Kendall Miller, CIO of Benelogic, a Maryland-based company that creates software applications to streamline employee benefits administration, has known both plenty and want when it comes to security resources. At Benelogic, a company of approximately one hundred employees, Miller oversees the administration of approximately 140,000 client employees a year. That number is expected to double.

The company is entrusted with stacks of very confidential information every day, such as medical claims or benefits information. Because the core of its business is managing customer data, information security, not surprisingly, is critical.

Miller, who previously managed infrastructure software systems at John Deere, a $14 billion-a-year company, saw that large companies worked with large numbers, both in people and in equipment.

"We probably had ten separate appliances to handle load balancing and firewalling. We ran two different types of firewall appliances, three different types of VPN appliances addressing different scenarios, and that was fine because we had hundreds of people in information security," he says. "With a smaller enterprise, you just simply can't afford that."

But he is quick to point out that information security is not so much about who has the bigger budget, but rather is just a question of efficiency and reliability.

"We find a lot of appliances don't give a lot...solutions don't give thought to how easy they are to learn and administer," he says. Even if a smaller company had the funding that some larger companies get, Miller believes that the complexity of handling so many different network operations in a constantly changing IT environment bombarded by viruses, worms and other threats would still make it difficult for even the largest of IT security departments to keep up.

Even so, a recent industry survey found that small- and medium-sized enterprises (SMEs) are still tripping up when it comes to implementing sound information security practices. According to St. Bernard Software, because many SMEs do not have acceptable use policies for using the internet, they are vulnerable to both security and compliance risks.

"By understanding what is at risk, SMEs are better equipped to meet threats head-on. The first step should be to develop a security policy and an acceptable use policy that support their business goals, and are detailed enough to include all the issues they might encounter," says John Jones, CEO of St. Bernard Software.

The survey, which questioned IT administrators from some 500 companies about various information security issues, found that many were flailing when it comes to policy creation, implementation and education. It also revealed that the majority of respondents had no perimeter security solution to defend against external threats or help to enforce policy.

At Benelogic, there are five full-time IT professionals on staff, not counting Miller, who oversee all of the company's operations. A VPN network that incorporates branch offices and mobile users, firewalls and a vast recovery facility are just some of the solutions that help him and his staff.

"I focus a lot of my attention on easier administration and centralization of administration," Miller explains. "I don't want to have one guy who is familiar with a certain technology to make a change. We need technologies with a short learning curve so that I can afford to have all five of my people conversant in at least the basics of the operations. I need to make sure that I can easily administer all of that from one place. We need to be able to look at all of it very quickly to understand what is going on."

In a large company such as John Deere, Miller recalls that easy administration was "nowhere on their decision matrix."

Steve Fallin, director of Watchguard's Rapid Response Team, believes that small businesses have an advantage here.

"The end-user training program designed to make the users smarter consumers of network resources can have a greater aggregate effect within the small organization than they can in the larger organizations," says Fallin. "If you've got 50 people in the company and you trained all 50 of them in network security, that's going to have a much greater effect on your company than if you were going to train 50 people in a 500 or 5,000 person organization."

Unfortunately, many small companies are a bit intimidated by information security, often leaving plans open until after they have experienced a compromise of some sort, says Miller.

"It just doesn't feel real until it happens to them. Security is this amorphous, not understandable, unachievable, impractical thing. They really don't have a good grip on what the practical and executable things are that they could do to raise their security level," he explains. "Security is not something you can see, feel or touch. Security is the absence of a break-in."

For the small guys, cost-effective security

All of the solutions Benelogic has deployed to enhance their information security position are cost-effective. Getting there takes some planning, however.

First and foremost, small businesses like Benelogic should conduct thorough background checks on any vendors they are considering working with, getting references whenever possible, advises Kendall Miller, CIO of Benelogic. If the original equipment manufacturer (OEM) is working through a value-added reseller (VAR), check both.

"You have to get a 360 view of the threats you're getting. Have someone who is knowledgeable in that area give you a walk-through so you don't have a situation where you've got this great and magnificent firewall, but you've got all these other ways people will break in and steal your information," warns Miller.

In addition to finding help with external threats, smaller companies must be mindful of internal ones, which are a common source of information breaches. Miller has implemented aggressive methods to safeguard information inside the network.

New hires are screened carefully. What information is accessed, and by whom, is monitored and controlled. Security software is deployed internally and desktop configurations are locked down to restrict what users can do. Firewalls segment the network for additional protection and to prevent, for example, unauthorized hardware connections. End-users also undergo rigorous training on Benelogic's security procedures to help them understand their roles in the company's security practices and to prevent tried-and-true attack types such as social engineering.

The problem is that many small companies address network insecurities after an incident occurs, says Steve Fallin, director of Watchguard's Rapid Response Team. Whatever happens to be hurting them the most is what they fix first. A company-wide approach is needed.

"When you think about the network as a whole, it's very much a shared asset," explains Fallin. "If you've got 50 to 300 people sharing an asset, there have got to be some rules around who can do what and when."