What Antivirus Shortcomings Mean For SMBs

Accepting the risks that come with relying solely on AV not only puts data at risk, but also could kill future earning potential

As criminals continue to hone their digital attacks against SMBs, smaller organizations will have to do more than put up token cybersecurity defenses if they want to protect their intellectual property, their customers, and their cash flow, experts warn. And step one in giving up the security charades is admitting that there needs to be more to an annual security budget than a few dollars squirreled away for antivirus software renewals.

"Too few SMBs can realistically say that they make more than a token effort at achieving such a posture," Michael Cobb, founder and managing director of security consultancy Cobweb Applications, wrote recently in a Dark Reading/Information Week Reports piece, 5 Security Tools Every Small Business Must Have.

[How do SMBs go about shopping for an MSSP? See How To Pick The Best MSSP For Your SMB.]

According to figures released by Kaspersky Lab this month, the average SMB spends just $10,000 a year on security, or an average of under $36 per employee. According to the survey, antivirus reigned as the top spending priority for these organizations, with 67 percent of respondents spending budget on AV, compared with other technologies such as data encryption, which saw traction from only 40 percent of SMBs.

Anecdotally, Doug Landoll of Assero Security says that an antivirus-centric mentality among SMBs is par for the course. His company specializes in performing risk assessments for SMBs pressed by larger B2B customers to offer transparency around security controls before the two parties do business with one another. Time and time again, his SMB clients are shocked to find how much more these assessments ask for beyond antivirus and other endpoint protection.

"A lot of SMB security is mostly geared around endpoint security. That's it," he says. "Well, that's just one or two questions on a thirty-question questionnaire and they're like, 'What is this network segmentation? What do they mean about policies?' That's when they realize security is about a whole lot more than they thought."

When SMBs rely solely on antivirus technology, they're effectively accepting a whole lot of risk. It's been an open secret among security industry insiders for a while, but the news is just now starting to trickle out to the mainstream outlets SMB decision-makers are most exposed to: antivirus technology snares only a small percentage of the new threats that are released in the wild each day. A recent study by Imperva, cited in the New York Times, showed that when 40 antivirus products were tested against 82 new computer viruses common in the wild, these protection technologies detected less than 5 percent of those pieces of malware.

"Not investing in additional endpoint security solutions is actually a false economy – in reality, they are ignoring and therefore effectively accepting 68 percent of the risk and the associated costs," says Rees Johnson, senior vice president of product management for McAfee Labs, citing data from analysts with Aberdeen Group. "Endpoint security initiatives should adopt a more comprehensive approach to protecting the organization's platforms, networks, applications and data."

But many SMB decision-makers don't realize what accepting that level of risk really means for their business. Not only are attackers seeking to hack small businesses to perpetrate the kind of bank fraud that most organizations normally associate with malware, but they're also looking at SMBs as valuable sources of consumer data and intellectual property, and as beachheads into longer-term attacks against the corporate customers serviced by these more vulnerable smaller organizations.

"As everyone is becoming more interconnected, connected business partners become at risk due to holes in another connected partner's security. The weak link in the chain, so to speak," says John Biglin, CEO of Interphase Systems, who warns that this weakness puts SMBs' very livelihoods at risk. "We have seen clients get audited by their partners, and have also seen major contracts lost because of inadequate controls."

To ensure that the threats that bypass antivirus don't slip through the cracks, SMBs have to start adding to their security arsenal.

"Even if you are a small or medium-size business, it is important to have IT security policies in place: around data-loss prevention, around password-complexity, around encryption, around mobile device usage, and so on," says Yuk Fai Chan, consultant with Security Compass. "Show that you have such policies in place and that you have controls to enforce them."

According to Cobb, at bare minimum organizations should bolster their security protections beyond antivirus to also include well-configured and updated network firewalls, security configuration tools designed to patch systems and limit vulnerabilities, encryption technologies and automated backup and recovery tools.

Additionally, SMBs can't afford to forget that external hacking threats aren't the only ones they're contending with.

"Internal threat agents can be anyone who has access to your physical premises and internal company network – guests, contractors, or even disgruntled employees," Chan says. "It is equally important to have proper access control on your internal network, and to perform regular assessments of your IT infrastructure from an internal perspective."

In fact, assessment should be the name of the game for SMBs seeking to elevate their strategies.

"Know your weaknesses by performing vulnerability scans regularly and penetration testing after major product upgrades," says John Whiteside of Alert Logic. "Attackers are looking for targets of opportunity such as unpatched servers or exposed services; find and correct them before they do."

Since few SMBs have the internal resources necessary to evaluate how well they're really doing at protecting themselves or to take steps to make improvements, outside help can definitely come in handy.

"Fortunately, many IT security processes lend themselves to being outsourced: They are cheaper for a specialist company to deliver than for a company to provide with its own staff and equipment," wrote Cobb in another Dark Reading/Information Week Reports piece, 6 Security Services Every Small Business Must Have, which offers a number of valuable insights for SMBs shopping for the right security service providers. "Outsourcing security can actually lead to better security, with the potential added benefits of reduced capital and operating expenses."

User Rank: Apprentice
1/25/2013 | 8:35:31 PM
re: What Antivirus Shortcomings Mean For SMBs
AntiVirus does not provide anything close to true security coverage. You need controls in place at every level. This does not just mean firewalls and IPSes. It means auditing password usage, network segmentation, proper access controls. These are not new concepts. People have been saying these same things for a long time. AntiVirus only works on the endpoint to try and protect against certain types of threats. If you are relying on AV to protect you, that means the attacker is already accessing your machines. If they have the access, getting around AV is not a particularly difficult task for any deliberate attacker. AV might protect against accidental exposure from malware floating around the internet. It will not, however, secure you from a planned and deliberate attack. There are any number of ways to bypass AV solutions. For more information on AV evasion, you can check out the blog post I did at https://community.rapid7.com/c... or check my recent webcast on AV evasion with Metasploit when the recording becomes available at http://www.rapid7.com/resource.... You will see that it is easy for an attacker to beat AV, and if you are relying on AV to save you, you have already lost.
User Rank: Moderator
1/24/2013 | 7:50:04 PM
re: What Antivirus Shortcomings Mean For SMBs
Larry Seltzer's comment is spot on! For example, SMBs need an effective application whitelisting & O/S integrity monitoring solution like Bit9 Parity to control exactly what can execute on their Windows endpoints and to identify unauthorized changes to system files, but Bit9 licensing starts at 100 users and requires a security specialist to administer it effectively. Similar security products & appliances are also scaled & priced beyond the means of many SMBs, so small businesses, like consumers, are left "outside the castle walls" to fend for themselves. Not surprisingly, cybercriminals use the millions of poorly defended SMB and consumer PCs as pwned elements of their vast botnets OR the easiest data theft victims imaginable. Still, I wonder how well expensive, high-end SME security solutions actually scale and how much attack surface shielding they actually provide in an evolving threat landscape. Seems like every day another reasonably well defended organization is successfully hacked into by the bad guys. What is this telling us?
Larry Seltzer - UBM Tech
User Rank: Apprentice
1/24/2013 | 6:20:52 PM
re: What Antivirus Shortcomings Mean For SMBs
The smaller the business the more resistant to adding budget for something that doesn't actually produce anything. It's tough to make the case about network threats to such people when they don't even really understand the antivirus they are willing to deploy.

And for a long time the industry pretty much blew off SMBs in their products. Business versions were very complex and expensive and consumer versions were inadequate and unmanageable. I know the AV vendors got better about this many years ago, but I wonder about other levels of protection. Almost any SMB will need a consultant for this stuff anyway.