Introduction—SMBs and IT
It is easy to dismiss the issues small and mid-sized businesses (SMB) face with regard to information technology (IT) as small beer compared to sorting out the problems of big businesses. But SMBs are as reliant on IT and face many of the same compliance issues of their larger counterparts. True, most SMBs are not listed companies and therefore not answerable to stock market regulators, but most trade with businesses that are, and many industry and governmental regulations apply equally to companies of all sizes. In short, SMBs can no more afford to take short cuts with IT security than any other organization—the problem is that they often do, either through ignorance or simply lack of time. This is not just a problem for SMBs themselves because they are integral parts of many business processes that are critical to larger organizations. Increasingly, the process of communication between the two is online and automated. If an SMB’s IT infrastructure is compromised in some way, this may bring a whole supply chain down. In short, it is in everyone’s interest that SMB IT security is at least adequate and in many cases much better than this. This report looks at where SMBs stand today with regard to IT, where the security threats lie and the challenges SMBs face in overcoming these. The report should be of interest to anyone responsible for running an SMB, especially if this involves overseeing the use of IT, and anyone who trades with SMBs—which is pretty much all of us.
What is an SMB?
Most IT vendors see the SMB market as the goose that could lay many a golden egg, if only they could understand what that market is and how to engage with it. The truth is that there are as many definitions as there are suppliers who want to tap the market. Anything from a sole trader up to an organisation with around a thousand or so employees and a stock market listing may be considered an SMB. The research Quocirca conducted as background to this report covered that whole gambit, apart from the very low end, which is usually referred to as the soho market (small office – home office). Even comparing two SMBs of the same size can be fairly meaningless. A lawyer with 50 employees may have a PC for every one of them, whilst a cathedral with the same number of staff may be pretty much devoid of IT—and there are all shades in between. Ten years ago a delivery company with 50 drivers may have just had a few PCs back at base to co-ordinate things, but today there may be a mobile device in every vehicle connected by 3G or GPRS receiving regularly updated instructions to make the whole operation more efficient. Trying to ring fence SMBs is like herding cats and their use of IT, and therefore IT security requirements, are very varied. Suppliers who succeed in serving the SMB market are those who understand this and come up with flexible products and services. One way of dividing SMBs into two groups is those with just one location and those with multiple locations (Figure 1).
A clear challenge for the first group is business continuity; the majority have IT and employees housed in that single location (Figure 2) and if fire, flood or some other factor renders it unserviceable business stops altogether. Any SMB in this situation would be well advised to get IT off-site; this is easy these days with plenty of third parties offering co-location facilities, but the majority do not bother (Figure 2).
Those with more than one location could build in some resilience by having duplicate IT infrastructure at more than one premises. The majority will not be doing this so, in reality, they are no better off. Those with multiple locations also face issues with communications security when sending information between premises. Most will be using the public internet to this end, which is practical but insecure. Those with just one office are communicating with third parties anyway, also over the internet, and so face the same communications security issues.
