Techaisle Blog

SMBs are not only increasingly dependent on IT – they are dependent on increasingly-interconnected systems, which are in turn open to an ever-expanding population of devices and access points. The volumes and value of data contained in these systems continues to grow, which both increases the potential damage associated with a breach, and attracts heightened attention from hackers. Techaisle’s SMB survey data finds a disconnect between security policy and security practice that creates the potential for poorly-coordinated approaches to security – an uncertainty that is magnified by shadow IT.

In Techaisle’s latest survey of SMBs, only 13% said that they were fully prepared and confident to handle security challenges, especially mobility security. The remaining 87% were partially prepared, unprepared or unsure. These are very sobering statistics.

Techaisle’s SMB Shadow IT survey data shows that over 70 percent of applications and nearly 60 percent of IT infrastructure related spend and decision authority lies outside of IT. These expenditures are made without the IT department’s approval, guidance, or in some cases, even without IT’s knowledge. 

Security is becoming a more critical component of business rather than IT strategy.

SMB IT security managers should petition for senior executive support which will help to build an approach that safeguards the organizations, users and data, in a framework that is flexible enough to respond to emerging opportunities and threats.

SMB Mobility increases threat perimeter

The problem with mobility (like cloud) is that it changes the concept of “perimeter.” Intruders don’t need to batter through closely-guarded walls to gain access to the interior of the network; they can ride through a permeable configuration on the backs of mobile devices that have been granted access to the precious applications and data that live in the interior of the organization. It is as if the castle walls and drawbridge were replaced by windows and breezeways offering access to visitors arriving from all directions.

With mobility, the SMB user community becomes a ubiquitous and shifting source of portals through the perimeter. As a result, IT doesn’t need to only defend against recognized foes: it needs to protect the corporation from breaches that can result from the actions of its own workers, and needs to protect the same data that it delivers as an essential component of support for the mobile workforce – the workforce that is viewed by senior management as making compelling contributions to the top and bottom-line success of the business.

SMBs should consider a four-layer security framework model for deployment:

A blog “Big Data in the Cloud - an ideal solution for SMB banks” that we wrote touched a nerve, in a good way. Post blog, in our several discussions with both large and community banks we find that cloud objection is largely based on the size of the bank. In addition, regulatory compliance concerns are huge as most midmarket businesses and banks in particular spend a lot of money being compliant. With the move to cloud they want to make sure that the investment extends to the cloud without being exposed to security breaches and from a regulatory point of view.

What is clear is that migration to cloud is forcing businesses to think differently about security, in very standardized ways because the delivery of cloud service is standardized. It is also pushing them to automate security because utilization of cloud is dynamic, elastic, automated and fluid thus making manual or even semi-automated security processes unmanageable. However, this approach creates multiple vulnerabilities. The bad guys themselves are taking advantage of all the cloud technologies and are becoming a lot faster and more automated than the businesses. Security therefore becomes a moving target and cloud security is a perfect opportunity for businesses to improve defenses and reduce risks.

While most midmarket businesses are reactive, hunting after point solutions when something goes wrong, others are taking a proactive approach to risk and threat so that they have more fluidity in the way they respond when a threat occurs.

IBM security is on a path to help businesses think differently about cloud security. It is moving the businesses along a maturity curve from reactive to proactive to optimized. Optimization refers to the difference between being able to weather an attack and continue with business and how much time could one can shave off and how much cost could be optimized for being able to respond to that event in reducing risk.

As Sharon Hagi, Global Strategist and Senior Offering Manager, IBM Security, said in an interview “the state that IBM is advocating goes beyond reactive or proactive. We call it the optimized state where organizations use automation coupled with predictive security analytics to drive towards a higher level of efficiency. By mixing the elements of proactive approach, automation and security intelligence businesses can actually get to the point where they are a lot more efficient and they actually reduce time and cost to respond to risk.”

