Small Businesses Overconfident About Cyber Security

MBA (7/24/2008 ) Palaparty, Vijay
Findings in a McAfee survey reveal predominant belief among small businesses that they are too small to be of any value to cyber criminals.

“Small businesses need to understand how to best protect their business,” said Darrell Rodenbaugh, senior vice president of the mid-market segment at McAfee Inc., Santa Clara, Calif. “North America’s 7.4 million small- and medium-sized businesses are operating in an increasingly competitive environment and tough economic climate. They are becoming more reliant on the internet to grow and succeed but are in denial about security threats.”
The report, Does Size Matter? The Security Challenge of the SMB, revealed that 52 percent of small businesses do not think they are well-known enough to be on a cyber criminal’s radar. Forty-six percent believe they do not have information that would be of value to cyber criminals; 45 percent said they are not a valuable enough target.

“Almost any small business, even the very small ones with fewer than five employees, will at the least have some stored records of confidential customer and employee information that would be of use to a cyber criminal,” said Rick Jackson, director of North American small business at McAfee.

The report also revealed that 20 percent of small businesses feel very protected against cyber crime and another 68 percent have some form of protection in place. However, one in five small businesses has little to no protection. Furthermore, among the small businesses that reported adequate protection, 50 percent said they trust the default settings on their IT equipment; 43 percent said they typically accept default settings.

”Simply using the default settings is a dangerous practice,” Jackson said. “It gives SMBs a false sense of security as they think they are protected. Using the recommended settings isn’t enough, given the complexity and ever changing security threats. Default settings are freely available to cyber criminals, which means that it doesn’t take them long to find ways to crack the security settings gaps and infiltrate business systems and networks, without owners even knowing their confidential data is compromised.”

“Time constraints are definitely a contributory factor to SMBs security,” Rodenbaugh said. “In focus groups, SMBs have told us that they don’t have enough time and they would rather not do anything rather than give it to someone else to do. One of the most effective options for an SMB is to buy security-as-a-service.”

Thirty-nine percent of small businesses reported spending just one hour per week on managing IT security threats.

“SMBs are the least protected and the most exposed,” Jackson said. ”Many small businesses are aware that they need to protect themselves against IT security threats but they don’t have the time to invest in managing all the emerging threats, keeping systems updated nor the IT budgets to buy and maintain complicated, expensive security solutions. It’s a constant challenge to balance the resources available in comparison with the perceived threat.”

One in five small businesses, however, acknowledged that an IT security attack could put them out of business.

“Cyber criminals don’t discriminate and to them, size doesn’t matter,” said Jeff Green, senior vice president of McAfee Avert Labs. ”In fact, high profile attacks are becoming less frequent because they are often detected more quickly, and attackers are favoring stealth attacks that quietly infiltrate systems. Attackers often assume that smaller businesses will not have technology to identify their attacks and therefore regard them as easy pickings.”

“We encourage small and medium sized businesses to look closely at their most valuable assets—what matters to them most—and ensure that those assets are protected,” Rodenbaugh said. “For one business it might be protecting their customer database, for another it might be safeguarding intellectual property and ideas and yet for another it might be securing their financial information. For an SMB, the best choice is to choose one solution that covers the most likely threats to their business.”