Security is no small task for SMBs

SMBs may have fewer employees than their Fortune 500 counterparts, but the security threats they face often loom just as large. Tight budgets, undereducated users, dated infrastructures, growing regulatory pressures, and shrinking IT staffs pose the most common challenges. On top of those, a proliferation of worms and viruses are successfully penetrating SMBs in an increasing number of ways. Most evidence suggests that security problems will only grow worse.

Although security remains at the top of the pile of concerns SMBs are trying to address, many have yet to implement adequate solutions because they lack resources — human, financial, and educational.

“The acquisition of security products by [SMBs] is ad hoc and tactical by nature. They typically have built their security piecemeal over time. But what they bought two years ago may not be sufficient. They rarely take a step back and analyze their complete architecture. This problem is more about education,” says Mika Krammer, a research vice president at Gartner who focuses on IT management strategies for SMBs.

HIPAA and Sarbanes-Oxley are both forcing SMBs to build higher and thicker security walls around their business. At the same time, many SMBs desire to shift their companies over to a more open, Web-based business model, making a secure network even more elusive. As SMBs put their networks and Web sites in place for conducting financial transactions, many discover the hard way that their security products are woefully lacking.

“The scary thing is, when you talk to many SMBs, you find they don’t even have acceptable virus-protection software in place, which means if they get hit, it can have a material impact on their data. Some of them are hit so hard they do not fully recover,” says Chris Ogburn, Hewlett-Packard’s director of sales development for SMBs.

For that reason, some Web-based SMBs are making sizable security investments and enforcing strict policies. “There are very few administration privileges given, so our users can’t install anything themselves without having to go through IT,” says Gene Golden, vice president in charge of information technology at Ticketsnow.com. “The [chief security officer] enforces complexity and routine updates on passwords.”

The bad news for SMB IT shops is that their security issues will only get more complicated. Not only do they have to worry about any number of viruses and worms damaging their business with attacks on their servers and desktop PCs, but an increasing number of their employees are using unauthorized mobile devices such as handheld PCs, PDAs, and cell phones.

Many of these mobile devices get synched up by individuals to access sensitive corporate data. Because IT is not aware of their existence, they are rarely properly protected. It only takes one employee exposed to malicious software while using a wireless device at Starbucks to bring it back into the corporate network, where it will have an easy path to infect systems.

“A lot of security investments are to protect from outsiders. But we are finding more and more that security breaches are from people on the inside who carry viruses back in. It is not malicious, but because a lot of small and midsized companies don’t have policies in place or lack robust security environments, they are at risk,” Gartner’s Krammer says.

Some IT shops, however, keep close tabs on users who leave the premises with mobile equipment. “While we do have security on all servers and laptops and around the perimeter, we discourage [employees] from taking electronic devices outside the clinic. We will discuss it on a case-by-case basis and will make exceptions if we feel it is merited,” says Todd Zantow, network administrator at The Prairie Clinic. Securing an SMB environment is as much a social problem as a technical one. Not only are policies and procedures needed to govern how technology is bought and implemented, but also to govern users.

Realizing these necessities, Microsoft established its Security Guidance Center Web site last year, where smaller companies can register for training, download security tools, and sign up for things such as Microsoft’s e-mail-based security alerts and newsletters.

“Bottom line is people are looking for that silver bullet. What we are trying to do in our education [of SMBs] is get them to understand that security is an ongoing process,” explains Mario Jaurez, product manager at Microsoft’s security business and technology unit.

Thankfully, the number of options available for SMBs that want to practice better security is increasing. More security appliances are coming to market, relationships with services organizations are growing more common, and upgraded managed security services are expected to arrive later this year.

Trying to steer clear of one-off product solutions (often an SMB’s downfall), several top-tier suppliers are aggressively pushing multifunction appliances to address a number of specific security concerns.

“More and more SMBs are seeing [security appliances] as a solution. Instead of installing firewall software, which can be a daunting task for shops without a large IT staff, they prefer a more complete solution that is just plug-and-play, and that you can typically get for under $500,” says David Lonardo, Symantec’s technical product manager for entry-level appliances.

Higher-end SMBs with larger IT budgets and staffs — which might even include a chief security officer — are becoming more sophisticated in their approach to buying security products. These companies tend to think more strategically about security, and so invest in solutions that allow them to remotely manage security procedures. Remote management reflects a larger trend toward on-demand or utility computing that’s occurring across IT organizations of larger-sized companies as well.

More and more SMBs are starting to believe in the security benefits of partnering with large services organizations, such as IBM’s Global Services unit and HP’s services arm, too. These mammoth organizations show SMBs how to strategically implement and manage security solutions, as well as what policies and procedures they should put into practice.

“It is not just about security for midsized shops anymore, but business continuity,” says Stuart McIrvine, director of corporate security strategy at IBM Global Services. “[SMBs] need help dealing with not just threats, but managing the environment — whether that is managing users, classifying data, or giving access to applications. They have to think through those issues about what really forms the foundation infrastructure for their business.”

Some vendors are betting that managed services will be the next big thing when it comes to addressing security concerns among SMBs. HP, IBM, and Microsoft, among others, are readying new services, to debut later this year, which will provide a means to fix what they perceive as a lack of security skills and education at SMBs.

But regardless of which path SMBs take to better secure their networks, one thing is certain: Getting there is bound to be expensive. Market researcher IDC predicts that SMBs will spend an impressive $360 billion on IT products in 2005.