SMBs just don't know what's bad for them.
With its new "State of Internet Security" survey, Webroot
Software Inc., a Boulder, Colo.-based security software vendor, has
revealed some troubling news about how small and medium-sized
businesses (SMBs) protect themselves from
Web-based threats.
 | | | | | SMBs don't have big IT
departments and they don't fully understand all the different
threats.
Avivah Litan
research directorGartner
Inc. |
| | | | | |
| |
|
Of the 305 U.S. companies Webroot surveyed, viruses and worms were
rated as the most serious threat to their security. Fifty-eight
percent called
viruses and
worms a very or extremely serious threat. Only 45% saw
spyware as equally critical.
It's that failure to take spyware as seriously as viruses and
worms that's putting SMBs in danger.
"Whether it's the consumer marketplace or the SMB market, users
have been cautious over many years now about opening email
attachments because of the virus threat," said Peter Watkins, CEO
of Webroot. "But if you look at how threats have evolved over time,
experts will tell you that the virus issue is largely contained.
The threat has migrated substantially over to spyware issues.
Spyware has very different characteristics, but people think
viruses first, and other threats after that."
Watkins said viruses tend to announce their presence. When they
infect, they overwhelm desktops and corporate systems and clog the
network. Spyware is more clandestine. Its designers don't want
businesses to detect them so they lay low and do their damage
without being noticed until it's far too late. So spyware detection
is often an afterthought to SMBs.
But spyware most certainly shouldn't be an afterthought. Just
looking at the reporting infection rates in Webroot's survey bear
that out. While it is true that viruses are still a threat,
spyware appears to be causing more trouble.
More than 61% of SMBs reported that they had been infected by
viruses in the last year, but 71.5% said they had been infected
by spyware.
These high rates of infection occurred even though 96.4% of SMBs
said they had an antivirus technology installed. Webroot said this
is because most antivirus technologies don't have the detailed
intelligence needed to deflect the full spectrum of threat beyond
standard viruses.
Webroot's research also showed that spyware is more costly than
viruses. Across the board, more SMBs reported that spyware had
compromised confidential data, disrupted business activities,
drained IT resources, reduced employee productivity, slowed system
performance and threatened sensitive online transactions than SMBs
that reported similar problems caused by viruses. Viruses were more
costly to SMBs than spyware in only one area of the business --
causing lost sales. But in this category it was only by a slight
margin, 47.5% to 47.2%.
"It's strange," said Avivah Litan, vice president and research
director at Gartner Inc. in Stamford, Conn. "I've found the same
phenomenon with consumers. They're more concerned about viruses
than they are about spyware and malware. It is just awareness.
There's just so much advertising about viruses. SMBs don't have big
IT departments, and they don't fully understand all the different
threats."
Litan said she saw this vividly illustrated at the Gartner
Symposium ITxpo in Orlando, Fla., last week. She said IronPort, a
San Bruno, Calif.-based competitor to Webroot, got permission from
Gartner to sniff the IP traffic at the conference. IronPort found
that 2% of the traffic coming from conference attendees' laptops
consisted of malware.
William Bell, director of information security at Tempe,
Ariz.-based EC Suite LLC, a 320-person e-commerce hosting company,
uses an application "whitelist" approach with Sanctuary Application
Control from Lumension Security Inc. that is opposite to the basic
antivirus strategy that so many SMBs are using.
While most antivirus technologies basically scan incoming code
against a blacklist of known viruses, Bell uses his Lumension
product to maintain a whitelist of approved applications for his
end users. If someone tries to execute something that is
unsanctioned, Bell's system refuses to allocate memory to the
program. In effect, spyware just can't start, no matter how many
times his end users might accidentally expose his environment to
it.
"It is something I have found to be well worth the extra amount
of effort on my team's part to deploy this solution," Bell said.
"With an antivirus solution there is no extra effort. Computers get
updated by live update [by the vendor]. There is no administrative
overhead. In this scenario, the maintainers of the program have to
maintain the whitelist. It's about a five- to seven-minute window
per new application."
Of course, Bell has seven dedicated information security
professionals working under him. Most SMBs don't have such a
luxury. He said he knows many other medium-sized companies have
small security departments.
"I find it surprising that there are companies that feel they
are doing their due diligence with hindered staff," he said. "I
know a few companies north of 1,500 to 2,000 employees who have
only two people in their IT security teams. I guarantee those
companies are not doing their due diligence. They're running just
what is absolutely necessary. And they will pay for it."
"The SMB segment is in a unique situation because they have
certain profiles that are similar to larger companies," Watkins
said. "They are exposed to the same issues, but they don't have the
same resources."
In fact, nearly 58% of U.S. SMBs surveyed by Webroot said they have
fewer than 10 people on their IT teams.
"In the typical small business you find that problems don't get
fixed until it becomes an urgent issue," Watkins said. "Waiting
until you've actually been hurt is exactly what the bad guys want.
They try to make it so that you are never aware that you are
compromised."
"You don't need great IT resources to protect against spyware,"
Litan said. "You just need to know to protect against it. I expect
there to be a lot of awareness rising in the next few years."
Let us know what you think about the story; email:
Shamus McGillicuddy,
News Writer