
Data Security: A Good Talking Point But Only a “Grudge Purchase” Amongst SMEs

Dhaval Gupta

One of my SME customers, a readymade garments exporter, went through a harrowing time last month. One of their foreign buyers transferred their payment online and confirmed the successful transfer to them. After a few days, this SME realised that the money had not been transferred to their bank, but to some other bank in China, with whom they had no relation whatsoever. The customer claims to have received a mail from the SME (and that too from the SME owner's account) asking them to transfer money to this account in China. It seems that the customer's mail account was compromised, although the customer claims to have not shared his password with anyone.

Another SME customer recalls how their mail account would not open one Monday morning. This was the only account that they were using to discuss business with their customers. Frantic calls to the website hosting company, the email providers and to their own SI resulted in vague answers such as hacking, virus, malware, etc.

A third SME owner recalls an incident when he decided to increase IT security within his office. They created and implemented a strict IT usage policy across all branches. The policy barred people from using external, high-risk devices, such as pen drives and CD writers. They tried to ban use of sites on cricket, etc. during office hours. Unfortunately, most of his people reacted negatively to this move, citing trust issues. No amount of discussion with the seniors could convince them.

Similarly, another SME owner bemoans the fact that his decision to increase IT and physical security, by using video surveillance, at his office and factory was met with stiff resistance by almost all, citing trust and faith issues.

Our experience of IT security at SMEs is not very encouraging. Most SME owners discuss security breaches as a phenomenon that can potentially occur only at large organisations, and believe that they need not bother about it. SMEs are increasingly being targeted, but many believe they are not on the radar of the cyber criminals.

So although IT security is still an area of concern for all stakeholders, most SME customers are only willing to discuss it, but are not too comfortable implementing it.

Some of the reasons, as per our understanding, are:

- Lack of knowledge on the potential hazards

- Lack of knowledge on data management

- Lack of industry best practices

- Lack of resources to manage

- Nobody bothers till it actually hits the organisation, hence not an area of priority

- High perceived cost of avoiding a threat (better to copy data on external HDDs, etc.)

SMEs Not Aware of Potential Hazards

Most customers assume that they are very secure, and the very basics of IT security precautions are not being addressed. Most SMEs are still not too comfortable using data in their decision-making process. Lots of major decisions are still being taken on instinct rather than on hard facts based on past data. This, we feel, is more applicable to SME owners who are still not sure of automation in their respective organisations.

We call these organisations followers. Followers are those organisations that are most probably waiting for their suppliers, vendors, OEMs, even competitors to automate and try out the newer technologies before they themselves implement them.

We are always on the lookout for leaders who are at least open to changing their mindset. The leaders are either willing to embrace or have already embraced technologies in their day-to-day working. These are the organisations with vision and with maturity. These SMEs are the ones who have realised that their competition is not only from Indian organisations but from similar SMEs offering services in Pakistan and Thailand and even Brazil.

With the increasing use of online channels as a medium for buying goods and services, security risks cannot be wished away. The use of credit cards for online purchases has only increased the risk.

One of the biggest hindrances to adoption of cloud by the SME sector is lack of confidence in data security. The issue of data protection and compliance continues to bother the SME sector.

SME owners also feel that one may have the best technology in the world, but then a simple discussion with a careless employee can reveal all details to the world outside.

Most of our customers still do NOT have full faith in discussing IT security with vendors. Security discussions still waver around antivirus and firewalls. Our efforts to convince the SME to at least look at securing their data mostly end in reluctance about the need and the perceived wasteful expenditure. Since most vendors try to talk products, rather than present a holistic approach to security, the disconnect is almost immediate and mostly long term.

SME owners also complain about the high cost and bemoan the fact that they have to live with "outdated technologies". Of course, lack of a pre-planned budget is a major bottleneck for this. Most SMEs cannot afford the high capex as well as the high cost of management.

It is ironic that IT security solution providers still have to sell security concepts and solutions to the customers. We strongly feel that SMEs need to be educated on the importance of securing their data from both external and internal threats.

One grey area we came across was the almost total lack of accountability of IT assets within the SME premises. SMEs should try to focus on the IT assets and their location and should develop and implement a tracker system for their IT assets.

SME customers still treat this as buying insurance and end up buying whatever is absolutely necessary. This is mostly a reactive purchase, post some major or minor security breaches. There should be a pre-emptive action plan on securing data. It still remains a good talking point amongst all stakeholders and mostly remains a "grudge purchase".
