The tough economic climate and general lack of capital mean small and midsize businesses (SMBs) are more focused on business survival than investing in security measures. However, security vendors say being ill-prepared in this area might hasten the company's demise due to potential financial and reputational losses.
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies tend to be "hard-pressed" to invest or focus on IT-related resources such as security tools due to the lack of capital. This financial situation is further worsened by the tightening global and local economic climates, which has forced SMBs to focus on surviving above everything else, he added.
As such, IT security may be seen as a secondary concern relegated behind more pressing concerns such as finding new business, growing and sustaining operations, maintaining human resources, and financial control, the executive noted.
Additionally, security implementations are not easy to design, implement and sustain without having a dedicated budget and skilled internal resources as it is not a singular project but a sustained program, Ngair pointed out.
No company's too small
Beyond financial constraints, many SMBs continue to have the misconception that they are too small in scale or importance to be targeted by cybercriminals, said Tan Yuh Woei, country director for Symantec Singapore. Citing the company's 2011 Threat Awareness Survey, he noted that these companies do not consider themselves targets of cyberattacks and are not implementing the proper safeguards to protect their information.
For this reason, they are not prepared to deal with disasters when these occur, he added, citing the company's 2012 SMB disaster preparedness survey which found 74 percent of respondents not having a formal disaster recovery plan in place.
"Being ill-prepared can render a company's critical information lost or inaccessible, and the cost incurred for SMBs in terms of financial loss and reputation will be [higher] than the costs used to implement IT Security," Tan said.
He added that cybercriminals are not just targeting executives with deep access to confidential information. In fact, anyone in the position to provide them with corporate information and "open the door to more attacks" will be targeted, he warned.
Start forming a plan
Ngair noted that there are ways around SMBs' financial budget though, saying that service providers that offer a "cost-effective bundle deal" of tools and management services are one recourse for cash-strapped companies. Since SMBs typically have light IT security needs, they should find a good partner which can manage these and negotiate a long-term contract, he added.
David Maman, CTO of GreenSQL, an database security vendor, agreed. He said small companies should prioritize protecting weak spots in its IT infrastructure, including every PC, server, switch, and router.
Besides, many security vendors provide a free version of security tools with limited features, and these might be sufficient for the average SMB, he added.
That said, insufficient product or market knowledge may mean companies sign up for bundled deals that do not address their security issues or be misled that a simple implementation of antivirus or firewall is all that is needed to safeguard their entire business, Ngair warned.
On a broader level, SMBs should develop a disaster preparedness plan that evaluates how IT technologies such as mobile, virtualization and cloud computing can help in security efforts, Tan urged.
"Just because a business is small does not make it immune to security concerns. Developing an effective defense strategy can help these companies improve their security posture and keep their networks and businesses running," he said.