Risk
2/10/2011
02:11 PM
50%
50%

Security Costs SMBs 16 Days Per Month

Managing on-site security systems takes up more than 120 hours of IT staff time each month, according to Webroot.

Top 10 SMB Predictions for 2011
(click image for larger view)
Slideshow: Top 10 SMB Predictions For 2011

IT pros at small and midsize businesses (SMBs) spend 127 hours every month managing their on-premises security infrastructure, according to a new survey released by Webroot.

That equates roughly to 16 eight-hour workdays devoted to tasks such as updating software and hardware, reimaging infected machines, managing end-user policies, and installing patches. Software and hardware updates, for example, take up more than 18 hours of IT personnel's time each month.

While the study included larger companies, too -- its 820 respondents worked for firms with 100 to 5,000 employees -- Webroot chief technology officer Gerhard Eschelbeck said that the numbers were remarkably consistent across organizational size. In other words, SMBs are spending as much time as larger companies managing their on-site security -- only with fewer people and less money. That means security maintenance eats up a much larger slice of the resource pie at smaller firms.

"Smaller companies usually have less IT resources and less resources dedicated to security, so it certainly becomes a double whammy for those organizations," Eshelbeck said in an interview. "An organization with a 100 people, by design has a smaller IT department, security department, than an organization with 1,000 people. Clearly from that perspective, it hits them doubly hard."

While SMBs might make less likely bulls-eyes for targeted attacks, they deal with the same broader threat landscape -- such indiscriminately launched malware -- as big business and big government.

"The fact that they also are dealing with a similar amount of infections and time spent is clearly an indicator that smaller companies are impacted harder," Eshelbeck said.

The survey also found that mobile workers -- and the devices that keep them connected to the virtual office -- pose the fastest-growing concern for IT managers charged with keeping company networks secure. One in three respondents listed mobile devices, from laptops to tablets to smartphones, as their chief challenge in the year ahead. Data breaches and malware threats ranked second and third, respectively, as the top security challenges for 2011.

"Every mobile device is a potential access point for viruses, for any other piece of malware," Eshelbeck said. Mobile devices "really add a completely new vector for infection if they're always on and permanently connected outside of the corporate network."

Some 40% of respondents said they plan to implement a cloud-based security system in 2011 or 2012, listing reduced IT burdens, simplified maintenance, improved malware defenses, and mobile security among their top motivations. Webroot, of course, has a vested interest in these survey results: The company provides Web-based security services. The survey was conducted by a third party, the company said.

In Eshelbeck's view -- based on 20 years in security and 10 in Web-based software -- SMBs drove early growth of cloud-based security and other hosted software, but larger organizations are now bridging the gap.

"Clearly, the revolution started in the [SMB] segment," Eshelbeck said. "Over the years, it has also grown up to the larger organizations."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.