What Antivirus Shortcomings Mean For SMBs

Accepting the risks that come with relying solely on AV not only puts data at risk, but also could kill future earning potential

As criminals continue to hone their digital attacks against SMBs, smaller organizations will have to do more than put up token cybersecurity defenses if they want to protect their intellectual property, their customers, and their cash flow, experts warn. And step one in giving up the security charades is admitting that there needs to be more to an annual security budget than a few dollars squirreled away for antivirus software renewals.
Too few SMBs can realistically say that they make more than a token effort at achieving such a posture, Michael Cobb, founder and managing director of security consultancy Cobweb Applications, wrote recently in a Dark Reading/Information Week Reports piece,
5 Security Tools Every Small Business Must Have
.
[How do SMBs go about shopping for an MSSP? See
How To Pick The Best MSSP For Your SMB
.]
According to recent figures out from Kaspersky Lab this month, the average SMB spends just $10,000 a year on security, or about an average of under $36 per employee. According to the survey, antivirus reigned as the top spending priority for these organizations, with 67 percent of respondents spending budget on AV as compared with other technologies like data encryption, which only saw traction from 40 percent of SMBs.
Anecdotally, Doug Landoll of Assero Security says that an antivirus-centric mentality among SMBs is par for the course. His company specializes in performing risk assessments for SMBs pressed by larger B2B customers to offer transparency around security controls before either party does business for one another. Time and time again, his SMB clients are shocked to find how much more these assessments ask for beyond antivirus and other endpoint protection.
A lot of SMB security is mostly geared around endpoint security. Thats it, he says. Well, thats just one or two questions on a thirty-question questionnaire and theyre like, What is this network segmentation? What do they mean about policies? Thats when they realize security is about a whole lot more than they thought.
When SMBs rely solely on antivirus technology, theyre effectively accepting a whole lot of risk. Its been an open secret among security industry insiders for a while, but the news is just now starting to trickle out to the mainstream outlets SMB decision-makers are most exposed to: antivirus technology only snares small percentage of the new threats that are released in the wild each day. A
recent study by Imperva cited in the New York Times
, showed that when 40 antivirus products were tested with 82 new computer viruses common in the wild, these protection technologies detected less than 5 percent of those pieces of malware.
Not investing in additional endpoint security solutions is actually a false economy – in reality, they are ignoring and therefore effectively accepting 68 percent of the risk and the associated costs,
says Rees Johnson, senior vice president of product management for McAfee Labs, citing data from analysts with Aberdeen Group
. Endpoint security initiatives should adopt a more comprehensive approach to protecting the organizations platforms, networks, applications and data.
But many SMB decision-makers dont realize what accepting that level of risk really means for their business. Not only are attackers seeking to hack small businesses to perpetuate the kind of bank fraud that most organizations normally associate with malware, but theyre looking at SMBs as valuable sources of consumer data, intellectual property, and as beachheads into longer-term attacks against corporate customers serviced by these more vulnerable smaller organizations.
As everyone is becoming more interconnected, connected business partners become at-risk due to holes in another connected partners security. The weak link in the chain, so to speak, says John Biglin, CEO of Interphase Systems, who warns that this weakness puts SMBs very livelihoods at risk. We have seen clients get audited by their partners, and have also seen major contracts lost because of inadequate controls.
In order to ensure that SMBs dont let the threats that bypass antivirus slip through the cracks, they have got to start adding to their security arsenal.
Even if you are a small or medium-size business, it is important to have IT security policies in place: around data-loss prevention, around password-complexity, around encryption, around mobile device usage, and so on, says Yuk Fai Chan, consultant with Security Compass. Show that you have such policies in place and that you have controls to enforce them.
According to Cobb, at bare minimum organizations should bolster their security protections beyond antivirus to also include well-configured and updated network firewalls, security configuration tools designed to patch systems and limit vulnerabilities, encryption technologies and automated backup and recovery tools.
Additionally, SMBs cant afford to forget that external hacking threats arent the only ones theyre contending with.
Internal threat agents can be anyone who has access to your physical premises and internal company network – guests, contractors, or even disgruntled employees, Chan says. It is equally important to have proper access control on your internal network, and to perform regular assessments of your IT infrastructure from an internal perspective.
In fact, assessment should be the name of the game for SMBs seeking to elevate their strategies.
Know your weaknesses by performing vulnerability scans regularly and penetration testing after major product upgrades, says John Whiteside of Alert Logic, attackers are looking for targets of opportunity such as unpatched servers or exposed services - find and correct them before they do.
Since few SMBs have the internal resources necessary to evaluate how well theyre really doing at protecting themselves or to take steps to make improvements, outside help can definitely come in handy.
Fortunately, many IT security processes lend themselves to being outsourced: They are cheaper for a specialist company to deliver than for a company to provide with its own staff and equipment, wrote Cobb in another in Dark Reading/Information Week Reports piece,
6 Security Services Every Small Business Must have
, which offers a number of valuable insights for SMBs shopping for the right security service providers. Outsourcing security can actually lead to better security, with the potential added benefits of reduced capital and operating expenses.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
What Antivirus Shortcomings Mean For SMBs