Report: SMBs Overconfident on Cybersecurity
Small businesses often cut costs on antivirus software by using free alternatives. "The reality is that free is not enough because the threats we're seeing today require a comprehensive approach," said Symantec vice president Brian Burch. "Free antivirus ... is like wearing a light windbreaker in a snowstorm."
Oct 18, 2012 7:00 AM PT
Small businesses in the United States are generally confident about their cybersecurity status, but they're wrong, according to a survey of 1,015 companies conducted for the National Cyber Security Alliance (NCSA) and Symantec.
Apparently, SMBs aren't doing enough to keep their businesses safe and secure, and aren't following well-established practices.
Although 94 percent of the respondents were from small businesses with fewer than 10 employees, "even the smallest of businesses may be processing customer information that needs to be protected, such as credit card data," Brian Burch, a vice president at Symantec, told the E-Commerce Times.
Some of the Survey's Findings
Eighty-six percent of the respondents said they are satisfied with the amount of security they provide to protect customer or employee data. Further, 83 percent agree, either strongly or to some extent, that they are doing enough or are making enough investments to protect customer data.
Seventy-seven percent of the respondents said a strong cybersecurity and online safety posture is good for their company's brand, and 73 percent said a safe and trusted Internet is critical to their success.
Sixty-six percent of those surveyed said they aren't concerned about either external or internal cyberthreats.
However, the survey found that 87 percent of the respondents don't have a formal written Internet security policy for employees, and 69 percent don't even have an informal Internet security policy.
Seventy percent of those surveyed don't have policies for employee social media use, and 59 percent don't have a contingency plan outlining procedures for responding to and reporting data breach losses.
Companies established after 2008 are about 20 percent more likely than older SMBs to have a written cybersecurity plan in place, the survey found.
The Risk to SMBs
There's no doubt that SMBs, which suffer from inadequate funds and manpower, are vulnerable to cyberattacks. Targeted attacks aimed at small businesses with 250 employees or fewer have doubled this year, from 18 percent of all targeted attacks in 2011 to 36 percent in the first half of 2012, Symantec's Burch stated.
Also, more than 90 percent of the payment data breach reports received by Visa come from small businesses, the credit card issuer reportedly claims.
"Businesses must evaluate where their risk is," Ken Baylor, research vice president at NSS Labs, told the E-Commerce Times. "If it is digital data such as trade secrets, financial information, or personally identifiable information, then the standards are much higher than [for] most retail outlets, which may purchase pre-approved PCI-compliant solutions."
Most small businesses "are never formally audited or held accountable for compliance" with policies, which might be acceptable-use policies introduced by the human resources department or some other entity's policies downloaded from the Internet and adopted, Baylor remarked. "Many never even read them."
The survey listed a number of online safety practices for small businesses.
SMBs should know what they need to protect. They should also enforce strong password policies. Further, they should map out a disaster preparedness plan as soon as possible, encrypt confidential information and use a reliable security solution.
"Freeware vendors have created the false perception that free, basic security is enough to protect you from today's online threats," Symantec's Burch remarked. "The reality is that free is not enough because the threats we're seeing today require a comprehensive approach. Free antivirus ... is like wearing a light windbreaker in a snowstorm."
SMBs should update their security solutions regularly, he said. They should also develop Internet security guidelines and educate employees about Internet safety, security and the latest threats.