Security survey -- SMBs under attack

A new Forrester Research survey says SMBs aren't spending enough on security -- and many of them aren't sure where to start.

When it comes to IT security, SMBs usually neglect their needs until a crisis arises.

Smaller companies intent on growing their profits often focus so closely on the business that critical IT issues, like data security, get pushed aside. Some IT consultants warn that the savings SMBs receive by skimping on security can be eaten up by the cost of even a small attack.

A recent Forrester Research Inc. survey of 93 technology decision makers at North American SMBs shows that 56% of SMBs spend less than 4% of their IT budget on security, with another 12% uncertain of the amount they spend on security. Forrester defines SMBs as companies with fewer than 5,000 employees.

Security is a growing concern for smaller companies, which must deal with the same viruses, worms, spyware and spam as larger companies. Also, security has become an issue because of pressure to comply with government regulations intended for larger companies, like the Sarbanes-Oxley Act. Smaller companies must follow such regulations in order to do business with larger companies.

"Obviously, they don't have the big target on their backs that a larger organization has, but we're seeing a growth in targeted attacks," said Paul Stamp, an analyst with Cambridge, Mass.-based Forrester Research Inc. Targeted attacks mean malicious hackers aim to steal personal and financial information from specific companies they see as vulnerable, rather than sending out widespread blasts of malware. "A small organization can still be rich pickings for a targeted attack," Stamp said.

But while security is consistently listed as a top concern by SMB CIOs, security spending tends to be toward the bottom of their budget priorities. Security tends to be a "reactive" purchase for companies in general and SMBs in particular, Stamp said.

SMBs with fewer dollars tend to spend a smaller percentage of their budgets on security than larger companies, Stamp said, though exactly what purchases fall into the security category can be hard to define.

Attacks in general continue to increase as well. According to Cupertino, Calif.-based security vendor Symantec Corp., the number of attacks on Windows PCs during the second half of 2004 increased by 64% over the first six months of that year. Symantec documented almost 17,500 threats targeting Windows through the end of 2004.

Bradley J. Dinerman, president of the New England Information Security Group and vice president of IT at Newton, Mass.-based MIS Alliance, said SMBs gamble their security for the sake of a small savings in the bottom line.

"They know there are threats out there; they often tend to turn a blind eye or only want a solution if it's free," Dinerman said. "They think, 'well, we haven't gotten hit yet.' It's like going against the odds in Vegas."

SMBs are so focused on costs that Dinerman said he had one client reluctant to pay for a half hour of labor to install Microsoft's free Windows Server Update Services (WSUS), which automatically downloads patches and installs them onto desktops.

Dinerman advised another client that had installed antivirus software to purchase a product to scan incoming e-mail. The client refused, thinking the antivirus software was sufficient protection, and days later a single malicious e-mail attachment resulted in the client paying more in repair work than the price of the product.

"Most people have a hodgepodge of security technologies, but the problem is worse for smaller guys because they have fewer people to deal with the mess," Stamp said.

Regional managed security providers like Perimeter Internetworking, SecureWorks Inc. and Message Secure Corp. are other options for SMBs to consider, Stamp said. Dinerman's preferred vendor is GFI Software Ltd., with its MailEssentials and MailSecurity software.

When planning a security purchase, Stamp advises SMBs to consider how the new product will mesh with existing systems, and how much time and effort it will take to run everything as a whole. Sometimes bringing in something new means dropping something else, like deciding not to renew an old license.

"There's always going to be the next big thing you have to buy, but you also have to manage the complexity of your environment," Stamp said. "Balance the stuff that is new and what you have to buy to solve a particular problem with the stuff you have to refresh to make things easier for you. Balance new purchases against old stuff you refresh."
