Security Costs SMBs 16 Days Per Month

Top 10 SMB Predictions For 2011

IT pros at small and midsize businesses (SMBs) spend 127 hours every month managing their on-premises security infrastructure, according to a new survey released by Webroot.

That equates roughly to 16 eight-hour workdays devoted to tasks such as updating software and hardware, reimaging infected machines, managing end-user policies, and installing patches. Software and hardware updates, for example, take up more than 18 hours of IT personnel's time each month.

While the study included larger companies, too -- its 820 respondents worked for firms with 100 to 5,000 employees -- Webroot chief technology officer Gerhard Eschelbeck said that the numbers were remarkably consistent across organizational size. In other words, SMBs are spending as much time as larger companies managing their on-site security -- only with fewer people and less money. That means security maintenance eats up a much larger slice of the resource pie at smaller firms.

"Smaller companies usually have less IT resources and less resources dedicated to security, so it certainly becomes a double whammy for those organizations," Eshelbeck said in an interview. "An organization with a 100 people, by design has a smaller IT department, security department, than an organization with 1,000 people. Clearly from that perspective, it hits them doubly hard."

While SMBs might make less likely bulls-eyes for targeted attacks, they deal with the same broader threat landscape -- such indiscriminately launched malware -- as big business and big government.

"The fact that they also are dealing with a similar amount of infections and time spent is clearly an indicator that smaller companies are impacted harder," Eshelbeck said.

The survey also found that mobile workers -- and the devices that keep them connected to the virtual office -- pose the fastest-growing concern for IT managers charged with keeping company networks secure. One in three respondents listed mobile devices, from laptops to tablets to smartphones, as their chief challenge in the year ahead. Data breaches and malware threats ranked second and third, respectively, as the top security challenges for 2011.

"Every mobile device is a potential access point for viruses, for any other piece of malware," Eshelbeck said. Mobile devices "really add a completely new vector for infection if they're always on and permanently connected outside of the corporate network."

Some 40% of respondents said they plan to implement a cloud-based security system in 2011 or 2012, listing reduced IT burdens, simplified maintenance, improved malware defenses, and mobile security among their top motivations. Webroot, of course, has a vested interest in these survey results: The company provides Web-based security services. The survey was conducted by a third party, the company said.

In Eshelbeck's view -- based on 20 years in security and 10 in Web-based software -- SMBs drove early growth of cloud-based security and other hosted software, but larger organizations are now bridging the gap.

"Clearly, the revolution started in the [SMB] segment," Eshelbeck said. "Over the years, it has also grown up to the larger organizations."