Small to midsize businesses (SMBs) face most of the same security challenges as enterprises on a daily basis yet they typically lack the dedicated security staff expertise and resources of larger organizations. Although precise estimates vary, somewhere around half of all security incidents affect organizations with less than 1,000 employees. Sure, data breaches at Target and the IRS are what make the news, but it’s important to remember that the threats to SMBs are very real and just as common—even if staggering dollar figures aren’t always involved.
In many cases, a SMB’s IT administrator faces the same threats that teams of his or her enterprise counterparts face, except that he or she is likely to face them alone while trying to deal with 20 completely unrelated issues at the same time. This makes designing a security solution for a SMB audience a difficult contrast between ease of use and state-of-the-art technology shielding.
Small fish still make big target, though. In a Visa and National Cyber Security Alliance (NCSA) survey of 1,000 small business owners, 85 percent believed that enterprises are more targeted than they are, yet another survey by the same group found that 20 percent of small businesses suffered a data breach in 2013.
So, as long as your data holds value, criminals don’t care how big your company is. Data that holds value includes employee and customer personal and banking information, sensitive corporate intellectual property (IP), sales and product information, and company financial information such as payroll data. There’s also another angle: criminals can use the systems of a small business to exploit trust relationships with larger businesses. If this is the case, then the small business is held responsible for the damages done.
Small But With High StakesObviously, the stakes are high in SMB security. Therefore, selecting SaaS endpoint protection software is a critical decision for IT administrators of SMBs. In many ways, you’re choosing a partner that is going to help you secure servers, desktops, laptops, and mobile devices. This is likely to be a long-term partnership because you don’t want to evaluate software solutions, roll one out, remove it, reevaluate, and redeploy. So, look for someone who has a track record of combating threats by evolving, refining, and adding new protection technology as applicable.
This partnership is solidified when you choose a SaaS package instead of an on-premises package because, instead of buying software that you run yourself, you’ll have daily interactions with software that’s administered (and updated) by your vendor. SaaS, or cloud-based, endpoint protection software solutions have the advantage of reducing the complexity formerly required by their on-premises predecessors that typically run on dedicated servers. SaaS endpoint protection software solutions save you a great deal of time and effort that would otherwise have gone into hardening and patching the underlying server operating system (OS), and patching the management console and its underlying infrastructure.
Cloud-based services can also be managed outside the office, which was possible to do but not that easy when the management server ran on-premises. In many cases, a hosted management console can be accessed and easily used from a mobile device. As an SMB security administrator, imagine getting an email alert on your phone that the business owner has encountered malware, then being able to log in to the management console from your phone’s browser and initiate remediation activities.
Another important advantage is that SaaS software solutions provide protections (and updates) to devices that are off of the corporate network. When your coworkers take their laptops on the road with them, they continue to be protected, and you retain the ability to monitor and manage their devices. Previously, once a laptop left the office, a security administrator might have to wait until it returned (or was connected via a VPN) to assess its security status, push updates, adjust policy, or remediate threats.
Many SMB’s employees heavily rely on mobile devices to do their jobs. This means that mobile platforms represent as rich a target to hackers and malware as office-based systems. Many businesses overlook mobile device security, leaving this data-rich target unprotected or entirely in the hands of employees who may or may not deploy consumer-grade protections.
Security vendors are responding to these threats and have added protections for Android and iOS tablets and smartphones. Make sure to ask SaaS endpoint protection software solution providers if mobile is included (or at least available) and can be managed through the same hosted interface. You’ll find richer security support for Android than for iOS. Much to the chagrin of customers, Apple selfishly continues to push its marketing agenda that iOS devices are safe from malware and refuses to work with security vendors. Vendors offer to manage devices (e.g., locate and remote wipe) and security policy (password strength, application control, and Wi-Fi settings) for iOS and Android, while offering full security software (e.g., anti-malware application scanning, firewall, and intrusion prevention) only for Android.
Evaluating SaaS Endpoint Protection Software SolutionsPicking the right cloud-based or SaaS endpoint protection software solution is an important decision for a SMB. Choosing the wrong product could result in creating a false sense of security amongst users and management, and creating a management nightmare for administrators. Products that are needlessly complex are fine for enterprise security admins who live and breathe inside a management console, but you don’t want to waste a SMB security administrator’s time and effort—two things that are not in overabundance in any SMB.
For this reason, and because there are significant differences between them, management consoles should be a critical decision making factor when selecting a SaaS endpoint protection software solution for your SMB. The best management consoles are uncluttered, intuitive, and have context-sensitive help waiting in the wings. Dashboards should provide a thorough assessment of company-wide security status and, when something is wrong, provide a quick and easy way to dive deeper, assess the issue, and resolve it. Reports should be helpful and informative whether they are active or passive or both. Policies should be preconfigured using best practices, with the ability to quickly and easily make changes should the administrator desire.
For a busy SMB security administrator, alerts and notifications can be critical time-savers. Some may choose to stay logged in to a SaaS endpoint protection software solution, occasionally glancing at dashboards and interactive reports. Others may deploy their agents and then move on to other matters, depending upon notifications and scheduled reports to keep them up-to-date on the security of users and devices. If this is the case, pay particular attention to the number of possible notifications (such as malware detected, Web content policy violated, and potential malicious URL visited) and the capabilities of the product to manage (i.e., set thresholds and escalations) the alerts.
FEATURED IN THIS ROUNDUP
Sophos Cloud Endpoint Protection$14.33SaaS endpoint protection software solution Sophos Cloud Endpoint Protection combines an outstanding management console with good protection scores in our lab tests. Server lockdown, user-based policy management, and new application control features are its strong suits. Read the full review ››
McAfee Endpoint Protection Essential for SMBs$24.65McAfee Endpoint Protection Essential for SMBs talks about making SaaS endpoint protection easy for SMBs likely but doesn’t do enough for most. The ePO Cloud management console is complex, with workflows that are often disjointed and awkward. However, if you can handle the interface, testing shows that McAfee’s protections are solid. Read the full review ››
F-Secure Protection Service for Business$110.00F-Secure provides excellent endpoint protection but with a dated, cumbersome management console. We welcome the upcoming update to the console’s look and feel, although it won’t add features we’d like to see such as better reporting, customizable email alerts, and a customizable dashboard. Read the full review ››
Avast Software Premium Business Security$120.00Avast Premium Business Security is a good step up from the free offering, yet lacks many of the features (like reporting) required for businesses to take it seriously. An upsell front and center on my dashboard tells me that Avast doesn’t even take itself seriously. Read the full review ››
Kaspersky Lab Small Office Security$149.99Kaspersky Small Office Security is an extremely basic web management console tacked onto Kaspersky’s consumer product. It lacks many of the features businesses require and will only appeal to those who usually buy a consumer product for business. Protections are outstanding; management is insufficient. Read the full review ››