IBM is differentiating and trying to distance itself from others in a number of different ways. IBM has a managed security services practice with ten plus security operation centers around the world servicing 133 different countries with 6,000 security professionals and its research lab X-Force provides actionable threat intelligence and insights for business and IT leaders. IBM monitors 10,000 security customers globally, 70 million end-points with 20 billion events per day, has made enormous investments in security intelligence analytics platform that allows it to distill information, identify threats and respond quickly.

But for banks and businesses that come under deep regulatory scrutiny, security goes beyond managed services and is a major psychological barrier to cloud adoption triggering a high level of fear-factor. Recently, we posed a fundamental question of “Why do you want security” to banks and midmarket businesses in general. The responses received could easily be bucketed into five categories:

Techaisle’s global SMB survey shows that mobility security is the 2nd top IT challenge for small businesses and 4th top IT challenge for midmarket businesses. To delve deeper, during the course of the Techaisle SMB 2015 Mobility Adoption & Trends survey, respondents were asked “When it comes to security risk in the mobile computing context, which of the following represents a source of exposure or uncertainty within your organization?” To a surprisingly high degree of candidness SMB concerns with mobility security revolved around users. As figure below demonstrates, SMB IT respondents ranked three user-attributable issues

1. User neglect/irresponsibility,
2. Lack of user knowledge/awareness, and
3. User mishap

amongst their top five concerns, trailing only “general malware infection” as a mobility security threat. Data is where the user is and to say that the enemy is inside the tent would be an understatement.

SMBs recognize the exposure and vulnerability but Techaisle survey shows that only 16% of SMBs worldwide are fully prepared to handle mobility security challenges. Data also shows that like manageability, security is an important constraint on mobility adoption within the SMB market. Most MSPs, channel partners and suppliers continue to focus on BDR and/or anti-malware security as they are easy to offer and deploy but they represent a very narrow approach to larger security issues within SMBs.

If the “office” is defined by devices then “workplace” is defined by the ability to work from wherever those devices (and their users) are located. In this vein, “work” typically includes a requirement to access corporate data with mobile devices.

Data from the Techaisle 2015 SMB Mobility Adoption and Trends survey finds that more than 80% of small business employees and 55% of workers in midmarket firms require mobile access to company data. Providing this access and the applications, devices and solutions represents an enormous investment for SMBs that are typically very conservative in their IT budget allocations.

By more than a 2:1 ratio, SMB respondents believe that mobility is a means of driving growth in the business. But mobility does not deliver business benefits painlessly. The introduction of mobility solutions has created new issues for IT management, and suppliers who can help to address these issues will gain favor in this community.

Addressing the needs of the “dual mode” user is a non-trivial issue. In the Techaisle survey, both small and midmarket firms report that users access a combination of business and personal resources via their business-connected (both corporate-owned and BYOD) mobile devices. This reinforces the importance of some of the solutions being currently used or planning to be used by SMBs. These are solutions that help manage mobile devices that deliver access to corporate information without downloading data and applications themselves (such as thin clients and Windows-as-a-Service) and methods of securing data when it is exchanged between mobile devices and external users and where users themselves move seamlessly between corporate and personal usage modes on devices that are connected to corporate networks.

Mobile devices are an essential component of mobility but mobility itself extends beyond hardware to applications, solutions and work habits. Techaisle’s 2015 SMB Mobility Adoption Trends research shows that the “dual mode” SMB user represents a specific problem for SMB IT staff and the challenges of supporting a mobile workforce go well beyond the device.

Small and midsized businesses have different challenges in supporting the mobile workforce

Looking first at the small businesses, we see that managing TCO – which includes, in addition to typical IT expenses, service charges that are unique to mobile devices – is rated as the most significant challenge by small business respondents. These firms also struggle with the “on ramps” to mobility: finding appropriate suppliers and solutions and integrating multiple screens are also ranked in the top five challenges encountered by 1-99 employee firms in support of the mobile workforce.

Midmarket firms also count TCO as their most significant challenge. Rather than struggling with mobility on ramps, though, midmarket firms are more concerned with security/data protection and mobile management. Network security, protecting corporate data on mobile devices and managing these devices are all top-five mobility challenges for midmarket IT – and further evidence of why mobility solutions addressing these issues are essential to this community.