SMB Security: Five Bright Ideas

February 04, 2009 — CSO — Adam Hansen is that rare bird in the small to midsize business (SMB) realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.

Granted, Hansen's employer sits on the higher end of the SMB size spectrum, but it is still relatively uncommon for companies with revenues under $500 million to have a person devoted to security. Hansen is rarer yet in that he leads a staff of six security professionals, who handle all aspects of physical and information security for the firm, which has 16 offices. "I've been lucky here," he says. Many companies of comparable size don't have anyone who takes a global view of security.

When it comes to information security, most IT people at SMBs tend to be generalists rather than specialists like the ones at Sonnenschein. "They put in a new disk farm yesterday, today they're doing a website, tomorrow they will do something with security," says Darrell Rodenbaugh, senior VP of the midmarket segment for McAfee Security, a security software vendor in Santa Clara, Calif.

McAfee surveys its vast SMB user population frequently to discern their security practices and habits. "Most spend less than an hour a week proactively managing security," says Rodenbaugh. According to the most recent McAfee survey, most SMB respondents did not believe they are a likely target of cybercrime. "They don't think they are well enough known, but nothing could be further from the truth."

SMBs are still in security catch-up mode compared with large enterprises, according to Adam Hils, principal research analyst for the Atlanta office of Gartner. But catching up they are. One sign of maturity: SMBs are now more likely to have formal, written security policies, at least in the area of IT, according to a recent Gartner survey (see, "SMB IT Security Spending Habits," Page 27). About 47 percent of Gartner SMB survey participants have developed and adopted a formal security policy. And about 30 percent more plan to develop one this year.

February 04, 2009 — CSO — Adam Hansen is that rare bird in the small to midsize business (SMB) realm: He is a CSO. Hansen heads up security for Sonnenschein, Nath and Rosenthal, an 800-attorney law firm in Chicago.

Granted, Hansen's employer sits on the higher end of the SMB size spectrum, but it is still relatively uncommon for companies with revenues under $500 million to have a person devoted to security. Hansen is rarer yet in that he leads a staff of six security professionals, who handle all aspects of physical and information security for the firm, which has 16 offices. "I've been lucky here," he says. Many companies of comparable size don't have anyone who takes a global view of security.

When it comes to information security, most IT people at SMBs tend to be generalists rather than specialists like the ones at Sonnenschein. "They put in a new disk farm yesterday, today they're doing a website, tomorrow they will do something with security," says Darrell Rodenbaugh, senior VP of the midmarket segment for McAfee Security, a security software vendor in Santa Clara, Calif.

McAfee surveys its vast SMB user population frequently to discern their security practices and habits. "Most spend less than an hour a week proactively managing security," says Rodenbaugh. According to the most recent McAfee survey, most SMB respondents did not believe they are a likely target of cybercrime. "They don't think they are well enough known, but nothing could be further from the truth."

SMBs are still in security catch-up mode compared with large enterprises, according to Adam Hils, principal research analyst for the Atlanta office of Gartner. But catching up they are. One sign of maturity: SMBs are now more likely to have formal, written security policies, at least in the area of IT, according to a recent Gartner survey (see, "SMB IT Security Spending Habits," Page 27). About 47 percent of Gartner SMB survey participants have developed and adopted a formal security policy. And about 30 percent more plan to develop one this year.

That has been a big trend in the last year or so, according to Hils. Regulatory compliance is a major driver to formalize policies on the information security side, especially for retail companies that are within the purview of PCI DSS, the Payment Card Industry Data Security Standard. (See A Tale of Two PCI Audits for more details.) Even for companies that are not big enough to be covered by government regulations, they'll have to comply if they work with larger partners who do.