Konstantin Voronokov from Kaspersky Lab tells us why SMBs need to understand and invest in security now more than ever
In 2013, 83 percent of SMBs were happy to spend money on enterprise-class solutions to guarantee sophisticated IT security for their company. However, things have since changed, with some migrating to free solutions and others using consumer products for the business environment.
As a result we now see 21 percent of SMBs using free solutions to ensure the safety of their work. Our study showed that in the absence of IT professionals, half of companies surveyed will opt for a free solution. Interestingly, it’s not just small businesses that use these free solutions. A small but still significant number of medium and even large companies (3 percent of each) also prefer to use such products to protect their critical infrastructure.
I discussed the topic with a friend who runs his own small café. When I asked him about his IT security he simply shrugged it off, asking, “Is it such a big deal? I have my free antivirus program on my business laptop and that’s it. IT isn’t my core business, so why should I worry about it?”
With this in mind, we decided to look at whether free antivirus software is really free of charge, and whether it can actually offer reliable protection against the threats facing businesses today.
Like any ambitious businessman, my friend wants to develop his café business. He owns three computers and one small server where all his data is stored. Employee smartphones are also registered on his Wi-Fi network, enabling them to access corporate emails and other data. The café also has an online store created on a free platform.
Free software offers basic functionality, and the perception is that the business is too small to attract hackers. However, statistics do not back up this way of thinking.
According to research by IDC, there are almost 80 million businesses worldwide that employ fewer than 10 people. This suggests that small businesses make up a significant share of the global economy. However, unlike large corporations, they are often unable or unwilling to invest in information security. While these large corporations tend to suffer from targeted and carefully planned attacks, smaller firms often fall victim to malware epidemics and offer a quick and easy target for hackers to steal money from.
Sometimes small businesses, especially those in service industries, are caught in the collateral damage from a large-scale campaign against an organisation whose employees use their services. In cases like this it is often possible to avoid direct financial losses but once a reputation is damaged it can take a long time to recover.
So why should a business think twice about using free security solutions?
The first issue is a commercial one. Perhaps the most important feature of any IT security solution is regular updates of the antivirus database and the application itself. That’s a time-consuming process and it costs money. How can a vendor cover the cost if they don’t have any other commercial security products bringing in revenue?
It’s quite simple: If the user does not pay, then someone else pays for them. This ‘someone’ is often an advertiser. For an advertiser, free antivirus software is no different from other free services such as Facebook where users make a potential audience for viewing adverts, and the revenue from this advertising keeps the service going. To help the process, manufacturers often install a default browser toolbar, redirecting to their own search engine. This is designed to collect information about users, their browsing history and their online behaviour, in order to deliver as much contextual advertising as possible.
It’s clear that the main task of the ‘free antivirus’ developer is to meet the needs of advertisers and their revenue source, rather than ensure the safety of users.
The next problem is functionality. If a vendor is not selling its user data to advertisers, the free solution is usually a reduced version of a commercial product. Many free solutions distract users with pop-ups trying to persuade them to purchase an enhanced version. In most cases, the free solutions have limited functionality and only provide basic protection against cyber-threats. Additional security services such as protecting financial transactions, encryption, data leak prevention, backup copying or protecting mobile devices are not provided. Technical support is also usually limited, and additional elements and plugins are often installed by default, taking up valuable resources and slowing down the system.
So how can anyone get the necessary protection without spending too much money?
It’s a question of balance between needs and desires. If you sell jewellery via a page on a social networking site, or run a street-food kiosk, a free solution might be good enough for you and you might be able to overlook the shortcomings. However, if you want to develop your business and increase the turnover, you need to consider providing an appropriate level of security for information resources.
After much discussion, my friend and I agreed that it would be wrong to choose an IT security solution based on price alone. The assurance that your business is safe and nobody can commoditise you for an advertiser is priceless; the rest can be purchased at a reasonable price on flexible terms.
A fully-fledged IT department is a serious consideration for any small business plan, and hiring an outsourcer to focus on IT security issues remotely leaves small business owners free to continue to do what they do best – grow.
Konstantin Voronokov is head of endpoint product management at Kaspersky Lab