"Too few SMBs can realistically say that they make more than a token effort at achieving such a posture," Michael Cobb, founder and managing director of security consultancy Cobweb Applications, wrote recently in a Dark Reading/Information Week Reports piece, 5 Security Tools Every Small Business Must Have.
[How do SMBs go about shopping for an MSSP? See How To Pick The Best MSSP For Your SMB .]
According to recent figures out from Kaspersky Lab this month, the average SMB spends just $10,000 a year on security, or about an average of under $36 per employee. According to the survey, antivirus reigned as the top spending priority for these organizations, with 67 percent of respondents spending budget on AV as compared with other technologies like data encryption, which only saw traction from 40 percent of SMBs.
Anecdotally, Doug Landoll of Assero Security says that an antivirus-centric mentality among SMBs is par for the course. His company specializes in performing risk assessments for SMBs pressed by larger B2B customers to offer transparency around security controls before either party does business for one another. Time and time again, his SMB clients are shocked to find how much more these assessments ask for beyond antivirus and other endpoint protection.
"A lot of SMB security is mostly geared around endpoint security. That's it," he says. "Well, that's just one or two questions on a thirty-question questionnaire and they're like, "What is this network segmentation? What do they mean about policies?' That's when they realize security is about a whole lot more than they thought."
When SMBs rely solely on antivirus technology, they're effectively accepting a whole lot of risk. It's been an open secret among security industry insiders for a while, but the news is just now starting to trickle out to the mainstream outlets SMB decision-makers are most exposed to: antivirus technology only snares small percentage of the new threats that are released in the wild each day. A recent study by Imperva cited in the New York Times, showed that when 40 antivirus products were tested with 82 new computer viruses common in the wild, these protection technologies detected less than 5 percent of those pieces of malware.
"Not investing in additional endpoint security solutions is actually a false economy – in reality, they are ignoring and therefore effectively accepting 68 percent of the risk and the associated costs," says Rees Johnson, senior vice president of product management for McAfee Labs, citing data from analysts with Aberdeen Group. "Endpoint security initiatives should adopt a more comprehensive approach to protecting the organization's platforms, networks, applications and data."
But many SMB decision-makers don't realize what accepting that level of risk really means for their business. Not only are attackers seeking to hack small businesses to perpetuate the kind of bank fraud that most organizations normally associate with malware, but they're looking at SMBs as valuable sources of consumer data, intellectual property, and as beachheads into longer-term attacks against corporate customers serviced by these more vulnerable smaller organizations.
"As everyone is becoming more interconnected, connected business partners become at-risk due to holes in another connected partners' security. The weak link in the chain, so to speak," says John Biglin, CEO of Interphase Systems, who warns that this weakness puts SMBs very livelihoods at risk. "We have seen clients get audited by their partners, and have also seen major contracts lost because of inadequate controls."
In order to ensure that SMBs don't let the threats that bypass antivirus slip through the cracks, they have got to start adding to their security arsenal.
"Even if you are a small or medium-size business, it is important to have IT security policies in place: around data-loss prevention, around password-complexity, around encryption, around mobile device usage, and so on," says Yuk Fai Chan, consultant with Security Compass. "Show that you have such policies in place and that you have controls to enforce them."
According to Cobb, at bare minimum organizations should bolster their security protections beyond antivirus to also include well-configured and updated network firewalls, security configuration tools designed to patch systems and limit vulnerabilities, encryption technologies and automated backup and recovery tools.
Additionally, SMBs can't afford to forget that external hacking threats aren't the only ones they're contending with.
"Internal threat agents can be anyone who has access to your physical premises and internal company network – guests, contractors, or even disgruntled employees," Chan says. "It is equally important to have proper access control on your internal network, and to perform regular assessments of your IT infrastructure from an internal perspective."
In fact, assessment should be the name of the game for SMBs seeking to elevate their strategies.
"Know your weaknesses by performing vulnerability scans regularly and penetration testing after major product upgrades," says John Whiteside of Alert Logic, "attackers are looking for targets of opportunity such as unpatched servers or exposed services - find and correct them before they do.
Since few SMBs have the internal resources necessary to evaluate how well they're really doing at protecting themselves or to take steps to make improvements, outside help can definitely come in handy.
"Fortunately, many IT security processes lend themselves to being outsourced: They are cheaper for a specialist company to deliver than for a company to provide with its own staff and equipment," wrote Cobb in another in Dark Reading/Information Week Reports piece, 6 Security Services Every Small Business Must have, which offers a number of valuable insights for SMBs shopping for the right security service providers. "Outsourcing security can actually lead to better security, with the potential added benefits of reduced capital and operating expenses."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.