“Many SMBs believe that their company is not at risk. They are wrong”, says Peter Wirnsperger, Senior Manager in the Security Services Group of auditors Deloitte & Touche. “Viruses do not differentiate between a multinational company and a small firm”, he continues. A system failure of only a few hours “can have devastating consequences for a small or midsize business”, warns Wirnsperger. The statistics show that he is right. The German industry association BITKOM forecasts “more than 700 million security incidents worldwide as a result of new computer viruses, hacker attacks or other threats” for 2003. The resultant economic and financial damage amounts to more than a billion Euros. Malicious programs such as viruses and worms multiply almost without restriction. The current Internet Risk Impact Summary (IRIS) report from the US security specialist Internet Security Systems (ISS) registered an average of nine new viruses and worms per day for the third quarter of 2003 alone.
IT security – the gap between desire and reality
Despite these recognizable economic risks, the recently published study by Deloitte & Touche shows that the IT and security management of German SMBs is clearly “unsatisfactory”. 66 percent of the SMBs surveyed admitted to having a “noticeable failure of their IT systems” in the previous 12 months. Market researchers from IDC produced similar results in 2002 in a Europe-wide survey. The report found that SMBs do not regard IT security as an integral part of their business model. Moreover, small and midsize businesses do not have sufficient security concepts in place which deal with implementing and carrying out security measures. The META Group too is skeptical about whether small and midsize businesses are investing enough in IT security, since the IT security budgets of SMBs with a workforce of between 200 and 499 tend to be “low and currently stagnant”. A survey by business consultants PricewaterhouseCoopers (PwC) of around 400 US companies (with sales of between USD 5 and 150 million) also discovered that, while 66 percent stated that IT security was a key element in their future business development, “this statement was barely reflected in their budgets”, notes PwC security expert Mark Lobel with some bafflement. PwC suspects that the reason for this lies in the separation of business and security budgets. Deloitte & Touche security expert Peter Wirnsperger has also found that too often in SMBs “there is debate about whether to implement structured IT security measures at all instead of talking about how to do it.”
There have however been a number of voices to the contrary. In the USA alone, SMBs spent USD 1.4 million on IT security measures in 2002 and IT security is one of the top ten IT trends for SMBs according to figures from Access Markets International (AMI) Partners, a US consulting firm which specializes in small and midsize businesses. According to the Yankee Group, the majority of SMBs intend to spend more money on security products and services within the next 12 months. Only 11 percent intended to cut back in this area. AMI’s consultants believe that this increased security awareness is primarily a response to the terrorist attacks of September 11, 2003.
A high level of awareness, but a small budget
However, AMI was disappointed to find that “around 2.2 million small companies have still not put in place any IT security measures.” Is this a contradiction? Not necessarily, because increased security awareness does not automatically result in an increase in the budget for corresponding measures, according to the results of a worldwide study by Ernst & Young. While 90 percent of those surveyed put the subject right at the top of their agenda, 55 percent had to admit that existing security loopholes were largely a result of too small a budget or a lack of interest on the part of management. In the view of Marcus Rubenschuh, an IT security expert at Ernst & Young, “the corporate goals and security strategies of companies are often not compatible.”
This seems to confirm the suspicion that IT security is regarded more as a “necessary evil” than a primary goal in business strategy, says Peter Wirnsperger. “It can come as no surprise”, writes KES, a journal which specializes in the subject of security, with a large degree of displeasure, “that around a third of German companies with a workforce of between 100 and 500 spent less than Euro 10,000 on information security (wages, hardware, software and other costs) in their 2002 budget.” Peter Wirnsperger has no doubt that the high number and long duration of system failures are a direct consequence of the often dramatically low budgets for IT security measures and the lack of awareness of the problem among small and midsize businesses. The average duration of a system failure is about 12 hours.
However, Wirnsperger assumes “that the actual number of system failures is significantly higher.” Deloitte & Touche have discovered that the most frequent system failure among SMBs related to e-mail (42 percent). As many as 25 percent indicated that mission-critical applications such as ERP systems had been impaired by system failures. On the basis of these results, Peter Wirnsperger gives the following advice: “The fact that corporate systems experience failures with such frequency should be a clear warning of the need to invest more in IT infrastructure management.” According to findings by the BSI (German Federal Department for Security in Information Technology), “the majority of security incidents are caused by insiders.” This is not always intentional and significant damage can often occur simply as a result of a lack of awareness of problems. This is a sign that, in small businesses in particular, too little is still being done at staff level to protect IT systems.
As structures improve, failures decline
E-commerce and e-business, which are based on networked and open infrastructures, have further increased the security requirements of SMBs. Businesses which communicate with customers, partners, suppliers and contractors and exchange data via the Internet must be able to guarantee the confidentiality, integrity and availability of their IT systems. This means that small and midsize businesses also have to make IT security a key element of a comprehensive security concept which encompasses legal, organizational and, not least, personnel-related aspects.
According to the advice of the BSI, SMBs should introduce written security policies and check that they are being adhered to. Access rights should be issued on a restricted basis, and administrators and IT security managers should be given ongoing training so that they are always up to date with the latest trends and have the means to promote security awareness in the business in general. Businesses should also be certified to prove that they meet defined security standards. It is possible, for example, to be certified to Common Criteria (ISO/IEC 15408), ITIL (IT Infrastructure Library), BS 7799-2 (from the British Standard Institute) or in accordance with the IT Baseline Protection Manual of the BSI. The National Institute of Standards and Technology (NIST) and the United States Small Business Administration (SBA) in the USA offer programs on IT security in SMBs similar to those provided by the BSI.
However, software suppliers too have a responsibility to SMBs in terms of IT security. For example, SAP has published a multi-volume security guide for SAP R/3. The Walldorf-based group is also working together with partners such as Secude GmbH to protect business management and personal data in local and global SAP networks with their SAP-certified security solutions. With Mcert, SAP is also supporting an online portal which has offered specialist IT security services to SMBs since mid-December 2003.
The measures put in place by various parties are slowly beginning to bite. For example, Deloitte & Touche found that the companies surveyed intended to introduce security programs within the next six months. Right at the top of the agenda were organizational improvements in terms of infrastructure, application environment and security management. According to PwC expert Mark Lobel, SMBs should also invest more in preparatory measures. He cites the example of changing the windshield wipers on your car: it is always best to replace them when the sun is shining so that you are ready for the next time it rains. “However”, and here Peter Wirnsperger becomes a little pensive, “technology is too often regarded as an end in itself and a universal remedy.” While it is necessary to invest in basic technology such as antivirus software and firewalls, it is also important that IT security is fully integrated into corporate processes. Security can only function effectively if staff implement it in their day-to-day work. “And this is especially important for SMBs”, he adds.
General: www.bsi.de, http://csrc.nist.gov/securebiz/, www.cert.org, www.sba.gov
www.ami-usa.com, www.barometersurveys.com (PwC trend barometer), www.ey.com, www.metagroup.com, www.idc.com, www.yankeegroup.com, https://gtoc.iss.net (IRIS report)
SAP AG: www.sap.com