Nasty things began happening at Jones & Wenner not long after the Fairlawn, Ohio, insurance brokerage decided it had grown large enough to handle company email in-house.
The free Web mail services the firm's 20 employees had used to conduct business no longer cut it. So the company purchased a Microsoft Outlook Exchange email server.
Within weeks, email spam began to inundate each employee's in-box, much of it carrying viral attachments or links to poisoned Web pages, recalls Joyce Sigler, Jones & Wenner's information technology vice president.
"We caught a virus that actually moved from one machine to another," Sigler says. "Someone just opened something they shouldn't have opened."
For companies like Jones & Wenner, the Internet is a powerful enabler of new efficiencies. But it also exposes them to savvy and persistent cybercriminals seeking weak prey.
Some attackers specialize in breaching company websites to pilfer business documents and customer information. Others are expert at poisoning a company's Web pages as a means to infect and take control of visitors' PCs.
Small and midsize businesses — so-called SMBs, those with five to 5,000 employees — face a heightened risk, because many lack the wherewithal to recover from the long-run consequences of a serious breach, says Lawrence Pingree, research director at technology research firm Gartner. So SMBs have begun to increase spending on specialized help to shore up security in basic areas, including spam filtering, website defenses, data encryption and basic anti-virus protection.
Global spending on security equipment and software by companies of all sizes is in the midst of a multiyear run of 8.9 percent annual growth — and is projected to rise to $85.8 billion in 2016, up from $56 billion in 2011, despite a sputtering economy, according to Gartner.
"Security spending tends to be resilient in bad economic times, as bad economics typically lead to higher rates of fraud and criminal activities," Pingree says. "Most companies continue to enhance security measures against adaptive and more heavily targeted attacks."
Sigler, for example, had to rebuild the operating systems of several corrupted PCs, causing downtime for workers who depend on their machines to provide customer service and interact with partner insurance carriers.
She went shopping for help and found AppRiver, a Gulf Breeze, Fla.-based company that filters spam and provides other hosted security services for some 45,000 clients, mostly smaller companies.
The insurance firm now routes all of its incoming e-mail to AppRiver for cleansing. "It's like night and day," Sigler says. "We're about selling insurance, so that's not really where we wanted to spend our time."
Spammers aren't expected to relent anytime soon. In the first six months of this year, spam accounted for 82 percent of all email traffic, and the number of new viruses carried in email spam continues to climb, according to AppRiver.
In the first half of 2012, AppRiver intercepted 470 million e-mails carrying malicious software, double the 235 million pieces intercepted in the first six months of 2011. "Spam volume is actually slightly less than it has been over the past decade, but it's still very high," says Joel Smith, AppRiver's chief technology officer. "And the stuff that's out there is much more malicious."
It's not just spammers that small and midsize businesses need to repel on a daily basis. Specialist hackers are adept at stealing data and planting infections in Web pages.
At the Hastings & Prince Edward Counties Health Unit, a government agency in Ontario, Canada, Tom Lockhart oversees the IT systems used by 150 public employees who deliver health services to 175,000 residents from two counties.
As the agency put more services online, including immunization records, flu inoculation programs and well-water inspections, it took in more personal information — and became a bigger target. Lockhart found himself spending an inordinate amount of time trying to fend off attacks, and rarely feeling truly at ease.
"I spent a lot of time keeping an eye on the traffic log, sanitizing code, patching and dealing with exploits," Lockhart says. "Sometimes I'd have to take services offline to make sure that was done."
Then he installed a new type of firewall from Barracuda Networks that essentially puts the agency on the offensive, knocking down any suspicious website probes that appear to be coming in from a would-be intruder.
Such advanced website defenses have long been available to large enterprises with deep pockets, but affordable versions for SMBs have come on the market only in the past two years, says Paul Judge, Barracuda's chief research officer.
"The attackers are out there taking a shotgun approach, putting their malware anywhere they can," Judge says. "That's why small businesses have to care about this nowadays."
For Lockhart, the extra layer of protection serves as a pressure-relief valve.
"Knowing that you've got that piece out front gives you a bit of breathing space," he says. "It gives you time to focus on making sure your services are available to the public during peak hours."
In addition to filtering malicious spam and website probes, another line of defense that small businesses are shoring up is basic anti-virus protection for company-owned desktops, laptops and mobile devices.
Jonathan Bell, IT manager for Strategic Applications, a 20-person firm that customizes collaboration, auditing and report analysis programs, recently switched the company's desktops and laptops to a cloud-delivered anti-virus service from Panda Security.
In the past, Bell says, each computer had to be in the office connected to the network for him to install the latest anti-virus updates.
"When a person is traveling and they disconnect from the network, we don't see them until they actually come back and plug in," Bell says. "Anything they might miss, they won't get until they come back."
That could be a big problem, he says, if a new virus spreads: The machines in the office get updated protection, but the ones on the road don't.
Panda's protection doesn't reside in the individual machine. Instead, it is delivered over the Internet, whenever the computer is connected to the Web, and updates are handled by Panda centrally.
"I don't have to go into the office and check all the machines," Bell says. "I can even pull up a (Panda) console from my phone and manage all those machines from anywhere."
For some businesses, protecting company-owned computing devices, filtering spam and repelling website intruders aren't as important as locking down customers' sensitive data.
(Read More: Why Fewer Americans Are Starting New Businesses)
Online companies that accept a high volume of credit card payments fall under the PCI Data Security Standard, which requires all credit card transaction data to be encrypted.
The standard practice for data encryption calls for two separate keys, each in the possession of a different party, with both keys necessary to decipher the data, much like a safe-deposit box. That complexity made it tricky for smaller merchants to meet the encryption mandate until new technology came along from Voltage Security, says Lloyd Sayman, IT manager for Movies Unlimited.
The Philadelphia-based company, founded in 1978, has 85 employees and describes itself as the world's oldest, most-reliable video mail-order company and has an 800-page catalog.
"Even though we do a high volume of credit card transactions, we basically have a one-person IT shop," Sayman says.
Voltage supplies MoviesUnlimited.com with an appliance that handles all of the encryption but does not supply a set of split keys. Instead, the appliance itself is the key. Any hacker who managed to steal the encrypted data would also have to steal the Voltage box to have any hope of decrypting the data.
"Key management is a huge issue in encryption, but with this there is no key management, since the keys are internal to the box," says Sayman. "It's a really elegant solution for a company our size."