Last week, I had the opportunity to join Dell’s 1-5-10 security panel discussion. This was the first in a series of small group events hosted by Dell to consider security trends and implications over the next one, five and ten years. Session attendees included Dell security experts, customers, partners, press and analysts. We discussed what small and medium businesses (SMBs) should be thinking about as they prepare for the future, and what vendors need to do to help them more easily secure their businesses.
Verna Grace Chao, director, Dell global security solutions, kicked off the session by asking us for our favorite security terms. The sheer magnitude of cyber-security issues and risks quickly bubbled up as people reeled off terms such as honeypot, snort, worms, hijack, Trojan, trampoline, phishing and ransomwear and more. I couldn’t help but think how difficult it is for business decision-makers to understand what all these terms mean, let alone stay ahead of threats and safeguard corporate information.
Of course, this challenge is even more daunting for small and medium businesses (SMBs) that lack internal expertise in this area. SMB Group research indicates that on average, only 19% of businesses with less than 100 employees have full-time, dedicated IT staff, and 27% have “no IT support” at all. Meanwhile, although 86% of medium businesses have dedicated IT staff, these resources are likely to be IT generalists, not security experts. As Michael Gray, Director, Thrive Networks, an IT solutions provider owned by Staples said, “there aren’t chief security officers in SMB.” So, despite mounting security risks and their increased reliance on the Internet and technology to run their businesses, many SMBs are under-prepared to deal with today’s threats, let alone those that the Internet of things (IoT) will usher in tomorrow.
Security Steps To Take Today
For many SMBs, the first step is to become more security aware. The Internet, mobile, cloud, social and other technologies provide many great business benefits. But they also open the door to more vulnerabilities. Too often, digital convenience trumps security, and SMBs choose not to see themselves as potential cyber-targets. Even worse, ITIC survey data shows 35% of firms don’t know if or when BYOD mobile devices have been hacked! Obviously, if you don’t know you have a problem, you can’t fix it.
According to ITIC, hacking is the #1 type of breach, representing more than 25% of all breaches recorded in 2013. Sub-contractor (14%), mobile (13%), insider malfeasance (12%) and employee error (9%) followed. In all, these breached exposed a whopping 91,978,932 records.
Without strong security measures in place, many SMBs are easy targets for hackers. And, because SMBs are often digitally connected to larger business partners, they are increasingly attractive targets. Hackers can potentially not only gain entrée to the SMB’s data, but also gain access to data of the SMB’s bigger partners.
Panelists agreed that if you haven’t yet done so, now is the time to conduct a security audit to determine what potential vulnerabilities pose the biggest financial and brand threats to the business. A solid plan incorporates both measures to prevent breaches from occurring in the first place, and those to detect, prevent and respond to incidents when they do occur.
Business owners and stakeholders need to take a more active role in this process, as Brett Hansen, executive director, Dell Client Solutions Software, explained. The security discussion needs to move from being a tech-only discussion to one where business stakeholders help identify, quantify and prioritize critical business vulnerabilities.
Since SMBs often lack the internal resources required to plan and implement the right level of security, they are increasingly turning to managed service providers (MSPs) for security expertise. A good MSP can help you get a better handle on what vulnerabilities could trigger disruptions, what the impact would be on the business, and develop a risk management plan that aligns with your business requirements and budgets. MSPs can help make security a solvable challenge instead of mind-boggling, unsolvable one. While you can’t eliminate every risk, you can close off the biggest vulnerabilities for your business—and gain peace of mind. Some of the basic measures to take include data encryption; data containerization for BYOD devices (meaning that personal and corporate data are securely separated); and securing the perimeter from unauthorized access.
Trends such as wearables, smart homes and smart cars are exciting and offer many benefits to businesses. But, they will also unleash new security vulnerabilities, especially as more devices and information become interconnected. Jon Ramsey, Dell fellow and CTO, Dell SecureWorks, commented that as cyber and physical domains continue to merge, the risk equation also changes substantially, and will require an expansion of single sign-on to help safeguard all aspects of our digital lives. Participants agreed that these trends will require a shift in the security mindset. Some of the changes forecast include that security solutions will:
- Move beyond protecting data where it resides, to protecting data dynamically, wherever it goes.
- Proactively account for the “human factor.” As security issues increase and become more diverse and complex, they need to become more contextual to make it easier for us humans to do the right thing. Biometrics, from eyeball to touch to even genome identification were mentioned as possibilities in this area. As Patrick Sweeney, executive director, Dell SonicWALL mentioned, security solutions should act more like more like an airbag than a seatbelt.
- Become more adaptive, with capabilities to generate new defenses proactively as new threats emerge. According to Ramsey, “Every threat starts out as an unknown threat, we need to expose it and make it known to defend against it.” Risk analysis risk analysis engines will need to look further beyond individual events to act more proactively to accomplish this.
The good news is that in the future, security solutions are likely to be more adaptive, less dependent on humans to make them work, and more capable of proactively eliminating threats. However, far too many SMBs are falling short even when it comes to many security basics—such as encryption, containerization and perimeter security—leaving them far too susceptible to negative business consequences.
Cyber-security threats may seem endless, insurmountable and even unlikely to many SMB decision-makers. But this session underscored that while we can never eliminate all possible breaches, SMBs should be seeking out the solutions and expertise they need now to get the basics in place for today and to help them prepare for tomorrow.