Who’s protecting small and medium businesses?

July 12, 2016

It’s almost beyond belief, but the majority of information threats to small and medium companies come about because businesses are declining to protect themselves. The reasons are twofold: Small business owners tend to misjudge the actual danger of cyberattacks, and they also typically believe that they can’t afford an information security system. Both assessments are wrong.

At first glance, their judgments seem reasonable: Criminals aim at big financial clusters (a bank is an ideal target), and having your own information security department is costly. And a system administrator can use antivirus software to handle the occasional minor threat. But the statistics are undeniable: Over time more incidents occur, losses grow, and the SMB sector continues to draw more attention from hackers.

The small and medium business (SMB) designation can be vague. Laws determine what a “small” company is and what a “medium-size” company is, so the definitions are different depending on the country. However, in most cases, businesses of either size have enough funds in their bank accounts to attract cybercriminals.

Last year, eight out of ten small companies around the world experienced at least one information security incident, and 23% confirmed they were attacked every week. The average damage caused by one SMB incident amounted to $38,000. This estimate comprises the cost of hiring experts to address the consequences and wasted business opportunities, as well as lost revenue and other direct losses from downtime. Half of the incidents cost companies $50,000 or more.

Attackers are interested in the personal data of customers, intellectual property, and — of course — money. In addition, more small companies become entry points into the production chain, and from there, cybercriminals can attack large corporations (which are better protected). In 2015, every sixth attack came via an external business partner or supplier.

There are 65 million small companies in the world, making up about one-third of global business. And 78% of those small businesses do not employ their own information security specialists. That does not mean they are not protected at all. However, in most cases, their chosen information security strategy is, to put it mildly, not optimal.

According to a survey by B2B International, two-thirds of SMBs use enterprise-class security solutions, which are both extremely expensive and hard to handle (the limited IT personnel of small companies are simply unable to implement them effectively in many cases). Another 12% of small and medium-size businesses, on the other hand, prefer free security products meant for end users. Only one in five companies in the SMB segment uses specialized solutions. But even in that group, far from every company should consider itself thoroughly protected.

A sophisticated information security system, even one designed for a small company, should have several levels of protection, and it should be easy to control. And it surely has to be inexpensive. The assistance of a managed service provider (MSP) looks like the best solution in this case.

But many MSPs do not offer IT security among their services. We believe MSPs are massively mistaken to neglect the IT security space. On the one hand, they overlook the benefits they would gain from a promising market segment. On the other hand, they force their customers to solve security issues on their own, and when those customers incur losses, that affects MSPs as well.

MSPs offer another advantage: They buy security solutions wholesale, and so for the customer the software often ends up cheaper. But an MSP should not be viewed simply as a licenser of security software. The service includes outside experts, who are necessary in the absence of in-house specialists (which is the case with most SMBs). And the services often cost less than it would cost to set up a security perimeter of one’s own.

Smart MSPs craft security software proposals for SMBs and offer security systems management services that eliminate the need for in-house information security specialists. Not every service provider is good for small companies, but the most successful MSPs are focused on this segment.

The logical question is, why don’t all MSPs offer IT security services? As we see it, the problem is that the specialized solutions needed have to meet several requirements to be effectively applied by MSPs. Our polls showed that providers are scarcely content with the information security solutions available at present — almost all of them have a few specific deficiencies arising from the products being focused on another market segment.

Demonstrations represent another hurdle. Providers have a tough time selling IT security solutions because it is difficult to show their work to a potential client. After all, if a demonstration requires deploying a pilot project, most SMBs would refuse even to consider such a proposal.

Another complication: MSPs engaged in information security are forced to work with multiple vendors’ solutions developed for different tasks — antivirus protection, patch-management software, backup, mobile device management, and many others. It’s confusing for a specialist serving a number of medium-size customers and can affect efficiency. And yet, market solutions combining all of those tools in a single console are vanishingly rare.

We haven’t even mentioned mobile devices, which are now an important piece of the business puzzle. Generally, security solutions for mobile devices are a completely separate issue. You can’t deploy centralized antivirus on dozens or scores of mobile devices with an end-user antivirus solution, and the mighty enterprise-class solutions are too costly for small companies.

At Kaspersky Lab, we are aware of the shortage of tools specifically developed to meet the needs of MSPs. We constantly improve our security solutions, and Kaspersky Small Office Security will help to solve many problems. On the one hand, the program provides reliable protection for computers and servers, and on the other, it can be administered through a cloud interface.

However, MSPs know best what their real problems are. And we are always ready to listen to them and take their needs into account. If you work for an MSP company and have something to say on this subject, we would be very glad to hear from you. Write to msp@kaspersky.com to let us know what tools you are missing or the ones you use that fall short — or what problems you have that our products currently don’t solve.