Lacking a View of the Whole

Large, global corporate groups were the forerunners in e-business. Now, small and midsize companies have begun to handle their business processes using Internet and e-business technologies. Doing so helps them fulfill the requirements of wholesale customers (midsize vendors are a good example here) or use the Web as an additional sales channel. Midsize companies are also expanding their use of mobile computers (such as notebooks or PDAs) and the number of home or virtual workstations, along with wireless technology like WANs and Internet telephony. That means small and midsize companies face the same threats as large corporations. The confidential data records and digital speech data that used to reside in an internal, legacy environment are now leaving it.

IT security as a competitive factor

Like large companies, midsize companies must guarantee secure data and information exchange with partners and customers, protect their IT systems from unauthorized access, and guarantee high availability of their systems. “Midsize companies must keep up with developments in security technology,” says a study of IT security in midsize companies conducted by IDC analysts Carla Arend and Thomas Raschke. “A failure to implement appropriate measures impairs their attractiveness as a business partner.”
In the automobile industry, for example, it’s impossible for midsize vendors to operate competitively without IT. Because of their decreasing vertical integration, large automobile manufacturers require that their midsize partners link tightly with their internal purchasing and development departments, so deficiencies in IT security have a negative effect on competitiveness. A system outage of just a few hours has devastating results because this industry relies on just-in-time delivery and manufacture. Financial service providers have other security considerations. High availability is a concern, but the confidentiality of customer data is much more important.
Regardless of industry, midsize companies become subject to more legal requirements, guidelines, and rules for secure corporate management once they appear on an international stage through e-business. And the more midsize companies use modern information and e-business technologies, the higher their risk of suffering an attack. The economic damage of lost data, stolen data, or system outages in midsize companies is enormous. Based on a survey of more than 100 small and midsize companies, security software manufacturer Symantec estimates that each episode of system downtime or lost data caused by a virus attack means losses of US$2,300 to US$16,000. And because midsize companies make up more than 90 percent of almost all national economies and therefore dominate them, the damages can add up to billions.

The patchwork company

IT security ranks high among midsize companies, according to a cross-industry study of midsize companies in five European countries published by IDC in 2005. On average, more than 95 percent of those surveyed had installed security technology. But the high adoption rate should not disguise the fact that many midsize companies have created only rudimentary security infrastructures – usually just antivirus solutions.
Laura Converso, a senior research analyst at IDC responsible for midsize companies, sees no contradiction here. “Yes, IT security is one of the most important issues for midsize companies,” she says. “But most companies do not approach the issue proactively; they develop sustainable security measures only after a serious incident.” Their approach is usually unsystematic and unstructured. Converso likes to characterize midsize companies as “patchwork companies” when it comes to IT security. They take security measures on time, but lack a view of the whole.

Security Solutions in Use

Market researcher Forrester and a company called Security for Business (S4B) have reached similar estimates. According to Forrester, only a few midsize companies have introduced complex processes such as intrusion detection and prevention, authentication, virtual private network (VPN) tunnels, or vulnerability scans. S4B found that midsize companies deal with security questions systematically only in exceptional cases. According to that study, three-quarters of small companies have neither undertaken nor asked for a professional evaluation of their security situation.

Without competence . . .

Insufficient and unsystematic implementation of security measures by midsize companies has its reasons. Creating concrete cost-benefit analyses of security measures and projects requires a company to collect and evaluate detailed data on security attacks and penetrations. According to Martin Haas, consulting director at IDC in Frankfurt, Germany, a comprehensive security infrastructure – ideally one linked to the company’s strategic goals – is indispensable. Only qualified personnel can create the required technical preconditions, such as a multilevel security infrastructure. And for midsize companies, that’s a cost factor that cannot be underestimated.
Market researchers at Yankee Group have calculated that personnel costs make up 25 percent of IT security costs. The salary of a security officer ranges from US$60,000 to US$100,000 annually; IT directors earn up to US$150,000 annually. Even a small IT department with three or four employees can quickly overwhelm the financial resources of a midsize company – something that does not happen to large corporations. That’s why Yankee Group analyst Jim Slaby characterizes money spent to build up in-house IT security competence within small and midsize companies as a superfluous “luxury.” If they devoted financial resources to security, midsize companies would not have the money they need for important core tasks – such as developing new and marketable products and services that improve competitiveness.
Midsize companies are not ready to make investments of this magnitude. According to the S4B study, a midsize company spends a maximum of US$1,000 on a security analysis. The analysts at Forrester have produced similar results: more than 40 percent of the companies surveyed by Forrester spend less than US$1,200 each year on external services related to IT security.

. . . initiatives blossom

Is Security Personnel Available?

“Many small and midsize firms don’t have an IT department that protects the firm’s network from external attack and that professionally manages the security solutions – if they exist,” says IDC analyst Converso in the same vein. And where they do exist, IT departments are comparatively small. According to a joint survey undertaken by the Network Research Group at the University of Plymouth and San Diego State University of more than 102 European and American midsize companies, most IT administrators perform the tasks of IT security themselves. Only 2.5 percent of the firms that participated in the study and have 20 to 250 employees have their own security officers. In both cases, those who are responsible are rarely trained for potential threats.
Lacking or insufficient competence lowers the level of risk awareness. If threats are not even acknowledged, companies will not conduct the risk analyses needed to determine the potential damage, strengthen security weaknesses, and close security gaps. And when companies with little expertise in IT security do undertake security projects, the number of separate initiatives blossoms.

Alternative outsourcing

That’s why the Yankee Group recommends that midsize companies seriously consider outsourcing IT security as managed services. According to the Yankee Group, midsize companies that outsource IT security can save 20 percent to 60 percent of in-house costs for personnel, IT tools, and updates. And the quality of IT security increases measurably, because security service providers employ highly qualified security specialists. They follow trends and bring experience from projects at other companies, so their knowledge is available equally to all their customers.
Martin Haas thinks that midsize companies will take advantage of managed services for at least part of their security solutions for yet another reason. “The higher the required level of security rises,” says the IDC analyst, “the more complex the solutions – and the requirements – become for midsize companies.”

Dr. Andreas Schaffry