SMBs Getting Proactive About Security
By Mark Brunelli, News Writer
Small- to medium-sized businesses, forever saddled with limited
resources, traditionally have reacted to security problems after the
fact. While this remains the predominant tactic today, experts say
that more SMBs realize the benefits of a more strategic, policy-based
approach to security.
Solid security policies give SMBs the obvious benefit of limiting
companies' susceptibility to viruses, worms and internal threats. But
perhaps more importantly, say experts, proper policy management and
enforcement can save companies money that might eventually have been
spent on disaster recovery services or additional bandwidth to make
up for out-of-control e-mail usage.
Experts agree that policies should cover everything from patch
management and data center physical security to employee use of the
Internet and related communications technologies. They say policies
should be strategically aligned with the goals and requirements of
the individual company. That strategic alignment, they add, can be
achieved by getting IT departments to work closely with human
resources, upper management and end users in drafting the policies.
"When it comes to security policies, it has really been something
that [SMBs] may have had in the back of their minds," said Helen
Chan, a senior analyst with Yankee Group's small and medium business
strategies unit. "To the extent that they devise these policies to
drive purchases, I don't think they're quite there yet. But I do
think that trend is growing."
Experts say it's no wonder SMBs are gradually looking to security
policies as an additional means of threat avoidance, because the
number of those threats is exploding.
Cupertino, Calif.-based security vendor Symantec Corp. reports that
the number of attacks on Windows machines alone during the first half
of 2004 jumped more than four times compared to the same period last
year. Symantec documented nearly 4,500 worms and viruses that
targeted Windows during the 2004 timeframe.
Research also confirms that security is a top priority at SMBs.
According to a recent Forrester Research survey of decision makers
among 684 North American SMBs, 75% plan to purchase new security
technologies within the next year.
A well-written security policy is useless if it isn't drafted,
implemented, managed and enforced properly. Experts point out that
software is available to help out in these areas.
Companies that sell policy management software include Lexington,
Mass.-based Liquid Machines Inc. and Sherpa Software Group L.P. of
Bridgeville, Pa. Both companies sell software designed to enforce
e-mail rules and other policies.
The biggest threats to enterprise IT security come from the Internet.
Experts say that is why it's so important to have strong security
policies in place governing employee use of the Web, e-mail and
instant messaging (IM).
Michael Osterman, founder of Black Diamond, Wash.-based Osterman
Research, a company that focuses on messaging technologies, said that
most SMBs do take the appropriate steps of installing antivirus and
firewall software. But, he added, many fail to implement more
comprehensive internal usage policies, and this can lead to problems.
Osterman said that most companies will want to have a policy in place
that limits the size of e-mail attachments that employees are allowed
to send. This saves bandwidth and in some cases can prevent system
Osterman also believes that companies should lay out policies
restricting Internet use. This cuts down employee visits to
pornographic or other potentially problematic Web sites. This has a
two-pronged effect of limiting a company's exposure to malware and
averting possible sexual harassment litigation.
A comprehensive policy would also include information about the
technologies the company uses to deal with viruses and spam,
according to Osterman. The policies should be clear about how
antivirus and antispam technologies are to be managed.
"When a new virus is introduced, a lot of small companies are very
susceptible because they don't maintain their virus defenses like
they should," Osterman said.
Companies will also want to have clear policies with regard to
instant messaging technologies and their usage. Osterman believes
that SMBs should consider purchasing enterprise-grade IM software,
which generally has enhanced security features over consumer-grade
software such as AOL Instant Messenger and Yahoo Messenger. Companies
that sell enterprise-grade IM software include IBM Lotus and Ipswitch
Inc., based in Lexington, Mass.
SMBs opting to stick with consumer-grade IM software should consider
third-party monitoring and security tools to add extra layers of
protection, the analyst suggested. Companies that sell such products
include SpectorSoft Corp. of Vero Beach, Fla. and Wellesley,
Mass.-based DYS Analytics Inc.
"You can get some pretty nasty viruses, worms and Trojans coming in
through IM," Osterman warned.