Small businesses fail to address data risks in server virtualization

A recent Symantec survey of adoption of virtualization within small businesses revealed that most companies are failing to take even the most basic steps to reduce risks to their data.

According to a recent Symantec poll examining adoption of virtualization within small businesses and its impact on their organizations, most companies have a strong interest but are still learning how to best implement the technology.

The Small Business Virtualization Poll indicates that 70% of small businesses -- defined as companies with 5-249 employees -- are considering server virtualization. However, only 10% have actually completed their virtualization projects.

IN DEPTH: The dark side of server virtualization

As can be expected, financial benefits are a major driver for deciding to virtualize, with most companies hoping to reduce both capital and operating expenses. Other benefits cited include the ability to use fewer servers for the same number of applications, and server scalability.

Despite their interest, small businesses are finding it difficult to move from discussions to execution due to their IT staff having limited or no skills in virtualization. Nearly a third of the small businesses that don't have virtualization plans cited lack of experience as a factor. Of the respondents, only 10% have deployed virtualized servers and they are focusing their early-stage efforts on simpler, less critical application areas.

According to Kevin Rowney, director of marketing for virtualization, cloud and mobility at Symantec, many small businesses are wrestling with the virtualization decision. In particular, they are concerned about how virtualization will impact performance, backup and security, and patch management. Other areas of concern include system architecture and design issues, as well as workload capacity and planning issues.

In an effort to overcome the lack of in-house skills, more than half of the organizations are engaging third-party expertise to help them through their virtualization trials.

From a basic controls and risk management perspective, many of the small businesses that have implemented virtualization are putting their data at risk by not taking the most basic steps to secure and protect their virtual environments.

First, 85% of the companies don't have a regular and consistent backup process for their virtualized servers; 23% of the respondents conduct backups infrequently or not at all.

Second, 78% don't have antivirus software on their virtual servers; 48% don't have a firewall; and 74% forego endpoint protection. Budget and staffing issues are the reasons cited for preventing them from taking these essential actions. Rowney laments that small companies are often more focused on opportunity than on controlling risks to their business.

Of the 30% of respondents that are not considering virtualization for their organizations, the primary reasons cited are security concerns, reliability issues and cost.

For those small companies making the leap to a virtualized environment, Symantec has some simple recommendations to make sure they are properly protecting their data and systems:

• Engage a qualified IT consultant to develop a virtualization strategy. Proactively develop guidelines and assess your organization's data protection and security needs. Once a strategy is in place, stick to it.

• Take appropriate measures to secure your virtual environments, including a firewall, antivirus and endpoint security. Make sure you have established security practices as an additional layer of protection.

• Protect your data by having a simplified approach to backup, and implement a solution that protects both physical and virtual environments. Also, consider a data de-duplication solution to save space and time.

History has a way of repeating itself when it comes to new computing technology. "Early adoption often comes before all the security considerations are taken," says Rowney. "Virtualization is a sledgehammer that is transforming IT. As a result, companies aren't prepared for what can hit them. To avoid the lumps, a little bit of knowledge and help from external partners can provide adopters guidance on what kind of security threats may arise so history doesn't repeat itself."

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Learn more about this topic

Case study: Hungry for virtual server security

Brocade's virtualization strategy: We use everything

New security tools protect virtual machines

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10