IT security staff at small and midsize businesses (SMBs) spend 127 hours every month managing their on-premises security infrastructure, according to a new survey by Webroot.

That equates roughly to 16 eight-hour workdays devoted to tasks such as updating software and hardware, reimaging infected machines, managing end-user policies, and installing patches. Software and hardware updates, for example, take up more than 18 hours of IT personnel's time each month.

While the study included larger companies, too -- its 820 respondents worked for firms with 100 to 5,000 employees -- Webroot chief technology officer Gerhard Eschelbeck said that the numbers were consistent across organizational size. SMBs are spending as much time as larger companies managing their on-site security -- only with fewer people and less money. 

"Smaller companies usually have less IT resources and less resources dedicated to security, so it certainly becomes a double whammy for those organizations," Eshelbeck said in an interview. "An organization with a 100 people, by design has a smaller IT department, security department, than an organization with 1,000 people. Clearly from that perspective, it hits them doubly hard."

While SMBs might make less likely bulls-eyes for targeted attacks, the survey said that they deal with the same broader threat landscape -- such indiscriminately launched malware -- as big business and big government.

"The fact that they also are dealing with a similar amount of infections and time spent is clearly an indicator that smaller companies are impacted harder," Eshelbeck said.

The survey also found that mobile workers -- and the devices that keep them connected to the virtual office -- pose the fastest-growing concern for IT managers charged with keeping company networks secure. One in three respondents listed mobile devices, from laptops to tablets to smartphones, as their chief challenge in the year ahead. Data breaches and malware threats ranked second and third, respectively, as the top security challenges for 2011.

"Every mobile device is a potential access point for viruses, for any other piece of malware," Eshelbeck said. Mobile devices "really add a completely new vector for infection if they're always on and permanently connected outside of the corporate network."

Some 40 percent of respondents said they plan to implement a cloud-based security system in 2011 or 2012, the survey said, listing reduced IT burdens, simplified maintenance, improved malware defenses, and mobile security among their top motivations.