A client of solution Provider Axess Communications found himself in serious trouble, in a most unexpected way.

The client, a small-business owner, had hired a friend who was given complete access to the company's database, web site and customer lists. Some time later, the friend announced he was leaving to begin work at a family business in another industry, thanked Axess' client for the opportunity to work for him and left on excellent terms.

The following week, the client learned this "friend" had not gone into the family business after all, but had created a web site almost identical to his, and was soliciting business from his customer base. This friend, before leaving the client's employment, had stolen copies of the web site and the entire customer base, turning himself into an instant and formidable competitor. Axess was hired to track thumbprints on the data to prove it was stolen. The case is ongoing. The friendship? Likely over.

This type of internal threat to a business network is becoming just as real, and just as costly, as the external threats the industry has long waged war against. In February 2009, The Washington Post reported on a survey by the Ponemon Institute, a research group, that found nearly 60 percent of employees who were asked to leave a job, or who quit on their own, stole company data. "An alarming finding from the survey showed that 24 percent of respondents said they still had access to their employer's computer network after they left or were let go," the story reported.

Sometimes the internal weak link is inadvertent – an infected iPod brought in by an employee or an outside consultant who does not follow procedures. Sometimes it's not.

A recent survey by software publisher Symantec of SMBs found that 27 percent of respondents reported loss of data from deliberate sabotage by employees, and an equal percent reported data loss from theft. The weak economy and its accompanying layoffs (more than 2 million people were laid off between January 2008 and March 2009) have also helped spur employee data theft, say observers.

This grim news helps explain why the opportunity for solution providers in the SMB security market is so significant right now.

SMBs: A Channel Sweet Spot
The need for security among SMBs, who often lack the financial and technical abilities to implement their own comprehensive security solution, is a "sweet spot" for solution providers with the right skills, according to Dan Kummet, Axess' director of business development.

Mike Wray, president of solution provider Trilobyte Sales, agrees. "SMBs are becoming aware there is a (security) problem," he says. "They fire an employee who was carrying around a flash drive, and data disappears."

Until only recently, most SMB customers didn't think twice about the security risks of flash drives or wireless routers. Because it was the same consumer technology that they used at home, they didn't see the danger in it, according to Eric Pinto, vice president of operations at DefenderSoft, a security solution provider. "After five years of providing security services, it seems like SMB customers finally get it: the security concerns are real. Data loss protection and managing your internal environment -- not only from outside threats, but inside information theft -- represent a vital piece of today's SMB security platform," Pinto says.

What Are SMBs Looking For?
If your SMB prospect is a dentist office, a tax service or any number of other businesses subject to government regulations, it's a sure bet they'll be receptive to security solutions.

"HIPAA (privacy relating to health-care records as provided in the Health Insurance Portability and Accountability Act), Sarbanes-Oxley (related to corporate governance and financial practices), financial institutions -- they all need security," says Arlin Sorensen, CEO of Heartland Technology Solutions, a regional solution provider.

Trilobyte's Wray says he has a neighbor he expects will soon become a client. She provides home healthcare and has just landed business with the Veteran's Administration. But, he says, she "has no idea" how to secure data relating to HIPAA, medical histories, Social Security and the like. "She's a small business and she will have to address these issues pretty quickly," he says.

SMBs with mobile employees represent another opportunity. "People are wrestling with security as more and more workers want and get access from everywhere for everything," says Sorensen. Mobile workers, he says, want access to e-mail, VoIP, the files they have on the company's network, information on where teammates are and collaboration tools. "They want what they have at their office desks remotely in Starbucks, hotel rooms, their cars," he notes.

The challenge, of course, is to provide easy and comprehensive remote access, while keeping the company's data secure. "As we enable all this connectivity, we give up control and the ability to know who is on the other end of the wire," says Sorensen. This opens opportunities for biometric devices, such as flash drives that require thumbprints and USB ports that require passcodes -- security devices all within reach of an SMB's budget.

Wray says he is having discussions with law firms concerned about lawyers and paralegals who, if fired, can then walk out the door with lots of sensitive information on a flash drive.

Sometimes the simplest advice can be among the most valuable and can build customer loyalty. As Sorensen notes, "The biggest risk to security is still the people at the keyboard." Sturdy firewalls and impenetrable encryption can be circumvented when users are careless and do not follow procedures. For example, Sorensen recalls an incident when an employee left his work password on a sticky note attached to his home computer, and his kids got on the company's network and played havoc. Because of this, an effective security solution goes beyond technology and involves procedures and employee training.

Profit Margins
Solution providers are attracted to the security market not just because of its growth potential and the realization of SMBs' need for it, but also because of the market's profit margins. Wray says you can earn a "minimum" of 20 percentage points of gross margin, and "50 percentage points is out there, if you bundle the security technology with the right suite of services."

"The security market is definitely lucrative," Wray says. Heartland's Sorensen is also impressed by the market's profit potential. He comments: "Security is a higher-margin business than a lot of other markets. It is also an ongoing business: You never get done, you have to consistently test, verify and monitor, so it provides an ongoing stream of income. It also provides higher profitability because it requires a higher skill set than other markets." He reports that his typical services businesses generate about a 50-percent gross margin, while security services are in the 60 to 65 percent range.

The SMB Sales Conversation
Sorensen starts his sales process by using an assessment tool that consists of a series of questions related to the client's business, security needs, and policies. This requires not just an understanding of a customer's technology, but also their business process, something not every solution provider is immediately prepared to do. "It's a pretty unique skill set," says Sorensen.

Practicing what you preach is also a selling tool for Sorensen. His firm, Heartland, uses dual-factor authentication and passwords with a physical requirement like a thumbprint for its own security. It uses this in-house system to demonstrate to potential clients what Heartland can do for them.

Sorenseon also provides a bit of irrefutable logic. "It's just a matter of getting the client to stop long enough to think about their exposure. We ask, ‘What's the impact on your company if you lose your data for two or three days?' Stopping to think about it changes their unwillingness to do something about it," he says.

A savvy marketer, Kummet of Axess uses e-mail newsletters sent to rented lists of vertical markets, webinars that educate prospects about security, three in-person client seminars per year, and partnerships with security vendors as ways of marketing security services and products.

Trilobyte promotes PGP and Juniper products to its security clientele, while Axess leads with a SonicWall platform. Other offerings exist, with many security solution providers working in the SMB space leading with vendors such as Symantec and McAfee.

Chris Squier, a security-focused technology solutions engineer with Ingram Micro, warns, though, that going after too big a job before you are well-versed in security can backfire. "There's the temptation to go for the monster opportunity, but there may be pieces of that puzzle you are not comfortable with. We (Ingram Micro) can help, but you need to get your sea legs under you before you go after the big fish."

Ingram Micro offers a range of services for solution providers looking to tackle the security market. If you're an Ingram Micro customer, call the Security Help Desk at (800) 445-5066, ext. 76102, or visit ingrammicro.com/security for assistance.