ZDNet Asia - Where technology means business
  SMBs missing out on desktop security
By Aaron Tan, ZDNet Asia
Friday, August 26 2005 02:51 PM

Small and midsized businesses are placing too much trust in their internal systems, leaving their doors open to security breaches.

"While SMBs protect the parameters of their corporate networks, what's disturbing is they trust internal users a lot. Many (internal) desktop systems are not patched and wide open," said Gerry Chng, manager of Ernst & Young's technology and security risk services.

"But whenever we talk to them about the lack of internal security, they say they need to trust their employees. Our view is that you must have prudent trust. A piece of information meant for one group of workers may not be meant for another," he said.

Chng revealed that there was an SMB retailer in Singapore which had its prices posted on a competitor's Web site. The information came from the retailer's Intranet, he said. "A lot of these threats come from the lack of internal defense."

The most common security threat arising from the lack of internal defenses among SMBs is spyware, said Steve Lam, another security expert from Ernst & Young.

"You could only install spyware manually by clicking on some buttons in the past, but recently, we've been seeing a lot of spyware that install on their own," he said.

"These spyware (programs) make use of vulnerabilities within Web browsers to install themselves on computers. The old logic of telling employees not to run unfamiliar programs does not help to prevent the kinds of spyware we see today," he added.

Lam explained that there are many kinds of spyware, including pop-up boxes with misleading messages asking users if they want to patch their computers. "Once you click on the 'yes' button (to patch the PC), the spyware installs by itself."

Such spyware programs are major threats, because they do not go through the usual channels protected by firewalls, Lam noted.

Other spyware programs include browser toolbars that add new features to Web browsers such as "cute icons". Another example would be those that are bundled with freeware such as Kazaa, a popular file-sharing program, Lam said. "Behind all those, spyware is being installed."

The lack of user awareness of spyware is the main cause of its pervasiveness, Lam added, pointing to an October 2004 study by America Online and the US-based National Cyber Security Alliance (NCSA).

In that study, 80 percent of 329 Americans surveyed had spyware after their PCs were scanned for the purpose of the study. In contrast, 47 percent of them thought they were free from spyware before their PCs were scanned.

The lack of user awareness is also underscored by the fact that 85 percent of respondents who thought they had spyware could not name the spyware programs in their machines.

The intention of spyware is not just to create nuisance, Chng said. There is a business case as well, because spyware allows advertisers to find out more about the surfing habits of users.

With this information, advertisers can push out targeted ads to computer users for commercial purposes. SMBs should be concerned, because the privacy of their employees, as well as their business activities, could be threatened, he warned.

Worms and viruses, Chng said, could potentially dampen business productivity much more than spyware. "The prominent ones last year were the Netsky and Bagle worms," he said.

According to a study by research firm Gartner, worms and viruses topped the list of security threats among large enterprises. Conducted in May this year, the study polled 133 North American organizations with global operations and revenues exceeding US$750 million.

Chng recounted an experience with a company, which received requests from employees to clean up the Netsky and Bagle worms. The employees had thought their colleagues were infected with the worms, when they were not.

"What Netsky and Bagle did was to pick two addresses in a user's e-mail address book and send out spoof messages from one e-mail address to another," he explained.

"The originator of the e-mail messages was from someone outside the organization who had the e-mail addresses of the 'affected' employees."

The good thing that emerged from this single incident is that the company is now spending more time, an hour a day, monitoring security bulletins and plugging the loopholes when necessary, Chng said.
