The question of whether or not small to midsized businesses (SMBs) need to worry about security is one with no quick and easy answer. While they may not make for big targets like larger organizations, cybercriminals know that SMBs’ defenses are likely to be relatively minimal. An attack may have much more disastrous effect on an SMB.
The Computing Technology Industry Association’s (CompTIA) recently released fifth-annual Convergent Technologies Research study, subtitled “Discovering Trends and Opportunities in the U.S. and Canada SMB Markets,” sheds light on this subject. According to the study, more than 75 percent of both U.S. and Canadian SMBs have not had any major network attack or security breach in the last 12 months, but those that suffered a security attack experienced a significant to moderate impact on downtime because of delays. Typically, these attacks happen every month or bimonthly in the United States and three to six times a year in Canada.
“SMBs that are vulnerable to attacks face significant security risks,” said John Venator, CompTIA president and chief executive officer. “The impact of such attacks is considered significant or catastrophic. These businesses may not have sufficient resources to understand or implement best practices. That’s the role that the technology solution provider can fill, both through the use of new technology and in educating the customer on actions that can be taken to protect their businesses.”
Electronic communications research firm MessageLabs is taking action on that front, going so far as to launch a Small Business Security Clinic earlier this year. Its first initiative was a contest to win a free “security makeover.”
Through a questionnaire on its Web site, the research firm found six of the most IT security-challenged small businesses in the United States and United Kingdom. These companies will receive MessageLabs’ e-mail and Web security services free for one year.
The point of the contest was to raise awareness among small businesses of the security issues they face and how these differ from large companies’. According to MessageLabs, small to midsized businesses receive more than double the volume of spam per user each month than what’s received by large enterprises.
“We’re trying to make [small businesses] aware of and understand threats to their businesses, what those are and how they could potentially manifest themselves and really focus on the key risks and eliminate them as much as possible,” said Paul Wood, MessageLabs senior analyst. “Small businesses tend to try and take the problem in hand themselves and end up with a mixture of different solutions that don’t necessarily integrate very well, and they become difficult to manage and maintain going forward. It also puts a particular dependence on IT staff within the organization, so that when they leave, you’re left with a difficult problem in replacing them.”
Spammers don’t discriminate in the size of the organization they target. In many cases, they programmatically create spam, targeting a particular domain name and generating e-mail addresses by using a combination of, for example, first names and last names.
Spammers can generate hundreds of thousands of messages sent to a particular domain. Almost all of them fail because the randomly generated e-mail addresses don’t exist, but the mail server has to process all these connections, missed or otherwise.
“Even if you have anti-spam software in place, it doesn’t help you in that situation because you’re still being deluged with a huge volume of these messages,” Wood said. “From a small-business perspective, that number of connections being processed by the mail server can result in a catastrophic failure. Even if it doesn’t cause problems on that scale, at some point, the IT people will be looking at improving the scalability of their servers and wonder why this server doesn’t cope with the small amount of mail they receive. They’ll be looking at things like bandwidth or memory or disk capacity without really understanding what’s causing the problem in the first place.”
Further, smaller organizations often don’t perceive themselves to be at a higher level of risk than larger organizations, which in many cases, have been forced by information security regulations to assess and manage their level of risk.
A smaller organization sometimes indirectly arrives at such risk assessment when it supplies a larger organization, which enforces its level of risk management on the smaller company.
“In a large organization, you tend to find that it has more resources dedicated to an in-depth approach to filtering out e-mails,” said Wood, who added that managing problems such as spam and unwanted e-mail can become a full-time job. “You have to be on top of the latest trends and threats and be able to update your mail server very rapidly. That’s not realistic for a small company. It’s difficult for a large company to try and coordinate that, and they have more resources focused on that.”