Hemayun Bazaz, Regional Manager, Channel Sales, Middle East and Turkey at Aruba, a Hewlett Packard Enterprise company, elaborates on how SMEs are a growing target for cybercriminals in the Middle East and why specialisation can help partners be successful here.
The threat to SMEs comes from the wider trend for cybercriminals to target the individual, as well as the enterprise. With the consumerisation of IT and BYOD, workers carry a great deal of sensitive data on their smartphones that is exchanged back with their company servers. This makes single devices a potential gateway to a wealth of company and private data. If employees are working remotely, for example from a café using guest Wi-Fi, that can also add a layer of vulnerability unless the correct security policies have been applied to the user and device based upon their location.
Typically, the SME market lacks the in-house IT expertise that is required to monitor and secure the network at the individual device level, meaning they may be viewed as an easier target by cybercriminals, as recent attacks have suggested.
Key cyber threats facing SMEs
Most employees believe IT has their back so the weakest link are many times the staff themselves. Our recent research has shown that, in order to get the job done, six in 10 workers are sharing their personal device with colleagues. In the fast-moving world of SMEs, we see a good deal of entrepreneurial spirit, lots of sharing of information and a fairly minimal focus on company security policies. This has an impact – a third of workers admit to losing company data through misusing a mobile device.
The answer is not to restrict employees sharing data or connecting using mobile devices. It’s about providing a secure infrastructure for them to work in. Even for a small firm of just two employees, formalising an approach to information security is crucial. Such a policy should cover roles, devices, locations and other contextual attributes, securing corporate information and systems without impacting usability and employee productivity.
In the past, SMEs have lacked this kind of expertise in-house, but through growing partner networks that offer service models via the cloud, they are now able to access expert consultancy and infrastructure without paying the premium price.
Protection measures for SMEs
SME leaders need to nurture creativity and a degree of risk taking in order to get the best from their workforce, while at the same time recognising that attacks will happen and to have a contingency plan for this. Inevitably, this puts a lot of pressure on IT to take an adaptive trust approach to device connectivity and data security.
It starts with identifying individual worker preferences in order to build secure infrastructures around them. Employee training comes next, and this should not only include a needs-assessment by employee type, but should also educate employees on why such actions are important and how they can assist in improving company security.
There must be a mechanism for employees to provide feedback to IT and a service level agreement should be in place for how to respond to employee input and requests. Often IT is able to improve the effectiveness of workflows and policies simply by listening to employee feedback.
“Channel partners need to realise that if they are to capitalise on business opportunities in the increasingly growing SME space, they need to develop strong security capabilities in terms of both product portfolio and technical capabilities to act as consultants as well as carry out implementations.”
How SMEs adapt to the preferred behaviours of their workforce may be the make or break for long term growth. Embracing the need for openness, innovation, collaboration and some degree of risk is good – but only when an organisation can understand and plan for the security risks these behaviours bring with them.
From a channel point of view, the SME segment is a very lucrative one. The sales cycles are comparatively shorter and more predictable. Channel partners need to realise that if they are to capitalise on business opportunities in the increasingly growing SME space, they need to develop strong security capabilities in terms of both product portfolio and technical capabilities to act as consultants as well as carry out implementations. They also need to create specific SME focused teams and work very closely with vendors to address this space. Security is still one of the least crowded areas within the channel and partners who take the lead and invest in being ready to serve customer security needs will certainly be selling into a less competitive area as compared to traditional systems integration within networking or other IT fields. Specialisation is the key to success. Specialisation requires a mid to long term approach. Planning for training and certification is a core requirement of specialisation and needs to be proactively managed. If done early it becomes a natural strength of the partner organisation.