Securing Growth
From The Confident SMB, January 2010 Issue
“There’s not only power in small, but magic too,” Jaime Clarke once said. He’s a Canadian explorer who scaled Mount Everest and four other treacherous summits, step by careful step. In the global economy, the power of small has achieved impressive results.
Consider this: small and midsize businesses (SMBs) account for nearly 99 percent of all businesses worldwide, employ more than half the world’s workers, and generate more than half the global gross domestic product. In the United States, SMBs have generated 64 percent of net new jobs over the past 15 years.¹
Yet in a struggling economy, even more is expected of them.
Small in size but big in influence, SMBs have used the Internet to extend market reach and build fruitful partnerships. Business productivity applications have helped them grow while staying lean. But the very tools that propel growth can also leave them more vulnerable to risks beyond their four walls.
Cyberattacks, data loss, system failures—these are real threats to sustained SMB growth across industries.
Increasingly aware of these risks, SMBs are likely to spend a full percentage point more of their IT budgets on security in 2009 than in 2008.² “The Internet has become the computing platform for small and midsize businesses,” says Giuliana Folco, research vice president, European Industry Solutions, IDC. “So while it’s true that they are more exposed, it is also true that they are beginning to realize this. Our surveys find that improving IT security is the most urgent technology priority for SMBs.”
What are the building blocks of a secure IT infrastructure?
The Confident SMB spoke with SMB IT professionals to learn how they’re protecting their infrastructure and data assets without breaking the bank.
Protect your IP
Knowing what you need to protect is a good starting point. “Securing your information systems is about knowing what is valuable to your business and how to protect it,” says Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA). “It’s about understanding the technologies your users need and the network you operate in.”
Direct Agents, a New York-based advertising agency that specializes in interactive marketing, maintains a network that is, by choice, entirely unfiltered. “We must deliberately expose ourselves to some of the more malicious content on the Web,” explains Nate Schilling, technology manager of Direct Agents’ two-person IT team. “We work with such a large universe of online Web publishers that we cannot afford to miss any communications. We simply cannot leave the spam filter on or avoid suspect URLs.”
That’s a compelling reason for the company to safeguard both corporate and client confidential data that is stored internally, online, and at distributed third-party sites. “Symantec Endpoint Protection gives us the high level of protection and the flexibility we need,” Schilling says. “Before deploying it, I had to remediate three to four infected systems a day. Now, at its worst, we see maybe one incident of remediation a week.”
Sydney’s Museum of Contemporary Art (MCA) attracts more than 500,000 visitors a year and features major exhibits that can take years to arrange. Email communications are critical for organizing events and are often the only legal proof. MCA learned firsthand the dangers of exposure. “Years ago we had a network-stopping security incident. And our website was hacked into,” recalls Euan Upston, the museum’s chief operating officer.
Upston turned to Nexus IT & Communications, a Sydney-based Symantec partner. One of the first things Nexus IT did was implement Symantec Protection Suite Small Business Edition, which includes Symantec Endpoint Protection and Symantec Premium Anti-Spam. In the four years since, there hasn’t been a single security-related disruption.
“IT security is a business imperative,” explains Sean Murphy, principal, Nexus IT. “Contemporary art takes on many multimedia forms. The kind of protection you might expect a museum to apply to its physical assets, we also have to apply to our digital assets.”
At CBSA Architects, a 75-year-old architectural firm based in Hickory, North Carolina, the most valuable business assets—architectural drawings—are generated, stored, and transmitted to clients and contractors digitally over the Internet. “Excessive spam is an inconvenience that can slow us down. But if we experienced a malware attack, it could shut down work and we might just have to send some of our people home,” explains Candy Hensley, systems administrator at CBSA. “That has never happened thanks to Symantec Mail Security preventing hundreds of spam messages a day from reaching our mailboxes.”
On the recommendation of Voice-and-Data Corporation, a Symantec partner, CBSA has been protected by Symantec security solutions for almost 10 years. About 60 percent (nearly 3,000) of incoming messages a week at CBSA are spam, and they are blocked by Symantec Mail Security for Microsoft Exchange.
Define the guardrails
Lack of adequate IT security policies is often the Achilles heel for SMBs. NCSA’s research discovered that only 28 percent of U.S. small businesses have formal Internet security policies and less than a third train employees about Internet security. “At a minimum, you need to define policies and educate employees about what is acceptable use of your systems,” notes NCSA’s Kaiser.
CBSA’s Hensley recalls an incident when one laptop had been out in the field for more than three weeks and came back infected because its virus definitions hadn’t been updated. “The user also had a 15-year-old son who had access to the laptop,” she laughs. Fortunately, such incidents are now few and far between. Recently, the firm upgraded to Symantec Endpoint Protection Small Business Edition. It uses a single agent to put antivirus, antispyware, firewall, and intrusion prevention technologies on the servers and on each desktop or laptop, all managed from a single, centralized console.
“Few small businesses truly understand what information security means or how they should set up and enforce policies,” says John Koval, president of Voice-and-Data. “You have to be careful not to give information security too narrow an interpretation. Security is more than passwords and protecting data from being stolen or damaged. It also means being able to quickly recover from a breach.” So, Koval is planning for even greater business resilience ahead and CBSA will soon deploy Symantec Backup Exec System Recovery to begin image-based backup of servers and desktops.
