SMBs, forever saddled with limited resources, traditionally have reacted to security problems after the fact. While this remains the predominant tactic today, experts say that more SMBs realize the benefits of a more strategic, policy-based approach to security.
Solid security policies give SMBs the obvious benefit of limiting companies' susceptibility to viruses, worms and internal threats. But perhaps more importantly, say experts, proper policy management and enforcement can save companies money that might eventually have been spent on disaster recovery services or additional bandwidth to make up for out-of-control email usage.
Experts agree that policies should cover everything from patch management and data center physical security to employee use of the Internet and related communications technologies. They say policies should be strategically aligned with the goals and requirements of the individual company. That strategic alignment, they add, can be achieved by getting IT departments to work closely with human resources, upper management and end users in drafting the policies.
"When it comes to security policies, it has really been something that (SMBs) may have had in the back of their minds," said Helen Chan, a senior analyst with Yankee Group's small and medium business strategies unit. "To the extent that they devise these policies to drive purchases, I don't think they're quite there yet. But I do think that trend is growing."
More security threats all the time
Experts say it's no wonder SMBs are gradually looking to security policies as an additional means of threat avoidance, because the number of those threats is exploding.
Cupertino, Calif.-based security vendor Symantec Corp. reports that the number of attacks on Windows machines alone during the first half of 2004 more than quadrupled compared with the same period last year. Symantec documented nearly 4,500 worms and viruses that targeted Windows during the 2004 time frame.
Research also confirms that security is a top priority at SMBs. According to a recent Forrester Research survey of decision makers among 684 North American SMBs, 75% plan to purchase new security technologies within the next year.
Consider policy management vendors
A well-written security policy is useless if it isn't drafted, implemented, managed and enforced properly. Experts point out that software is available to help out in these areas.
Companies that sell policy management software include Lexington, Mass.-based Liquid Machines Inc. and Sherpa Software Group L.P. of Bridgeville, Pa. Both companies sell software designed to enforce e-mail rules and other policies.
Communications policies a must
The biggest threats to enterprise IT security come from the Internet. Experts say that is why it's so important to have strong security policies in place governing employee use of the Web, e-mail and instant messaging (IM).
Michael Osterman, founder of Black Diamond, Wash.-based Osterman Research, a company that focuses on messaging technologies, said that most SMBs do take the appropriate steps of installing antivirus and firewall software. But, he added, many fail to implement more comprehensive internal usage policies, and this can lead to problems.
Osterman said that most companies will want to have a policy in place that limits the size of email attachments that employees are allowed to send. This saves bandwidth and in some cases can prevent system crashes.
Osterman also believes that companies should lay out policies restricting Internet use. This cuts down employee visits to pornographic or other potentially problematic Web sites. This has a two-pronged effect of limiting a company's exposure to malware and averting possible sexual harassment litigation.
A comprehensive policy would also include information about the technologies the company uses to deal with viruses and spam, according to Osterman. The policies should be clear about how antivirus and antispam technologies are to be managed.
"When a new virus is introduced, a lot of small companies are very susceptible because they don't maintain their virus defenses like they should," Osterman said.
Companies will also want to have clear policies with regard to instant messaging technologies and their usage. Osterman believes that SMBs should consider purchasing enterprise-grade IM software, which generally has enhanced security features over consumer-grade software such as AOL Instant Messenger and Yahoo Messenger. Companies that sell enterprise-grade IM software include IBM Lotus and Ipswitch, Inc., based in Lexington, Mass.
SMBs opting to stick with consumer-grade IM software should consider third-party monitoring and security tools to add extra layers of protection, the analyst suggested. Companies that sell such products include SpectorSoft Corp. of Vero Beach, Fla. and Wellesley, Mass.-based DYS Analytics Inc.
"You can get some pretty nasty viruses, worms and Trojans coming in through IM," Osterman warned.