Risk
3/11/2014
07:57 PM
50%
50%

Security Services Cater To SMBs

Cloud and managed security services are headed down market with simpler interfaces masking their enterprise heritage

Small and midsized businesses will gain more choices in 2014 for securing their data and networks using cloud and managed services, rather than buying and installing products inside their perimeters.

A handful of security firms have announced simpler versions of their enterprise cloud security services, slimming down the signup process and removing complex configuration options to make the offerings more useful for smaller companies. In other cases, security vendors traditionally targeting larger firms have provided the infrastructure for managed security service providers to step in, set up and maintain digital defenses for smaller companies.

Cloud security firm Zscaler, for example, is beta-testing a slimmed-down version, dubbed SHIFT, of its enterprise security offering, limiting the dashboard to a single page and aiming to get companies "up and running in 5 minutes or less."

"If you are doing it right, security should be on or off," says Patrick Foxhoven, chief technology officer for emerging technologies at Zscaler. "They need the technology, but they don't need all the complexity."

SMBs are among the largest adopters of cloud services. In 2014, the average SMB will spend 14 percent of its information-technology budget on cloud, and another 11 percent on managed services, according to information-technology managers surveyed in the 2014 State of IT Budget Report (registration required) published by SMB information services firm Spiceworks. While many smaller businesses are hesitant to use cloud services, 94 percent of firms say that moving to the cloud had a positive impact on security, according to a June 2013 Microsoft survey.

Because many SMBs do not understand their security needs, they put themselves at risk, Stephen Cobb, a security evangelist for antivirus firm ESET told attendees at the RSA Conference in February. Cybercriminals are finding the combination of valuable assets and lack of security awareness in smaller businesses to be a sweet spot for attacks, he said.

[New study highlights uncertainty among small to midsize businesses on cyberattacks and threats. See SMBs Unsure And At Risk, Survey Finds.]

SMBs that want to harden their business against attacks should follow a process of ABCDEF, according to the company: Assess the business's assets, risks, and resources; build a policy; choose the security controls; deploy security measures; educate employees and vendors; and further assess the company's security.

Yet, many small and medium business want simple security measures that give them visibility into what risks may be affecting their networks, whether an attacker compromising computers or a rogue employee exfiltrating data. Getting rid of the complexity is important, says Wolfgang Kandek, chief technology officer at Qualys, a cloud security provider.

"From a philosophical point of view, I think the problem is that security is very complicated," he says. "So we have been trying to make it easier and make it very approachable."

When Qualys aimed for the small- and midsized business market, the company decided to strip out the more complex functionality from its service. Last year, the company announced its vulnerability management offering for smaller firms, QualysGuard Express Lite. At RSA in February, the company went even simpler, announcing--in conjunction with the SANS Institute and the Council on CyberSecurity--a service to scan for the Top-4 Critical Security Controls, which, historically, could have prevented 85 percent of breaches.

Many smaller companies do not have the expertise to assess whether their network is at risk or what policies might help them secure their data. For those companies, a managed security service provider can be the expert to offer advice and manage the security of the network, says Seth Geftic, associate director of RSA Security Analytics. A number of firms have targeted the SMB market, including Dell SecureWorks and Trustwave.

In February, security firm RSA announced it had partnered with Verizon Enterprise Solutions to make its enterprise-focused products available as a service to smaller companies as well. Those companies can benefit from an experienced security consultant, Geftic says.

"Partners can really help out by providing the skills," he says. "Not just be a service, but analyzing the data and telling the customer what they should be going after and what they should be doing."

Whether they choose a cloud service or a managed provider, SMBs looking to improve security will have a lot more options in 2014.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?