A survey of U.S. small businesses conducted by Zogby International on behalf of Symantec (which produces Norton utilities software) and the National Cyber Security Alliance (NCSA) finds that while eight out of 10 small businesses in the U.S. feel their firms are safe from cyber threats, 80% of them maintain no formal information technology (IT) security policies.
That’s a major problem just waiting to be exploited, pointed out Cheri McGuire, vp-global government affairs and cyber security policy for Symantec.
“We recognize that most small business owners are focused on running their businesses, and have limited resources and IT staff dedicated to managing their cyber security needs,” McGuire said. “Unfortunately, cyber criminals are increasingly making small businesses their targets, knowing they are likely to have fewer safeguards in place to protect themselves.”
“The [cyber] threats grow in number and complexity each day, but too many small business owners remain naively complacent,” said NCSA executive director Michael Kaiser in the study. “The stakes are high for individual businesses and the nation as a whole: a single malware attack or data breach can be fatal to a small enterprise, but the collective vulnerability of all our businesses is a major economic security challenge.”
The survey found that two-thirds (67%) of U.S. small businesses have become more dependent on the Internet in the last year and 66% are dependent on the network for their day-to-day operations.
Overall, 57% of the small firms polled said that a loss of Internet access for 48 hours would be disruptive to their businesses and 38% said it would be "extremely disruptive." And 76% say that most of their employees use the Internet daily.
Yet 77% of those very same small firms admit they do not have a formal written Internet security policy for employees, and of those, 49% report that they do not even have an informal policy.
Also, more small business owners said they do not provide Internet safety training to their employees than said they do: 45% versus 37%.
Furthermore, a majority of small businesses (56%) indicated they do not have Internet usage policies that clarify which websites and web services employees can use, with only 52% having a plan in place for keeping their businesses cyber-secure.
At the same time, small businesses may not understand how to respond to online threats or the danger they pose. For example, 40% of small businesses said that if their businesses suffered a data breach or loss of customer or employee information, credit card information or intellectual property, they do not have a contingency plan in place outlining procedures for responding to and reporting the problem.
On top of that, two-fifths (43%) also say they do not let their customers and partners/suppliers know what they do to protect their information.
That’s worrisome, Symantec’s McGuire noted, because 40% of all targeted cyber attacks are directed at companies with fewer than 500 employees. She added that, in 2010, the average annual cost of cyber attacks to small and medium-sized businesses was $188,242. What's more, statistics show that roughly 60% of small businesses will close up within six months of a cyber attack.
Altogether, the total cost of cyber crime to consumers and small business owners alike is greater than $114 billion annually, according to Symantec’s data.
“It's important for small businesses to educate their employees on the latest threats and what they can do to combat them,” she explained. “Education, combined with investment in reliable security solutions, provides small business owners with a well-rounded approach to protecting their businesses and managing cyber risk.”