finding the small or medium-sized business that doesn't rely on technology to help it both thrive in good times, and better weather the bad times. And with technologies such as Web 2.0, cloud computing and virtualization emerging, there's an evolution under way that could enable SMBs to compete- to get more done with less, raise productivity, and protect or increase profits.
"Maintaining an up-to-date IT platform is essential for the competitive success of almost every business, and it can serve as an equalizer for small and medium-sized businesses as IT increasingly fuels everything from back-office operations to customer sales and service," says Chaim Lowenstein, CIO at solutions provider Web Commerce LLC.
Jim Peterson, technology coordinator at Goodnight Memorial Library in Franklin, Ky., agrees, and adds that forging relationships with other senior managers and executives can be key to raising security's profile within the company. "Most small businesses have budget constraints. While the case for security is easy to make, many small-business managers will balk at the price of appliances, servers, software and services," Peterson says.
Fortunately, there are signs that this type of attitude is starting to change.
A CDW Small Business Driver's Seat Report published in April found data security to be the most pressing interest of SMB executives-coming in as a higher priority than wireless technologies, business intelligence, and even e-commerce and marketing.
The survey also found that 47 percent plan to have a formal business continuity/disaster recovery (BC/DR) plan in place within three years. And of those without a dedicated IT worker, 33 percent will create that position in the next three years.
THE RELATIONSHIP EDGE
That data is welcome news for anyone charged with securing SMB systems.Most SMB managers say getting the ear of management is the key to increasing the security budget, and that starts with forging solid relationships with business unit leaders.
"Relationships with other business units are very important. Those units, if not part of the entire security plan, can undermine any efforts that get put into place. Security is a company effort, and managing the different aspects of security requires that all business units participate and support the security plan," says Tom Schill, VP of operations at mobile search firm Medio Systems.
Having all aspects of a business carry their weight (or at least not fighting security expenditures) is ideal. But it's not always easy getting there. Most security managers at smaller firms say they try to tackle major security projects one at a time. This may involve first securing the network perimeter, getting BC/DR plans in place, then maybe focusing on Web applications, rather than trying to do too much, too fast.
"I work with each department to build working relationships surrounding the core of security, and communicate how the security measures are woven into the work efforts of each department. I avoid plans that make security a new project, or that involve more time from departmental personnel," says Schill.
Thus, if a new network segment is going to be built, try to weave the security of that network into the early phases of the budget. The same applies with new wireless networks, Web applications and other initiatives. Most SMB security managers agree that they have a better chance of success that way, rather than trying to get funding after the project already is fully planned and in deployment.
Yet properly managing and securing those applications and their underlying infrastructure isn't easy for the typical SMB. SMBs must operate with tighter budget constraints and fewer staff than their big enterprise competitors. This makes it all the more important for security officers in these businesses to work with managers across the organization.
When it comes to securing their systems, smaller businesses probably won't have a single manager dedicated to shoring up networks and applications, while it's common for big business to have dedicated CISOs, as well as teams of network and application security specialists. Unfortunately, SMBs often are focused on delivering their products and services, or believe they're too small to be targeted by criminals.
"Many SMBs focus on product delivery and have little interest in putting security controls in place. In some instances, they believe they're too small to be affected by a security problem," says Schill.
In fact, less than one-third of the CDW survey respondents have completed formal BC/DR plans, and only 29 percent employ at least one full-time IT professional. Skimping on relatively small expenses for proper IT management, BC/DR and information security is a risky way to run any business. But smaller businesses in particular cannot afford a single breach or a disaster such as a fire or flood that wipes out the physical offices and data. For the unprepared, any of these events can strike a devastating blow.
SECURITY MEANS BUSINESS
A new twist on the attitudes toward data security is starting to emerge. Consumers, business customers and partners increasingly care about how well their data is being protected by those with whom they're doing business. In March 2007, a survey by Javelin Strategy & Research revealed a correlation between a consumer's perceptions of a retailer's reputation for protecting credit card information and their willingness to shop with that retailer. A staggering 78 percent of respondents said they'd be unlikely to shop at a retailer following a breach of customers' data.
Despite the risks, many small businesses still are hesitant to invest much into their IT security efforts.
"Security concerns are the same for them as they are in larger companies. But putting in the proper security controls, software and processes is difficult if you're working at a business that won't provide the budget," says Schill.
While it's questionable whether regulatory compliance, for the sake of compliance, actually does much to improve security, there's no doubt that laws such as HIPAA are starting to have an impact on how SMBs must approach security. This is true whether the SMB is regulated directly or not.
And while all companies that process credit card data need to comply with the Payment Card Industry Data Security Standard, many SMBs either outsource the process or don't accept credit card payments at all. However, many SMBs are increasingly finding that their large business partners and customers are asking for verification that proper security controls and BC/DR plans are in place.
Meanwhile, Schill advises that SMB security managers be careful not to push tight security for security's sake: "You have to be personal with [management]. Ask them their needs and feel out their opinions. The more you seem interested in protecting their interests, the more likely they are to help you with yours."