Keith Ferrell

n recent years, incessant security threats have grown more varied with no sign of diminishing. Yet despite the obvious risks, IT departments in many small and midsize businesses remain so overburdened that managing security is often viewed as an additional responsibility. To help these overloaded IT staff, McAfee offers a 15 minute per day solution dubbed Total Protection for Secure Business (ToPs) that seeks to help small IT staffs gain the upper hand in managing security.

Recently, bMighty spoke with Darrell Rodenbaugh, McAfee's senior VP for the worldwide midmarket segment, about ToPs and the similarities between the security challenges smaller companies and large enterprises face and the huge disparity in the resources they wield to combat them.

bMighty: How do small and midsize business security concerns differ from those of large enterprises?

Darrell Rodenbaugh: They swim in the same Internet cesspool. They're exposed to the same risks. Their end users make the same mistakes. They're going to the same wrong places on the Web; 95% of their e-mail is spam and 25% of that carries some malicious intent. They have the same data exposure; a data breach is every bit as devastating for a small business as for a larger corporation. Fundamentally, all businesses of all sizes have the same risk profile. The challenge is that small and midsize businesses don't have the same resource profile.

bMighty: So small and midsize businesses are fighting the same war, but without the same war departments?

Rodenbaugh: Yes. Only 8% of companies with under 1,000 employees have a dedicated IT staff. And, of those, our studies show that the typical SMB employs 1.8 IT professionals who are responsible for network access, applications, disk farms, and so on, as well as security. In fact, IT generalists manage 92% of small and midsize business security; most of them admit to spending less than an hour a week managing security concerns.

bMighty: While the situation exists as a result of small business reality and necessity, are small and midsize businesses less of a target for cybercriminals?

Rodenbaugh: Not at all. It's like a lot of bank robberies. Bank robbers know they're not going to rob Fort Knox: they target branch banks, not central depositories. Small and midsize businesses are very much targets.

bMighty: If the security challenges and threats small and midsize companies face are the same as those of large enterprises, is it safe to assume that their security needs don't differ a lot either?

Rodenbaugh: They really don't, except in this way: The largest of enterprises have the resources, and are able to invest more in security solutions and personnel -- more elegant tools, entire professional careers built around security. For a smaller businesses, the generalist IT manager's tools must provide the same level of security in a one-hour-a-week window. That's the midmarket paradox.

bMighty: How do you deal with the paradox?

Rodenbaugh: Every vendor is seeking to deliver the right technology and provide secure tools to the small and midsize business space. The challenge we [McAfee] wanted to tackle with ToPS was to deliver smart, simple, and secure tools that are easy to manage install and maintain, but that are technologies developed to fit into those SMB constraints -- limited budget and resources. We're trying to deal with business realities as opposed to just scaring customers into spending more time and money.

bMighty: That said, are scare tactics effective?

Rodenbaugh: Unfortunately, the most effective trigger that forces security investment is getting hit. Once there's a problem, it's all hands on deck. Otherwise, we all understand businesses' hesitation to apply resources to security: management is trying to grow the business, meet payroll, deal with all the other challenges and demands that a business creates or must respond to.

bMighty: Are there areas in which small and midsize businesses are doing a better job on security than others.

Rodenbaugh: Sure. Most businesses are doing a decent job of providing basic anti-malware protection. Whether or not they're doing as decent a job on update management is a different matter, but anti-malware is only one of the challenges, of course.

bMighty: What are the others?

Rodenbaugh: 80% of business security issues are found in five areas:

  1. Anti-malware: And most businesses, as I've said, are doing a good job of dealing with anti-malware basics.
  2. E-mail risks: Though not as aggressively exploited as in the past, e-mail threats are still very real. A quarter of spam contains some form of malicious, dangerous, or troublesome intent.
  3. The Web: This one is tough to manage because it requires managing the users, who are easily pushed to spoof sites and so on. This is the fastest growing area of business risk.
  4. Data protection: This one takes a lot of different forms: protection from internal risk, an employee by design or mistake loses data, or maliciously walks out with critical data. Employees are increasingly carrying USB sticks, iPods, other devices that can hold a lot of data. The data itself involves different challenges and can have different impacts: customer and employee private data, strategic, or competitive information, etc. This is the fastest growing risk frontier, the one companies are waking up to as exposure risks are better understood.
  5. Network-level security: Protecting the network using traditional firewalls against intrusions is something many companies do a fairly good job of. But the challenge is that more and more of the threats coming in involve several vectors at once. The firewall approach is less and less effective. The response is to move more rapidly to unified threat devices.

bMighty: From McAfee's perspective, those are the major security challenges and areas?

Rodenbaugh: Covering those five would satisfy the security needs of 80% of small and midsize businesses. Regulated and compliance-governed businesses face more stringent compliance requirements, and need technologies in addition to those I've described.

bMighty: Already tight security budgets will probably get tighter as the economy cools. What do tough economic times do to security budgets and how should companies respond?

Rodenbaugh: Clearly economic conditions are going to put pressure on security budgets. We've not seen dramatic shifts in attitudes yet, though. In some ways, it's like paying your electric bill: you have to do it, you have it in place. The risk is deferring the next wave of security investment and protection. This will put more stress on IT managers, asking them to do more with less.

bMighty: Which, it's pretty easy to suppose, is one of the factors that helped shape ToPS.

Rodenbaugh: Having done a lot of research into the constraints SMB IT faces, and having identified that common set of security challenges, we wanted to make it possible for a business to acquire, in one step, all the security technologies it needs to meet those challenges, and do so in a way that's more cost-effective than purchasing the components piecemeal.

bMighty: Education also is an important component of the new product and initiative.

Rodenbaugh: It is. The more guidance that we can provide to IT managers and business owners, the less likely it is that they'll be responding to a crisis, the more likely that they'll be taking steps to better manage and improve their business security.

bMighty: All in the 15 minutes a day ToPS promises?

Rodenbaugh: Look at the resources we've discussed: the 15 minutes is what there is at a lot of companies. So the IT staff needs to be equipped to get the most out of that 15 minutes, to know what tasks and procedures need to be followed on a daily, weekly, monthly basis. That calendar of activities turns that 15 minutes into proactive security management. We'll be discussing that calendar of activities, the effective security schedule, a lot, and not just in connection with ToPS. What we've learned about small and midsize business security concerns and realities is something we'll be sharing as well as marketing.

Keith Ferrell is the author of a dozen books and countless magazine and newspaper articles. The editor of OMNI Magazine from 1990-1996, he also is a frequent speaker to corporate and institutional audiences.