IT security still a big challenge for Indian SMBs

Lack of skills and awareness, as well as the rising use of handheld devices in the workplace, pose a plethora of security threats for small businesses in India.
Written by Swati Prasad, Contributor

India's small and midsize businesses (SMBs) lack complete understanding of the IT security landscape and tend to be reactive, rather than proactive, which can turn out more costly to manage.

According to Kishan Bhatt, engagement manager at Zinnov, some common assaults faced by SMBs in India are virus attacks, trojans, phishing, pharming, and man-in-the-middle and man-in-the-browser attacks. He noted that while larger organizations take robust measures to safeguard themselves against such attacks, in the case of smaller organizations, these processes are not well defined.

A recent Zinnov report revealed India is home to around 50 million SMBs, of which 10 million are technology-ready.

Most SMBs would have some form of security application installed in their systems. However, Bhatt said over half would be running pirated copies of this software, bought at a fraction of the cost from the grey market.

"IT security is a major challenge for SMBs," Sandeep Gupta, managing director for Protiviti Consulting, said in a phone interview. "IT security is something that percolates down. If the promoter is sensitive towards this issue, then the SMB will take more proactive steps towards IT security."

One major challenge they face is the lack of complete understanding of the IT security landscape. Most Indian SMBs are not aware of the need for robust IT security, and this has a lot to do with the lack of regulations pertaining to IT security.

Only two sectors in India--BFSI (banking, financial services and insurance) and telecommunications--are subject to government regulations, noted Damanjit S. Uberoi, South Asia chief solutions architect and evangelist for enterprise security at Hewlett-Packard.

In the wake of ever-increasing budgetary pressures, IT security will continue to take a backseat unless regulatory steps are taken to heighten the need for organizations to take various security measures, Uberoi added.

"While there is decent understanding around virus attacks and Trojans since these have been around for a long time, there is a lack of awareness around recent forms of malware such as phishing, pharming, man-in-the-middle and man-in-the-browser [attacks]," Bhatt said.

Security also is often viewed as a luxury, or a "nice-to-have" feature, when it should be recognized as a necessity that needs to be factored early in the game.

Small also make good targets
According to Jagdish Mahapatra, McAfee's India and SAARC managing director, SMBs underestimate the value of their data.

"They tend to have this notion that due to the small nature of their operations, they will not be a target for cyberattacks," he said. In reality, though, their data and intellectual property not only are vulnerable to theft, an unsecured database also attracts attention from the hacker community. This puts their sensitive intellectual property in danger, Mahapatra cautioned.

Moreover, SMBs assume security tools are expensive to acquire.

"With mobile phones and tablets coming in the play, many SMBs assume these devices are secure and allow [them] access to servers. To combat any threats, it is important SMBs deploy a complete end-point protection suite so none of their valuable data will be stolen," he said.

Skills are an issue, too. Uberoi said: "Specialists are too expensive for most SMBs to afford." Noting that these companies tend to be reactive rather than proactive toward IT security, he added: "And in most cases, reactive measures are a lot more expensive."

To address SMBs' need for cost-effective products, security vendors provide hardware and software offerings including firewalls and routers targeted at this customer segment.

Mahesh Gupta, vice president for borderless network at Cisco Systems India and SAARC, said the company introduced several products that combine high-speed network connectivity with integrated VPN, firewall, e-mail, and Web security capabilities designed for SMBs. It also has routers that offer Internet access, security, and wireless services on a single, secured device.

With the increasing popularity of handheld devices and work practices such as BYOD (bring your own device), and the need to provide more secure access to data center resources, Cisco launched its Identity Services Engine (ISE). Gupta said it aims to help SMBs manage compliance, enhance infrastructure security, and streamline service operations.

Similarly, McAfee also offers several cloud-based security products for SMBs, and HP's Fortify suite of products is designed to prevent security vulnerabilities in applications and is delivered via a SaaS (software-as-a-service) model.

Get proactive, not reactive
SMBs face a unique situation in defending themselves against the rising tide of cyberthreats.

Mahapatra noted: "They can't afford high-priced IT and security talent on site. They can't afford [to suffer] a breach that threatens their very existence, and they know the space they occupy is going to attract more attention from the hacker community."

Additionally, the proliferation of mobile devices is adding to the challenge of keeping their environment secured with limited IT resources.

According to Gupta, SMBs need to adopt a calculated approach to data security.

"They need to classify what can and can't be in public domain, and devise a strategy for cloud and virtualization," the Cisco executive said.

According to Bhatt, Indian SMBs should inculcate good security practices such as not sharing confidential information over unsecured networks, being wary of suspicious e-mail and Web sites, and understanding the basics of IT security.

"They need to look at security in a similar way as they look at insurance products," he said.

Uberoi underscored the importance of a proactive, rather than reactive, approach to IT security.

"SMBs need to align their IT security efforts strongly with the organization's risk management objectives, understand the threat landscape and prioritize, to protect what matters the most to their business," he said.

Small businesses also need to constantly update the security software. "Keeping the business continuously up-to-date requires total protection against known and unknown threats," Mahapatra said.

"SMBs need to adopt a holistic security solution comprising of elements of antispyware, antimalware, firewall, host-based intrusion prevention antimalware, spyware, encryption, and data loss prevention. Such an approach takes care of complex and sophisticated threats with convenience and ease," he added.

Swati Prasad is a freelance IT writer based in India.
