With its new "State of Internet Security" survey, Webroot Software Inc., a Boulder, Colo.-based security software vendor, has revealed some troubling news about how small and medium-sized businesses (SMBs) protect themselves from Web-based threats.
It's that failure to take spyware as seriously as viruses and worms that's putting SMBs in danger.
"Whether it's the consumer marketplace or the SMB market, users have been cautious over many years now about opening email attachments because of the virus threat," said Peter Watkins, CEO of Webroot. "But if you look at how threats have evolved over time, experts will tell you that the virus issue is largely contained. The threat has migrated substantially over to spyware issues. Spyware has very different characteristics, but people think viruses first, and other threats after that."
Watkins said viruses tend to announce their presence. When they infect, they overwhelm desktops and corporate systems and clog the network. Spyware is more clandestine. Its designers don't want businesses to detect them so they lay low and do their damage without being noticed until it's far too late. So spyware detection is often an afterthought to SMBs.
But spyware most certainly shouldn't be an afterthought. Just looking at the reporting infection rates in Webroot's survey bear that out. While it is true that viruses are still a threat, spyware appears to be causing more trouble. More than 61% of SMBs reported that they had been infected by viruses in the last year, but 71.5% said they had been infected by spyware.
These high rates of infection occurred even though 96.4% of SMBs said they had an antivirus technology installed. Webroot said this is because most antivirus technologies don't have the detailed intelligence needed to deflect the full spectrum of threat beyond standard viruses.
Webroot's research also showed that spyware is more costly than viruses. Across the board, more SMBs reported that spyware had compromised confidential data, disrupted business activities, drained IT resources, reduced employee productivity, slowed system performance and threatened sensitive online transactions than SMBs that reported similar problems caused by viruses. Viruses were more costly to SMBs than spyware in only one area of the business -- causing lost sales. But in this category it was only by a slight margin, 47.5% to 47.2%.
"It's strange," said Avivah Litan, vice president and research director at Gartner Inc. in Stamford, Conn. "I've found the same phenomenon with consumers. They're more concerned about viruses than they are about spyware and malware. It is just awareness. There's just so much advertising about viruses. SMBs don't have big IT departments, and they don't fully understand all the different threats."
Litan said she saw this vividly illustrated at the Gartner Symposium ITxpo in Orlando, Fla., last week. She said IronPort, a San Bruno, Calif.-based competitor to Webroot, got permission from Gartner to sniff the IP traffic at the conference. IronPort found that 2% of the traffic coming from conference attendees' laptops consisted of malware.
William Bell, director of information security at Tempe, Ariz.-based EC Suite LLC, a 320-person e-commerce hosting company, uses an application "whitelist" approach with Sanctuary Application Control from Lumension Security Inc. that is opposite to the basic antivirus strategy that so many SMBs are using.
While most antivirus technologies basically scan incoming code against a blacklist of known viruses, Bell uses his Lumension product to maintain a whitelist of approved applications for his end users. If someone tries to execute something that is unsanctioned, Bell's system refuses to allocate memory to the program. In effect, spyware just can't start, no matter how many times his end users might accidentally expose his environment to it.
"It is something I have found to be well worth the extra amount of effort on my team's part to deploy this solution," Bell said. "With an antivirus solution there is no extra effort. Computers get updated by live update [by the vendor]. There is no administrative overhead. In this scenario, the maintainers of the program have to maintain the whitelist. It's about a five- to seven-minute window per new application."
Of course, Bell has seven dedicated information security professionals working under him. Most SMBs don't have such a luxury. He said he knows many other medium-sized companies have small security departments.
"I find it surprising that there are companies that feel they are doing their due diligence with hindered staff," he said. "I know a few companies north of 1,500 to 2,000 employees who have only two people in their IT security teams. I guarantee those companies are not doing their due diligence. They're running just what is absolutely necessary. And they will pay for it."
"The SMB segment is in a unique situation because they have certain profiles that are similar to larger companies," Watkins said. "They are exposed to the same issues, but they don't have the same resources."
"In the typical small business you find that problems don't get fixed until it becomes an urgent issue," Watkins said. "Waiting until you've actually been hurt is exactly what the bad guys want. They try to make it so that you are never aware that you are compromised."
"You don't need great IT resources to protect against spyware," Litan said. "You just need to know to protect against it. I expect there to be a lot of awareness rising in the next few years."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer