The increasing annoyance of Web threats has alarmed organisations towards implementing more comprehensive, preventive security solutions. As far as security environment at Small and Medium Enterprises (SMEs) are concerned they are now no longer different from their large enterprise counterparts. The time has come for Indian SMEs to frame a strong security policy.

The explosive growth of the SME sector is driving the ultimate growth of the Indian economy. The increase in mobile workers and the growth of internet have compelled SMEs to embrace IT. With the advent of broadband at competitive prices, the threat of malware/virus attacks and spam has escalated. In a global perspective in the cyber space, threats are common for an SME user or a corporate user. What matters is how critical the data is and how secured it needs to be. Till recently Indian SMEs focused on deploying basic stand alone security solutions. But as businesses progress towards deploying firewalls, VPNs and IDS, managed security services will offer the twin benefits of convenience and cost-effectiveness.

According to a recent survey by AMI Partners, Indian SMEs are expected to spend close to $161 million on beefing up their IT security solutions this year. This is a whopping up of 41% over last year. This investment may be contributed to the growth of usage in the internet as well as strict rules to follow regulatory compliance standards. According to the survey, almost 50 percent of India's MEs (100-999 staff) and 36 percent of SEs (1-99 staff) have experienced malware attacks and hard drive failures over the past 12 months, emphasizing the need for better security protection.

Security Scenario at SMEs

According to IDC, there are about 10 million organizations that can be classified as SMEs. These organizations spend about Rs 3,400 crore on IT products and services. In a recent IDC market analysis report titled ‘Worldwide Antivirus 2004-2008’, 31% respondents indicated Viruses, Trojans and malicious code as the greatest threat to their businesses along with Spyware which is ranked as amongst the top four threats for SMEs today. Majority of small businesses are using pirated software which makes them vulnerable to a virus attack. Because small businesses do not update their systems with the latest patches, it makes them a soft target for attacks. Small companies have small networks, which can be managed efficiently by the internal IT teams of these organisations. Opines Ajay Verma, director, Channel and Alliances, Symantec India, “Right now, we're seeing an increase in phishing, spam, bot networks, Trojans, and zero-day threats, and more malicious code being created to target specific organizations for information that can be used for financial gain. We're also seeing an increase in data theft and data leakage.”

Indian SMEs are looking at an integrated security box that meets the complete security requirement and they are looking beyond the price tag and giving weightage to hassle free solutions. Informs Niraj Kaushik, country manager, Trend Micro, “Many growing businesses benefit from the ability to focus and execute at a fast pace, but often suffer from lack of IT resources. This can pose a serious challenge for smaller businesses that need to broaden their security strategy. Enterprise anti-virus and anti-spam products, designed for companies with extensive IT resources, are too expensive and unwieldy for smaller organizations to manage. Rather than struggling with cumbersome point products created for large corporate networks, small and medium-sized businesses deserve a practical solution tailored to fit their distinct security and spam-fighting needs.”

Need for a Strong Security Policy

Moreover, one of the biggest mistakes SMEs make is assuming that since they're small, hackers won't be interested in them. Unfortunately, just the opposite is true. SME servers and home users are, in many cases, now the preferred targets of choice for attackers for the installation of bots, spam zombies and phishing websites, namely because they're easy targets. After all, information in SME databases is often just as valuable to an attacker as that contained on an enterprise database, as any user, system or personally identifiable information can be sold or used for identity theft. And, since large companies have more resources, they're getting smarter and their systems have become a lot harder to penetrate.

Near about 61% do not have a security policy in place. Among those companies that do have a security policy, they are largely in the BFSI and the chemical segments, where CEOs are involved in formulating the security policy. Ajit Pathak, country manager, Sales Operation, SecureSynergy expresses, “Security policy should be framed as per the business objectives of the organization. All the 3 Ps are important--People, Process and Products. People are still the weakest link; ongoing information security training and periodic security audits can build a strong security framework.” He further added that lack of qualified security professionals managing IT infrastructure and adding to that are the dynamics in security technologies which keep on changing--they look adequate today but become obsolete tomorrow.

SMEs need to have a security policy that not only identifies the key assets that need to be secured, but which assets will be extended to whom. For example, their security policy should include things like installing and updating antivirus software, installing a firewall, checking for encryption and authentication, creating strong passwords, and updating Web browsers. Says Verma, “The purpose of the policy is to guide users in knowing what is allowed and to guide administrators and managers in making choices about system configuration and use. And, by going through the process of creating a security policy, SMEs will be able to establish specific security goals and a plan for tackling them.” Security plans are to be carefully developed and the associated processes to be analysed properly.