SMB Security - The smaller the business - the bigger the security.
With small and medium businesses accounting for 44% of all global IT spend in 2012 (Gartner: Agenda for Small and Midsize Business Go-to-Market Strategy, 2012), equal to $900 billion and estimated to surpass $1 trillion in 2014, everybody wants a piece of the SMB market and security vendors are no different. The prevailing logic is that small businesses need almost the same level of protection as larger Enterprises, but made simpler, since they probably don’t have the dedicated IT staff - let alone security specialists – to manage it. This has resulted in most vendors offering stripped down versions of their Enterprise portfolios with fewer options and less horsepower.
But is this really what SBs need?
A recent survey of over 500 NETASQ UTM customers from around the world, found that over 80% of those companies with less than 100 employees reported the advanced IPS functionality of their firewalls to be essential to their security requirements. This is compared to 83% of companies with 101 to 499 employees and 85% of those with over 500. In fact, for each UTM functionality examined in the survey (IPSec and SSL VPN, Antivirus, Antispam, URL filtering, QoS and dynamic routing), given the options of “not used”, “used but not essential”, “essential” and “don’t know”, the most popular answer among small businesses was “essential”. Furthermore, for URL filtering, and QoS, the proportion of companies reporting usage (essential or not) was higher among small and medium sized businesses than for large. Of course, part of this last result will be due to the fact that large enterprises are more likely to use additional solutions for this functionality rather than relying solely on a multifunction UTM appliance. However, it does not change the fact that small businesses appear to require at least the same level of protection as their larger counterparts, if not more.
Surely Large Enterprises have more complex security requirements?
It is certainly true that larger enterprises tend to have larger, more complex networks, and so from the point of view of managing the correspondingly larger array of security solutions protecting those networks, there is obviously more complexity. But do the security solutions themselves need to be more complex?
Let’s first consider the threats to which different sized companies are exposed. Since most threats today are web-based, all companies connected to the Internet (in other words, all companies) will have the same exposure, regardless of size. However, that is not to say that the risks are necessarily the same. Although the current BYOD trend exists across all sizes of company, there is still far more standardization of both devices and applications within large Enterprise than in small. According to the latest report from Spiceworks: State of SMB IT 2H 2011, “A full third of SMBs surveyed indicated they have deployed one or more tablets on their network, and more than half of SMBs are planning to use tablets in 2012”. The same report also reveals a doubling of both cloud and virtualisation services with 61% using virtualisation and 48% already using cloud services by the second half of last year.
The net result of all this is that the security policies employed by small businesses often need to be more flexible and adaptive than those of larger Enterprise.
The effect of reduced budget, expertise and resources
Clearly SMB budgets are going to be smaller and this has an impact both on capital expenditure as well as the level of human resource which can be dedicated to IT security. So what is the effect of this on IT Security requirements? We’ve already established that SMBs are exposed to the same threats as enterprises, but due to lower levels of standardization, potentially show a larger attack surface and therefore face greater risk. If we now consider the reduced expertise and budget with which to mitigate that risk, a greater burden for protecting the company’s assets must now fall upon the chosen security solution.
With around 95% of firewall intrusions, regardless of company size, due to configuration errors (Gartner ID:G00208704), it seems strange that most products on the market still require mastery of roughly the same archaic command syntax found in the first generation of solutions from 10 to 15 years ago. Consequently simplification of the initial setup and configuration of such devices, for example using wizards and everyday language through an intuitive, web-based interface, should be essential selection criteria, not just for SMBs, but for everybody.
Similarly, our survey finding that advanced Intrusion prevention, which can interpret the increasing diversity of cloud and web-based applications (Application IPS), is considered “essential” by almost as many SMBs as Enterprises, should not come as a surprise.