Direct Agents’ Nate Schilling believes he can count on the common sense of his company’s young, tech-savvy employees to maintain security standards. Still, he isn’t taking any chances. The company uses Symantec Endpoint Protection to restrict and define administrator access. “It’s just being sensible,” he says.
For Schilling, application and device control are two important aspects of security: policies are set to automatically scan any executable programs as well as external devices connected to a user’s USB port. “When employees bring in devices for troubleshooting, I’ve found it to be a best practice to connect their system to my USB port, which sees it as an external hard drive,” explains Schilling. “I have set Symantec Endpoint Protection to scan and disinfect their systems before I work on them. This way I can find threats that might be hidden. Symantec Endpoint Protection identifies and blocks a threat in this fashion at least a couple of times a month.”
Meet external requirements
SMBs also need to conform to the security policies of the organizations they deal with. “SMBs work with larger enterprises or government agencies that have to meet a host of compliance and regulatory guidelines,” explains IDC’s Folco. “It’s important to have a holistic approach to security that encompasses data protection, retention, and access and then set up policies to implement it.”
As a private, non-profit organization, MCA is subject to arduous government regulations. “We have to deliver a very exacting level of security and compliance that the board of directors can sign off on, yet do it within the budget of a cultural organization,” explains Murphy. He must also consider other factors such as providing contributing artists secure and easy access to MCA’s systems.
Direct Agents’ experience shows that security standards can be an important selection criterion for clients. “Clients will sometimes ask us for a briefing on our security procedures,” notes Schilling. “When they do, the fact that we’re enforcing end-user policies and using a solution from Symantec helps gain their confidence.”
Maximize your resources
Often, small businesses don’t have staff dedicated to maintaining IT systems. At CBSA, Hensley wears many hats. She’s executive administrator, manages the firm’s marketing, promotions, and 3-D rendering, develops project specifications, and takes care of IT. Not surprisingly, she’d prefer to spend as little time as possible on IT.
Fortunately, with Voice-and-Data by her side, she doesn’t need to. “It’s absolutely necessary to be able to have faith in your IT partner and the solutions they recommend,” Hensley says. “Because of this, I rarely have to think about whether my server is protected and whether I need to be worried about data getting corrupted or lost.”
For Direct Agents’ two-person IT team, cloud computing helps minimize the time it spends on maintaining IT security. “Hosted and cloud resources are robust and secure far beyond the ability of a typical small business to recreate. We don’t need to worry about things like data encryption, data integrity, or backups—our service providers take care of those things,” explains Schilling.
Hosted services offer a cost advantage as well. “We’re seeing a 75 percent savings in total cost of ownership using cloud services versus trying to host an equivalent infrastructure in-house,” Schilling says. Josh Boaz, Direct Agents’ co-founder and managing director, admits he was reluctant to trust cloud services at first. “But Nate persuaded me it would be secure and cost-effective. This has proven to be true.”
Innovation is another benefit of relying on an IT partner. “We’re investing in a $50 million new facility that will have cutting-edge technology built into it,” explains MCA’s Upston. “As I studied the IT departments of other museums, a common complaint was that the IT crew can itself become change-resistant. They hesitate to adopt new technologies, sometimes because of security concerns, that we in the art-educational world might want. When I outsource my IT, innovation is an incentive for both of us. I can control my budget and not worry about security, and work together with my IT partner to set milestones for future investments.”
Sean Murphy, the principal at MCA’s IT partner, agrees. “I can afford to provide technological innovations and solid security because I have the consistency of Symantec’s products behind me. I need a toolset that gives me the confidence to be able to do a quality job and budget for a whole year in advance without feeling exposed.”
At the end of the day, SMBs’ security requirements are simple—a well-oiled system that works in the background, without impacting the productivity of end users. “When SMBs invest in IT security, they’re considering more than just the products,” says IDC’s Folco. “They’re looking for customer service and support.”
How Safe Is Your Business?
One innocuous spam, then a deluge that jams your network. One suspect download that wipes out weeks of business-critical data. A tape backup destroyed in a burglary. These seemingly mundane incidents can have a long-term impact on the bottom line of SMBs.
So what are they doing about them? Not enough, according to a survey of 1,500 U.S. small businesses by The National Cyber Security Alliance. Conducted in partnership with Symantec and Zogby International, the survey finds that 75 percent of small businesses use the Internet to conduct business with customers, and most store vital business data in their systems. Yet for nearly a quarter, cyber security is still just “a nice thing to have.”
SMB Survey Highlights:
Sixty-five percent store customer data, 43 percent store financial records, 33 percent store credit card data, and 20 percent have intellectual property and other sensitive corporate content online.
Eleven percent never check their computers to ensure that antivirus, antispyware, firewalls, and operating systems are up-to-date. Yet only six percent fear the loss of customer data.
Only 28 percent have formal Internet security policies, and 35 percent provide training to employees about Internet safety and security.
Sixty-six percent of employees take computers or PDAs containing sensitive information off-site. Twenty-five percent do not ensure password protection for their wireless networks.
1 United States Small Business Administration, www.sba.gov.
2 “The State of SMB Security: 2008-2009,” Forrester Research, www.forrester.com.
Dee V. Sharma is a managing editor for CIO Digest and The Confident SMB, and an executive at NAVAJO Company. Her work has also appeared in publications such as The Economic Times and Times of India.

