As attacks on computer systems rage on, no business is too tiny for
cybercriminals to see as a lucrative target.
Yet security for smaller companies is a real challenge. Any
small-business owner is by definition a jack-of-all-trades, but a deep
understanding of computer security is seldom among those skills.
"Trying to protect your company's data valuables or brand without the
budgets, staffing or know-how of Fortune 500 companies is a daunting
task," says Gartner security analyst Eric Ahlm.
Small to midsize businesses generally have three choices when it comes to protecting themselves online.
For those who mostly do simple credit card transactions, a merchant
services company (sometimes called managed services) is often all they
need. More complex businesses tend to rely on all-in-one programs, such
as Norton or Symantec. Still larger businesses frequently outsource to
an IT or security professional, who may provide similar services to
Simple outsourcing is the route Zoel Fages, who owns Perch, a small gift and housewares shop in San Francisco, has taken.
A first-time business owner, he hired Axia, a merchant services
company in Santa Barbara, Calif., to do his credit card processing and
To deal with computer security, he also signed up for Axia's data
breach program through ControlScan, a company that helps businesses
ensure they are compliant with the legally required Payment Card
Industry Data Security Standard, or PCI DSS.
"I had to answer a 69-question questionnaire, and they did a
vulnerability scan last week," he said. He spent hours on the phone with
ControlScan going over the results and is now confident his customers,
and their credit card information, are safe.
With 60-hour weeks going into keeping his boutique running, that's the
extent of his efforts. "Maybe this is naiveté on my part, but I'm just
assuming that if these tests are being done and I'm passing, then I'm
meeting the compliance standards," he said amid scented candles and
It's not a bad bet for businesses that "frankly really don't have
much data of interest to lose," said Ahlm. These types of managed
service providers are easy to find, either through local merchants
associations, the Chamber of Commerce or even judicious searching
For more midsize companies, doing security in-house with purchased
software is an option. In just over a third of companies, the owner
handles online security, while in another third a staff member is in
charge of it, a National Small Business Association survey found.
Popular products include offerings from Symantec, Trend Micro and
McAfee. Many small-business owners turn first to Norton, a
consumer-oriented security product owned by Symantec, because it's what
they use on their home computers.
"They want something rock solid that's going to provide the
protection they need. They don't want to have to fuss with it," said
Brian Burch, vice president of small-business marketing at Symantec.
Norton's Small Business product starts at $100 a year with a license
that covers up to five devices, and the ability to add more for $20
When businesses reach about 25 employees, many begin to switch to the
more powerful Symantec Endpoint Protection Small Business Edition,
"which is more meant for an IT professional within the company," said
Burch. "It scales to hundreds of employees."
Many businesses eventually decide they need someone on the inside they can call on when something goes wrong.
Commercial Resins in Henderson, Colo., has produced industrial
coatings for oil pipe and rebar since the 1960s. In 2008, when the
company had five computers and one server, it hired Brian Willms as a
Originally it was just one of many clients whose computer security he
managed remotely – a popular option for many midsize companies that
can't afford a full-time tech staffer.
"Then we added more computers and staff and they all had smartphones,
and suddenly they were saturating 100 percent of my time," Willms said.
Eventually the company hired him as its sole IT staffer. Today he
manages the company's two locations, in Henderson and in Sidney, Neb.,
from his home in Tulsa using Webroot, a cloud-based security company.
"I'm pretty much always on call," he said.
Whatever security a company decides on, software can never be fully
protective. Staff training is crucial, said Stephen Cobb with ESET,
which offers security software and support for smaller businesses.
"We can make a piece of security software that says, 'Warning! Don't
click this button!' But if your employees don't know that it's important
not to click the button, your investment in that security software
isn't going to pay off," he said.
Copyright © 2014 USA TODAY, Elizabeth Weise