Small-Biz Security: Monkey in the Middle

In security (like so many other technologies), small network owners get stuck without a ball to play with, writes Security Supersite Editor Larry Seltzer. What should they do to protect themselves?

I've written a lot about technology for small businesses; if there's one thing I've learned, it's that they get no respect from the industry. Security is yet another market area where no shortage of vendors serves the consumer market, where they're tripping all over each other to get a piece of the enterprise market, but where few vendors seem to want to deal with small business.

Looking over the agenda for this week's RSA conference in San Francisco, I don't have high hopes that this situation will change any time soon.

Perhaps this is a sound business decision; enterprises are being cheap enough with their budgets these days, and small businesses always have been. Good luck prying any reasonable dough out of them for products they very likely don't understand to account for risks that must seem bizarre and remote. And maybe that, too, is a sound business decision; are Latvian crackers really breaking into my insurance agent's four-man office network? They could be, but that doesn't mean they are or that it makes good sense for me to take measures sufficient to repel them.

But let's assume you're a small business and you do want to be reasonably up-to-date in your computer security. You would likely find products that are geared, both in price and complexity, either to standalone computers or to large managed networks with sophisticated IT staffs. (There is a third class of users: techies who are sophisticated enough to run Snort and Honeyd on the networks in their dorm rooms. I'm not talking about them, I'm talking about real people.)

In a sense the ideal solution for small business is in these same open-source security products, but there are lots of problems. The most important one is that there is no good "free" antivirus solution (neither "free" as in speech nor beer) for Windows users. (There is Grisoft's AVG 6.0 Free Edition, which I reviewed about a year ago, but it's only worth recommending to people who are dead-set against spending a penny on software.) The real problem with AVG is the real problem with a lot of the rest of the business: Once you switch over to the network-based protection a business needs once it gets a serious network, cost and complexity go up.

Antivirus is the most important type of protection for small businesses and consumers. It covers the security threats that real people are most likely to encounter. But once you've covered that base, especially if you have a network and a broadband connection, it's time for a firewall, and these are almost certainly beyond the ability of most small business users to administer themselves. I've always liked Winproxy by Ositis Software, which I recently reviewed in PC Magazine, but it too could do a better job.

The real answer for small business people, no matter what software they use, is to find an honest and competent consultant to help—a consultant who will take the time to assess needs and explain the software to the customer, who will be available for help in case there is an incident requiring some immediate response, one who will even check in every now and then just to see if things are going smoothly. Maybe you can see why I'm concerned about small business.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.