PETALING JAYA--While small and midsize businesses (SMBs) are now more aware of the need for IT security, they also need to realize that having only basic tools in place is no longer sufficient to battle cyber threats, note industry watchers.
Daphne Chung, senior research manager for IDC Asia Pacific, said the number of SMBs, defined as those with fewer than 500 employees, that use security software grew about 4 percent in 2009 from 2008.
Chung added that as SMBs continue to mature in their adoption of IT, their security needs are also evolving beyond merely blocking spam or preventing virus attacks.
"As attacks become more complex as well as more malicious, SMBs are also finding that they need to seek a broader, more holistic approach to security to ensure their information is safe and secure," she told ZDNet Asia in an e-mail interview.
According to IDC figures, the fastest growing product category was security and vulnerability management, which included software tools that create, monitor and enforce security policies, as well as determine the configuration, structure and attributes for a given device.
SMBs favor suite-based, end-to-end security solutions that provide a good scope of security capabilities at a lower cost, Chung said, noting that because these suites are often easier to deploy and manage, they are suitable for smaller enterprises that have less in-house expertise.
Basic safeguards no longer sufficient
According to Jim Dowling, Asia director of sales at IT security vendor Sophos, SMBs typically do not have the luxury of a dedicated IT team, so security is not given the full attention it deserves.
In an e-mail interview, Dowling said: "Many SMBs use 'checkbox' security, such as ensuring only that antivirus and firewalls are installed. These methods are not enough to safeguard against today's fast-evolving threat landscape."
Noting that malware threats and the security landscape have evolved dramatically over the past five years, he explained that simply deploying antimalware tools and firewalls is no longer enough to protect the dissolving network perimeter.
He added that SMBs are more exposed to the "consumerization" of IT and are usually more willing to explore social networking and Web 2.0 tools to achieve cost savings and efficiency. This is largely also why IT security risks have a relatively stronger impact on SMBs, compared to larger enterprises.
Dowling believes the use of instant messaging and popular social networking sites such as Facebook and LinkedIn at the workplace has also contributed to concerns over data flow, as it increases the risk of inadvertent leakage of corporate information.
"Organizations [therefore] not only require an integrated approach to cross-platform security, full-disk encryption and network access control, they also want to do it easily without upsetting the existing security infrastructure and incurring additional costs," he said.
These industry comments come on the back of a recent survey by Symantec, which noted that Malaysian SMBs were placing a higher IT priority on data protection than they did 15 months ago, when a high percentage had failed to enact even the most basic safeguards.
Nigel Tan, Symantec's South Asia principal consultant, noted that 78 percent of SMBs in Malaysia ranked data loss as their top business risk, while 55 percent pointed to cyber attacks.
"The top IT improvement areas for 2010 for SMBs in Malaysia were to enhance security (74 percent), enhance backup and recovery (72 percent) and improve computing performance (69 percent)," Tan said at a media briefing here last month.
The figures were culled from Symantec's 2010 Global SMB Information Protection Survey, conducted in May, which polled 2,152 SMB executives and IT decision makers in 28 countries globally, including Malaysia and Singapore.
Tan added that 9 percent of Malaysian SMBs said they expect to see significant change in their data protection in the next 12 months and to increase spending on such tools by an average 18 percent in 2011.
Dealing with security
In order to improve awareness of IT security, Tan suggested that SMBs in Malaysia develop holistic Internet security guidelines and educate employees in four key areas. "These areas comprise Internet safety, security and the latest threats, how to safeguard important business information and how to implement effective backup and recovery processes," he said.
Sophos' Dowling said IT security within an organization, and that of its systems, users and data, must be treated holistically as a single goal. To achieve this goal, he suggested engaging a single provider that can cover all security requirements in a simple and unified manner.
IDC's Chung said: "A multifaceted approach is required here: awareness makes up one part of this, policy and ensuring compliance to policies is another," adding that these should be fused together with the right types of technology.
Edwin Yapp is a freelance IT writer based in Malaysia.