Update: In the face of greater malware and cybercrime, all organizations--regardless of size or security budget--need to be on their toes to protect corporate and customer data.
Often faced with manpower and budget constraints, small and midsize businesses (SMBs) are perceived to be reactive rather than proactive in securing their data assets. The problem is compounded by the fact that cybercriminals are now targeting smaller businesses as well.
Tan Yuh Woei, Symantec's country manager for Singapore, pointed out in an e-mail interview that the threat of losing critical business information is a real risk for SMBs in the Asia-Pacific region. Citing the security vendor's 2010 SMB Information Protection Survey released last June, he said nearly three quarters of the region's SMBs indicated they had been hit by cyberattacks in the last 12 months. Of these, 58 percent said they actually lost confidential or proprietary information as a result of the incidents.
Said Tan: "All SMBs saw tangible losses last year, mainly from downtime, and theft of customer financial information, customer or employee personally identifiable information. The leading direct costs experienced as a result were the loss of productivity, revenue and reputation.
"In fact, the average annual cost of these cyberattacks [to businesses] was found to be US$152,266," he said.
While some economies in the region, such as Hong Kong, Malaysia, India and Singapore, have introduced or announced data protection legislation, such regulations may not exist or may be inadequate in many parts of Asia. Nonetheless, SMBs should make data protection an integral part of their risk management and corporate governance strategy, said a consultant.
Victor Keong, partner at KPMG Advisory, told ZDNet Asia in an e-mail interview that the ability to meet existing data protection and retention laws is necessary especially for SMBs that are looking to expand regionally and globally.
According to him, SMBs looking to protect information assets first need to identify what sensitive data they need to protect. Following this, they should adapt compliance controls from industry best practices such as the Payment Card Industry Data Security Standard (PCI DSS) or tap standardized methodology developed by professional security services firms. The latter is available to SMBs at a "reasonable" cost, which is "minimal" compared to a data breach, he noted.
"SMBs are well poised to initiate efforts in data protection as it's easier to start small and build the foundation for good data protection," said Keong. "When the SMB business eventually grows to an enterprise scale, the challenge to identify where sensitive data are stored and how to secure such data, as well as resulting costs and efforts, grows exponentially."
In addition, businesses should not be fixated on achieving compliance, he warned. Citing a case last year, in which a Hong Kong e-payment services provider sold customer data, Keong noted that while the act has not been proven to contravene Hong Kong's Personal Data and Privacy Ordinance, the issue is not simply about compliance.
"Public perception of an appeared breach or lack of control has a greater impact and repercussion," he pointed out.
He added that one of the biggest challenges SMBs face is the loss of mobile devices. In the same survey, 63 percent of SMBs reported incidents of lost items such as a smartphone or laptop over the last 12 months. In addition, all companies surveyed admitted to deploying devices that had no password protection or that did not support remote data wipe.
Gina Luk, research and consulting manager at Access Markets International Partners (AMI-Partners), attested to the vulnerability of SMBs in the current threat landscape. In an e-mail interview, she noted that "malware doesn't discriminate": it attacks anything it can, and does so swiftly.
"SMBs are often the most vulnerable and, at the same time, the least capable of withstanding an attack, either from outside threats or a malicious insider," Luk said. "The cost of a data intrusion or infection can cripple an SMB."
Looking to cloud, managed services
According to Jeffrey Kok, strategic solutions consultant at EMC-owned RSA, SMBs typically have smaller Internet presence and IT infrastructures. At the same time, they have "looser security policy enforcements" and, therefore, face greater challenges dealing with day-to-day security issues such as virus outbreaks, Trojan infections, security patching and server hardening.
Ultimately, SMBs are exposed to the same risks as large enterprises, Kok told ZDNet Asia in an e-mail. "The difference is the method of response toward risk and not lesser risk due to their size."
Having a smaller security team and budget does not mean the security posture of SMBs will, or should, lag behind that of their larger peers as there are viable technologies they can tap to strengthen their infrastructure and guard against threats, industry observers pointed out.
"Managed security services is often a good solution for transferring information security responsibility and operations, as it reduces their cost of [supporting] expert professionals and infrastructure [and] makes them compliant [with regulations] without compromising on information security," he explained.
For instance, SMBs that adopt Google's Gmail for Business will enjoy built-in security via Postini, SAS 70 Type II audit compliance and availability of 99.9 percent--all at an affordable price, said Kok. In contrast, they would have to fork out "a few thousand-fold [more] to achieve the same level of security and availability" to build and maintain their own infrastructure, he added.
Luk concurred, noting that data from AMI-Partners showed that spending on remotely managed security by SMBs in Singapore currently stands at US$3.2 million and is expected to increase to US$3.84 million by year-end.
In addition, a report released by the research firm last week revealed that SMBs in Asia are looking to security services as one of their first cloud initiatives, she added.
"With the current economic environment looking positive in Asia, the region's SMBs are keen to invest in the latest technologies and look at cloud services for visible cost saving optimization," said Luk.
Kok added that open source or free security tools "vetted by a wide audience" are also options for SMBs to explore. One example, he said, is TrueCrypt, which offers disk and folder encryption.