By Anurag Agrawal on Monday, 12 November 2018
Category: Security

Managing risk - protecting SMB business against operational threats

In the list of top 10 worldwide SMB business issues derived from Techaisle’s global survey of SMBs (1-999 employees), “managing uncertainty” ranks tenth, and the word “risk” doesn’t appear at all. This is likely more a reflection of how SMB executives would like the world to be, rather than a representation of everyday reality. The acronym FUD (fear, uncertainty and doubt) is familiar to most business managers, and not simply as a catch-phrase: SMBs walk a fine line between managing risk resulting from the actions that they take (for example, security or privacy exposure relating to new systems) and risk arising from actions that they have not yet taken (which has its own acronym – “FOMO”, or “fear of missing out”).

Clearly, security technologies are a core component of corporate risk management strategies. Techaisle’s global research, however, has identified several other solutions, including VDI/DaaS, managed services and IoT, which help executives to understand and manage risk in their operations. By capitalizing on the attributes of the technologies that best fit an SMB organization, one can define an approach that allows the business to address ‘downside’ issues and move ahead with ‘upside’ opportunities.

IT security

Risk management is best achieved by developing a portfolio that incorporates IT security. It’s also true that IT security relies on a portfolio approach: there are at least 10 major technology solutions that are in common use by SMBs today.

For example, Techaisle’s US research shows that the top two solutions, anti-spam/email security and anti-virus/anti-malware/anti-spyware, are ubiquitous, with effectively universal deployment. Two other technologies, firewalls and web/content filtering, are in widespread use, at 73% and 55% respectively. No other security technology is used by more than 50% of SMBs: 49% of US SMBs use breach detection, 45% use data loss prevention (DLP) technologies, and usage levels drop for the other solutions on the list, to 25% for vulnerability scanning.

Downsides

While the benefits of some of the technologies on the list may be opaque, the drawbacks will be immediately evident in many business environments. Some of these solutions, such as encryption, are likely to negatively impact system/application performance. Others may impede easy access to resources. In both cases, it’s possible that users will react by trying to find ways to circumvent the solutions – for example, by transferring files to/through unsecured systems like Gmail or Dropbox.

In many ways, these workarounds represent the worst downside possible: they negate investments made in security technology and create holes in your defenses where they should not exist. Executives have a responsibility to strike a reasonable balance – to deploy needed technologies without creating unnecessary impediments to productivity.

Additional guidance on security technologies

There is merit to familiarizing the SMB with each of the technologies and understanding which are in use or in the plans of the organization’s IT security team. Not every technology will be needed in every scenario but understanding what an SMB is and isn’t using – and why – will help the SMB to understand its business’s IT security stance, and to make adjustments if/where needed.

Managed Services

Managed services wouldn’t be categorized as a ‘technology’ per se, but IT departments are using managed services to extend their capabilities and manage technical risk around their operations. Roughly 45% of SMBs currently contract for managed services; these firms use an average of 5.8 services.

More important than the raw number of managed services consumed by SMBs are the types of services that they need. Techaisle’s research finds that five of the seven most common services pertain to devices – managed PCs (48%), managed servers (32%), managed storage systems (29%), managed network devices (29%) and managed mobile devices (27%). Managed security services and managed network administration are also frequently used today.

This data demonstrates the rapid growth anticipated for managed services within small and midmarket businesses. Once all current plans are fully implemented, four in five SMBs will rely on external providers for managed services, and nearly three quarters will use managed services to improve IT security within their businesses.

Each of these offerings has an impact on risk. Managed devices reduce risk by ensuring that PCs, servers, storage, networking and mobile devices are covered by SLAs that specify policies for key issues like backup and patching; managed security services give SMBs access to specialists with skills that can’t be easily replicated by internal IT resources. Managed services also have another important, positive impact on risk reduction: outsourcing repetitive and/or specialized niche tasks allows IT staff to expand their focus on service delivery issues that improve user support and/or rollout of new features needed to maintain market competitiveness.

Additional guidance on managed services

Managed services should be viewed as a component of an SMB firm’s IT staffing strategy. In general, there’s potential merit in finding providers to deliver support for low-value, repetitive tasks (such as system deployment and maintenance) and for highly-specialized skills (such as IT security); also, as a general rule, there’s likely to be some benefit in having internal staff manage strategic IT plans for the business and the interface between user departments and technologies. Executive leadership can help IT to strike the best balance between internal skill requirements and use of managed services.