Malware – software designed to damage your computer system without your knowledge – is a problem for businesses of all sizes . Yet a security breach resulting in thousands of pounds worth of lost profits could put a smaller company out of business.

Malware refers to computer viruses, worms, trojan horses, spyware, dishonest adware and other malicious and unwanted software, and it has changed dramatically over the past 15 years, as attacks have become more targeted, more frequent and harder to detect. According to research by security software vendor Webroot, in 1990 less than 10,000 unique samples of malicious programs were identified. By 2007, this number had rocketed to almost 5.5 million. In fact, Gartner estimated that 75% of businesses would be infected with undetected, financially motivated, targeted malware by the end of 2007.

Not only are attacks becoming greater in number, but they are increasingly targeted. The rise of social engineering brings an increasingly popular method of attack, and threats are becoming more and more sophisticated in their attempts to infect a system. The motivations of the perpetrators of these attacks have also changed – assaults historically carried out for the purpose of vandalism or ego gratification now have financial motives. Instead of destroying data, malware such as spyware will collate personal information with the purpose of exploiting the data for financial benefit.

Lost profits

The cyber-criminal’s gain will be your business’ loss. The annual Information Security Breaches Survey by consultancy firm PricewaterhouseCoopers found that the cost of a security breach occurring within small and medium-sized businesses starts at around the £15,000 mark, increasing up to £1.5m for very large businesses. But while a large enterprise might be able to overcome this, for yours it could prove fatal.

There is a knowledge deficit among growing businesses when it comes to security. “They are becoming more tech savvy, but not security savvy,” says Guy Bunker, chief scientist at Symantec. This is due to a lack of resources, and, moreover, a lack of time, says Derek Colvin, head of IT at online eyewear specialist Glasses Direct. “Most businesses have an ‘I don’t need it done right, I need it done by Tuesday’ approach,” he laments.

Certainly, this attitude must change. Businesses need to educate themselves and do it now if they are to mitigate the risks presented by malware. Reassuringly, not all small business leaders have their heads in the sand. While the internet age has brought immense business benefits, Colvin is well aware of the associated risks. “Malware is a fact of doing business today,” he says.

Spam scams

The sources of infections are varied, but according to Webroot, the one biggest culprit is spam email. With so many businesses reliant at least in part on email as a means of conducting business – analysts at IDC estimated that over 6.62 trillion business emails will be exchanged in 2008 – it’s an obvious target for scammers and thieves.

Most growing businesses nowadays tend to use an email service provider – some of these offer ‘clean feeds’, which means they will strip out spam and viruses before employees even get a chance to become infected. “With the increase in threats, it behoves the growing business to use as many ‘experts’ as possible – and as cheaply as they can,” says Bunker.

Another way that machines can pick up spyware, viruses, malicious adware and so on, is by the user visiting dubious websites, which often happens when a link is clicked in an unsolicited email. The problem is, it’s impossible to tell the difference between a link that is legitimate and one that is not.

From this perspective, Webroot is doing its bit in the war against malware, and its chief technology officer, Gerhard Eschelbeck, is leading the troops into battle. “It’s no longer like the early days, where you got virus samples from your customers. Today, you actually have to hunt for spyware – you have to find it and track it down,” he says with relish.

So, three years ago, Phileas was born. It’s a program with an infrastructure that trawls the internet in much the same way as Google, but instead of searching for the relevant search terms, it seeks out malicious viruses and code. “That gives us an early indication of where malware is, where it’s coming from, how it’s evolving and which countries are most affected by it,” says Eschelbeck.

Up-to-date patching

Reassuring as it is that Webroot and other security software vendors are constantly on the look-out for new threats, what else can you do to protect your business? First, keeping patching updated is essential for companies serious about protecting themselves. “Updating is important because, as soon as a new vulnerability is discovered, cyber criminals start architecting and circulating attacks,” explains David Lacey, security consultant and former senior security adviser at Shell and Royal Mail.

Microsoft provides patches, or what it terms ‘security updates’, on the second Tuesday of every month. Operating as a smaller business has both its advantages and disadvantages when it comes to keeping on top of security updates. “Because we’re small, we can be nimble. It doesn’t take us as long to fix patches, for example,” explains Colvin. “Larger companies that have been online for a while have generally learned the hard way what can go wrong.”

Most small businesses cannot afford to demonstrate this lackadaisical approach to security. One of the principle difficulties is that smaller businesses can rarely afford to have a dedicated IT security resource in-house. “Small and medium-sized companies sometimes don’t have the expertise that large businesses do. They are there, striving to succeed in their business, and money is tight,” explains Ed Gibson, Microsoft UK’s chief security adviser.

The good news is that there are plenty of relatively inexpensive technologies that can help you to protect your business. Most PCs nowadays come with at least a trial version of an endpoint security package, typically from Symantec, or one of the other large vendors. “For the small and medium-sized enterprise that doesn’t have the time or the expertise to become a security expert, the first line of defence really is in protecting the endpoint, with anti-virus, personal firewall, intrusion detection, anti-phishing software and so on,” asserts Bunker.

If you don’t fancy the prospect of installing, running and updating all this security software onto your PCs, there is another option. At present, security forums are dominated by discussion of the new hot topic: security software as a service (SaaS).

In the cloud

Increasingly, software packages like customer relationship management (CRM), and now security, are being delivered via the internet rather than being installed directly onto the machine or network – all you need is a browser. This means of delivery is also often referred to as being ‘in the cloud’.

“I think there is a transition, from a business perspective, of moving from a pure desktop detection to SaaS protection,” says Eschelbeck. “So you keep protecting your desktop as the last line of defence, but you add another layer of defence into that.

“This approach to security couldn’t be more tailored towards small businesses,” he continues. “If you think about managing an IT environment in a growing business, typically there are not many resources available, time is very limited  and it’s a very resource-intensive kind of work to manage software on the desktop.”

Removing this burden allows growing companies to focus on their core business, and on expanding their operations, according to Eschelbeck. But the plethora of security products out there will only go so far. “Technology’s always the safety belt, but education is also very critical,” he says.