
SME networks dangerously exposed

Johannesburg, 19 Mar 2009

SMEs are inclined to downplay or ignore network security threats, but they are actually exposed to the same level of threat as large companies. Hennie Moolman, Managing Director of network security expert, AfricaSD, exposes the illusions SMEs frequently hide behind and examines what they need to be doing to secure their futures.

SMEs tend to embrace IT because of its ability to 'level the playing field' and help them compete with larger competitors. Smaller organisations also tend to rely on the cost efficiencies available through transacting and marketing online even more than their bigger cousins. There are dangers associated with these competitive advantages, however, that many SMEs either downplay or ignore.

In reality, SMEs have to strike a tricky balance as they seek to take advantage of the global reach and considerable efficiencies of the Internet and conduct increasing amounts of business online. They have to open themselves and their networks up to achieve this, but need to make sure they remain secure while doing so.

The SMEs that downplay the risks usually believe that a firewall and anti-virus is enough to secure their infrastructure and sensitive customer data, but the latest research on cyber-crime suggests that IT security for SMEs is more than just preventing viruses and blocking spam.

Those that ignore the risks habitually argue that they are so small they are not worth targeting and that hackers focus on larger organisations. This is simply not true. As any IT security expert will confirm, it is not a question of turnover, assets or numbers of staff, but a company's reliance on IT that determines its potential exposure.

In actual fact, SMEs are typically exposed to the same level of threat as larger organisations, and can be hit especially hard when they experience a loss - either of productivity or sensitive client data - because they don't have the personnel or resources to tackle the issue adequately.

Common vulnerabilities

SMEs face the same wide variety of potential security threats as every other organisation, but, as mentioned previously, the main difference is the absence of personnel dedicated to tackling these threats. As a result, SME networks tend to be less regulated, allowing employees to surf irresponsibly and their machines to become infected, or letting them steal confidential data with ease and with little chance of the theft being traced.

Another common vulnerability is the use of unsecured networks, particularly if employees take their laptops or smartphones home with them. A large amount of the SME data compromised every year is lost when such devices connect to an unsecured external network.

Moreover, the lack of dedicated personnel often means that SMEs struggle to ensure security is maintained at appropriate levels. The latest application updates and system patches might not be installed and even factory default logins and other settings might not be changed, leaving the organisation open to the many automated, opportunist malicious programs roaming the Internet.

What should SMEs do?

The first step, of course, is to stop downplaying or ignoring these threats and to acknowledge them. This means ensuring appropriate security policies and disaster recovery plans are in place. The second step is to determine how exposed the organisation is by conducting a vulnerability assessment.

An appropriate, enforced policy is the foundation of an organisation's network security. It needs to clarify what constitutes acceptable activity on company devices and across the company network. It also needs to specify the correct procedures that apply to different situations. As well as being visibly backed by senior management, the policy must also be accepted and understood by all members of staff. A practical way of doing this is to require staff to confirm they have reviewed the policy by signing to that effect. Lastly, a policy is only as effective as its enforcement, so aim to automate this as much as possible and make sure contraventions are visibly penalised.

The most effective way of determining your organisation's exposure is to ask a network security vendor or consultant to perform a vulnerability assessment. There are several ways of doing this - ranging from basic vulnerability scans to more complex penetration tests - and the security consultant will be able to advise which is best suited to your organisation's specific needs.

Any assessment needs to accurately establish what systems are at risk and to what extent. It needs to include everything from the network itself (routers, gateway etc) to all servers, workstations and client data repositories within it. It is also important to remember that an assessment is not a once-off event, but needs to be performed regularly to ensure the organisation remains protected as it grows. So make sure the security consultant benchmarks the first set of metrics and then tests and reports against those at regular intervals.

Make assessing a habit

SMEs need to learn from their bigger cousins and start accepting that network security is a cost of doing business and that, although every business is different, most of the threats businesses face are the same. They also need to accept that network security is a constantly moving target and that the only way to secure their future is to cultivate the habit of assessing their vulnerability regularly.


Africa SD

Operating throughout the sub-Saharan region, AfricaSD provides organisations with a comprehensive network security service that includes security investigations, audits and threat analyses, as well as configurations and deployments.

AfricaSD supplies and supports a comprehensive range of market-leading products, covering every aspect of network security from anti-virus, authentication, content filtering, encryption, biometrics, firewalls and intrusion detection/prevention to unified threat management and wireless and mobile security.

AfricaSD also offers customers and reseller partners 24x7x365 support on all of its network security solutions. As one of the country's foremost security training and certification centres, the company's technical staff are all fully certified and trained on the entire product range and offer a convenient combination of one-to-one help and a wealth of technological resources.

AfricaSD offers its partners the very best products, training, support, leads and free product certifications. It is committed to keeping partners empowered and up-to-date with the latest relevant information and practices, by making available, on an ongoing basis, a network of local and international third-party specialists and leaders.

For further information, visit the company's Web site, http://www.africasd.com or contact AfricaSD directly on +27(0)86-111-1737 or +27(0)12-665-2513.
