On cybersecurity, small businesses flirting with disaster, survey finds

Small businesses often kidding themselves on cybersecurity, survey reveals.
Written by John Fontana, Contributor

U.S. small businesses are hiding behind the belief they have done enough to secure themselves against hackers and malware when in reality many are vulnerable to attacks that could doom their businesses, according to a recent survey.

The survey, sponsored by the National Cyber Security Alliance (NCSA) and Symantec, found that 77% of 1,015 small businesses think they are safe from cyber attacks. The survey defines small business as a company with fewer than 250 employees.

The reality, however, is that 83% of those companies do not have a cybersecurity plan in place even though they are relying more and more on technology such as cloud services and social media to conduct business.

The survey, conducted in September, is out now as part of National Cyber Security Awareness Month.

The survey points to eight ways SMBs can improve online safety practices, including taking inventory of and protecting stored data, and enforcing strong password policies. (Full list of 8 tips).

The survey found many areas where small businesses had issues, such as establishing Internet security policies and practices, handling and responding to data breaches, and providing consistent IT/security management.

Symantec reported that 40% of nearly 1 billion recorded cyberattacks in the first three months of 2012 were targeted at companies with 500 or fewer employees. The company said cyberattacks, such as a data breach, could prove fatal to small companies.

In the survey, nearly 60% of respondents admitted they have no plan outlining how to respond to and report loss of data due to a breach.

Many are not even feigning concern even though their digital footprint is growing.

Some 66% said they are not concerned about cyber threats either from external hackers or nefarious employees or contractors inside their companies.

Given the number of publicized attacks in 2012, including retailers such as Zappos and organizations such as the IEEE, the nonchalance of small businesses seems almost reckless.

Indeed, Visa Inc. reports that small businesses represent more than 90% of payment data breaches reported to the company.

Against the backdrop of those figures, 86% still say they are satisfied with the security they provide to protect customer and employee data, and 83% strongly or somewhat agree they are making enough investments to protect customer data.

Those numbers align with what small businesses think, but might not be doing, about cybersecurity. Seventy-three percent say being safe on the Internet is critical to their success and 77% say strong cybersecurity and online safety is key to protecting their company brand.

The survey had a number of other interesting conclusions, including the fact that companies started after 2008 are nearly 20% more likely than older small businesses to have a written cybersecurity plan.

Also, 87% of small businesses don’t have a formal written Internet security policy for employees, and 70% do not have policies for use of social media.

The survey showed that not many employees are subject to discipline regarding Internet security and privacy. A full 90% said they have not had to discipline an employee related to misuse of the Internet, a security incident related to the Internet or a privacy violation. And 94% said they have not had to fire or dismiss an employee for misuse of the Internet, for a security incident related to the Internet or a privacy violation.

The full survey can be found here.

