Organized desktop protection

Small but growing companies and disorganized larger companies fall into the same trap with desktop security products. One day, someone notices that each computer has a different anti-virus package, a different anti-spyware package, or none at all. Three or four computers can be managed individually, but when you’re talking about more than a handful, “individually managed” becomes synonymous with “not secure.” That will cost you time and money and headaches.

Let’s talk about suites of computer protection software that make management of a group of computers easier than running from computer to computer and checking software manually. Both CA (CA Protection Suites r2) and Trend Micro (Client/Server Messaging Security) have suites that include protection against spam and virus outbreaks, and CA includes spyware support and desktop data protection. Trend Micro believes spyware can be better handled by network-level protection and does not include that feature in its package but it can be added easily.

What should you look for in a protection suite? Convenience, administrative time savings, and good reports and feedback about your security situation, which will immediately improve.

Both products require a Windows server (2000 or 2003, including the Small Business Server 2003) to act as the central hub for security. Using Windows server utilities, security applications and updates will be automatically pushed out to client computers so you don’t have to go from machine to machine. Plus, automatic updates means you don’t have to rely on users to update their own software (a losing cause in almost every case).

Aimed at companies hosting their own Exchange e-mail server as part of their Windows server features, both protection suites include anti-spam controls and e-mail-carried virus protection. Layered spam controls work best for most companies, because you can stop obvious spam at the server and let each user fine-tune their own spam controls at their desktop. Other security features, such as stopping virus outbreaks at the start and phishing protections, work better on a server than individual computers.

Centralized update controls do a much better job managing your bandwidth, because the application can download the new virus signature definitions (for example) and distribute the updates to the rest of the computers. This guarantees each computer will get the necessary updates, eliminating the problem where a user who turns their computer off each night bypasses the 2:00 AM scheduled updates.

Management console displays will show you each client computer’s status for all the installed software. Trend Micro calls it the Security Dashboard, while CA has its Desktop Control Center. Drill down into specific client computer details while sitting at the comfort of your own computer, and verify that the salesperson who always brings viruses in on his laptop has the latest protection enabled before letting the laptop on your network. CA offers data protection, meaning you can monitor user’s back-up status from the Desktop Control Center and force a backup of those people who somehow turned their computer off during the last scheduled backup (some users will do that even if you schedule the backup for 2:15 in the afternoon – don’t ask me how, they just always short-circuit their protection).

These solutions cost more money because they have a server component involved. CA’s tool starts at about $1,000 for the server component and five client licenses. Extra clients are around $80 apiece in groups of 5, 10 or 20 licenses. Trend Micro doesn’t charge extra for the server portion, and client license blocks of 5, 10, 25 and 50 users can be purchased for $50 to $62.

To add spyware coverage to Trend Micro’s offering, add another $25 or so per client. Yes, you can buy a complete desktop protection suite for less, but then you’re back in the “cross your fingers” security mode where you trust the user. You can’t trust users, no matter how well-meaning they are and how much they promise to behave, and a managed suite lets you control their security configuration.

I suggest contacting a reseller and getting a demonstration, preferably on your own network. Resellers can often shave the prices a little, and they provide security expertise you probably don’t have on your own IT staff.

Even if you have a smart security person, the reseller sees many more networks, and many more security mistakes, than your staff person. Let the reseller’s experience put a centralized management suite in place, configure it properly, and you no longer have to worry about what that salesperson brings to work hiding inside that infected laptop.