Yet the security of SMBs has become a mounting concern. While attackers are increasingly focusing on small businesses, only 10 percent of businesses with 250 employees or less have a full-time IT administrator, according to a 2012 study conducted by Symantec and the National Cyber Security Alliance. The study found that nearly 70 percent of companies did not even have an informal Internet security policy or provided their employees with security training.
Managing 100 or 1,000 desktops and a handful of servers, information-technology managers at smaller firms find themselves drawn to cloud services for their ease of use, but are frequently uncertain at how to protect their systems or data, says John Howie, chief operating officer for the Cloud Security Alliance. "The average small or [midsize] business cares that their system is secure, but they don't have the time or the resources to ensure that they are secure," he says.
For that reason, the CSA announced in April the formation of the SMB Working Group, which will focus on providing advice and information on the secure use of cloud services. While the working group will not publish a report before November, cloud providers gave four suggestions for SMB executives and managers to keep their businesses safe today.
1. Rely on cloud for expertise
While some midsize businesses have enough security expertise to move their systems to the cloud as part of a more hands-on infrastructure-as-a-service option, for most SMBs software-as-a-service works best, says Carson Sweet, co-founder and CEO of CloudPassage, a cloud security provider.
"It's a great option because, if they don't need the flexibility, it takes a huge amount of responsibility off of their plate," Sweet says.
[Straight-shooting advice -- and some out-of-the-box thinking -- on how smaller companies can save money on security while doing it better. See 5 Ways For SMBs To Boost Security But Not Costs.]
For the most part, software-as-a-service providers will help SMBs offer their employees the business services they need while taking care of most security concerns. In most cases, SMBs should not be running e-mail, file, or Web servers unless the service is a differentiator for their firms, the CSA's Howie says. Instead, companies should benefit from the security expertise of cloud services.
"Don't try to run that stuff in-house because chances are that you will expose yourself to data theft or data loss," he says. "Outsource all that headache to the cloud and the cloud provider, and they will do a better job."
2. Interrogate your cloud provider
In that vein, SMBs have already taken to cloud services, whether by choice or because employees have jumped on the bandwagon without consulting management. About six out of every 10 SMBs uses cloud services, with the average spending reaching 12 percent of the information-technology budget, according to IT tools maker and community hub Spiceworks.
Yet, before signing on with a cloud provider, prospective customers should do their due diligence, says Joel Smith, chief technology officer and co-founder of AppRiver, a provider of cloud services for SMBs.
"It would be very simple for any size company to do a due-diligence check list," he says. "The questions can be asked in a way that you can tell if the provider knows what they are doing, and you can tell if they have thought these [security] things through."
A good start is the Shared Assessments program, which standardizes the process for vendor assessments and has a free manual (PDF) available for assessing cloud providers.
3. E-mail and Web security: No brainers
A group of basic business services should be considered a no-brainer for most SMBs: e-mail, Web hosting, and file-sharing services, say cloud providers.
"Given that cloud providers are very good at running very secure infrastructure, you are probably better off going to the cloud for simple workloads, such as e-mail, document collaboration, unified communication, telepresence, and CRM," Howie says. "If I were starting up a small business, there is no way I would consider having on-premise IT anymore for e-mail or document collaboration."
Cloud providers are able to provide e-mail infrastructure with antivirus and anti-spam filtering for about half the cost of having an in-house server, according to AppRiver's Smith. And Web security, by using a cloud proxy service, can stop employees before they get infected by going to a malicious Web site.
"Do a quick, broad check of your traffic to make sure that your users don't go to compromised Web sites in the first place," Smith says. "We have plenty of scenarios where a customer signs up and they find that they are compromised and they didn't know."
Finally, companies should look at augmenting the security of business services with additional cloud security. Vulnerability-management providers that frequently scan Web sites for flaws and Web application firewall services that block attacks on companies' Web sites are examples of services that can help a company defend its borders.
4. Access management, backups: depends
Two businesses services that can work in the cloud but may not be a slam-dunk for smaller firms are access management and automated backups.
External access-management services -- such as Windows Azure Active Directory -- are generally not designed for internal devices but for managing external access to cloud resources. For that reason, keeping Active Directory in-house is easiest.
Storing backups in the cloud benefits from all the other advantages of cloud services, such as the expertise concentrated at the cloud provider and the fact such backups are automatically taken off-premise -- a key security requirement of a good backup strategy. However, even small companies can create massive amounts of data, which can make cloud backups slow and data restoration even slower.
Yet that depends on the service provider, argues Piyum Samaraweera, director of product management for online backup provider Carbonite. The company has come up with its own strategy to get around bandwidth limitations: The company restores data needed most by the client first and then completes the process as quickly as possible. If the company needs all the data as soon as possible, Carbonite will overnight the information on physical media.
A large part of the process is giving the best support, Samaraweera says.
"If they have a catastrophic event that deletes critical data, we advise the client on the quickest way for them to get back the data," he says. "We walk them through the process of bringing the data back to the computer."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.