S'pore SMBs looking beyond antivirus

SINGAPORE--Small and medium-sized businesses in Singapore are looking beyond antivirus and considering other technologies to secure their computer systems and data, a new survey reveals.

According to AMI-Partners' latest market report, SMBs in Singapore are projected to spend US$46 million on IT security this year, up 20 percent from 2005.

Although network firewall and virtual private network (VPN) technologies will account for almost 25 percent of the projected IT security spending, more businesses are looking at intrusion detection, too, the study revealed.

Jasmine Vincent, AMI-Partners' director for Singapore, attributed the increase in IT spending to a greater awareness for better protection. "Ninety-six percent of Singapore SMBs have access to the Internet, and they are highly exposed to security attacks from using e-mail, instant messaging, Web casting, online procurement and VoIP (voice over Internet Protocol) calls," she said.

"These SMBs have traditionally pushed aside critical issues like data and network security, but are now increasingly aware that they need to have strong security measures in place," she added.

The survey also revealed that only 12 percent of small businesses, defined by AMI-Partners as having between 1 and 99 employees, have full-time employees dedicated to technology management. Over a fourth of small businesses have no dedicated staff looking after IT.

Several security vendors ZDNet Asia spoke to agreed that limited resources and budgets are two reasons often cited by their prospects and customers for not getting higher levels of security protection.

Andy Sim, director of Cisco Systems' commercial business for Singapore and Brunei, noted: "It is quite a strange phenomenon, but many SMBs, and even some mid-market companies, do not put a high priority on security. At best, they will have a firewall and an antivirus; at worse, they use freeware.

"Maybe they assume that hackers won't pay attention to them because they are small, but a virus or a distributed denial of service (DDoS) attack will not be able to distinguish between big and small companies," Sim told ZDNet Asia.

A DoS attack is not a virus but a method hackers use to flood a network with so many phony requests that traffic is slowed or disrupted, preventing legitimate users access to a computer.

Edward Lim, general manager for Symantec Singapore, agreed most SMBs do not have the luxury to invest heavily in IT infrastructure, and explained that few businesses are proactive toward IT and security issues.

Lim said: "They typically outsource their IT functions to external services providers and adopt a reactive approach, which means that they only react when they experience an IT issue.

"Small businesses tend to purchase point solutions such as Norton Antivirus 2006 as it is simple to install, and cost is usually a critical factor in the purchase decision," he added.

According to Robin Seow, HP Singapore's general manager for the Personal Systems Group and SMBs, when it comes to IT purchases, small-business owners are the IT decision makers. "As such, many of them have purchasing habits similar to that of a consumer, which is largely retail-based and fueled by the need to 'see' the solutions before buying," he noted.

According to AMI-Partners' Vincent, the projected increase in IT security spend spells opportunities for SMBs to work with the vendors that can share their expertise and provide value-added advisory services.

To help SMBs better understand their IT and security requirements, Seow said HP has opened a new "HP experience center" catering to SMBs and serves small-business owners that do not have a dedicated IT manager, and which buying habits are more retail-based.

Symantec's Lim recommends that SMBs look at "a multi-layered security policy to remove risk at the earliest point of entry, as well as protect from threats that originate from the internal network".

"Recent reports indicate that phishing will continue to be a problem, especially for small businesses. It is therefore important to have an anti-phishing solution in place to prevent the business from falling victim to an online fraudster in the future," he added.

Beyond antivirus
Lim Ai Ling, McAfee's regional marketing manager, also agreed that SMBs should look at purchasing security products that reduce the business exposure to e-mail threats like phishing scams, where Internet fraudsters attempt to steal personal information.

"Today, antivirus alone can no longer address the security issues.

But whatever they decide, SMBs must be able to install and manage the technology easily. "With limited manpower to manage the IT infrastructure, it will mean added tasks for the SMBs' IT personnel to manage a suite of different security solutions. Therefore, simple-to-manage must be a criterion they look at when purchasing security solutions," McAfee's Lim noted.

These SMB security trends are similar in other parts of Asia.

"There really isn't much of a difference in the basic resource--financial or manpower--crunch issues that SMBs face, be it in Singapore, Hong Kong or Malaysia," said Symantec's Lim.

"What's important is that SMBs educate their employees, and make sure their employees understand the significance of being up-to-date with ICT developments that will help protect them from system vulnerabilities," he added.

According to HP's Seow, small businesses tend to be confused over the difference between security and data protection. "These are two different areas that need to work hand-in-hand, not separately," he noted.

"Today's businesses face many external threats, and security needs to be there from the beginning to protect a business and not be an 'add-on' after the fact," he explained. "There is no silver bullet to security and instead, SMBs should be looking to use 'layers of security' to secure and protect their data, applications, operating system, network and hardware as a whole."