Originally published 01 November 2013 by Infosecurity Magazine.
Small and medium-sized businesses (SMBs) should be paying more attention to the growing threat of cybercrime – but they are not. Despite overwhelming statistics that show this group to be at risk, more than three-quarters in a recent survey said they feel confident that they are not – and are failing to take protective measures.
McAfee has announced findings from a joint survey with Office Depot that revealed surprising security misconceptions among SMB owners. More than 1,000 SMBs participated in the Office Depot Small Business Index survey last month, and a super-majority (66%) felt confident that their data and devices are secure and safe from hackers, with 77% responding that they haven’t been hacked.
The results are at odds with industry research that has revealed these same businesses are actually prime targets of complex and evolving cyber threats. Almost three-quarters (72%) of data breaches investigated by Verizon Communications’ forensic analysis unit in its latest Data Breach Investigations Report were focused on companies with fewer than 100 employees, for instance.
Furthermore, targeted attacks destined for small businesses (1 to 250 employees) accounted for 31% of all attacks last year, compared with 18% in 2011, an increase of 13 percentage points, according to Symantec’s Internet Security Threat Report 2013 (ISTR).
The discrepancy suggests that many SMBs are not aware that they’ve been attacked.
“Cyber-attacks on small businesses rarely make headlines, so it is easy for these business owners to be lulled into a false sense of security, as indicated in this survey,” said Rep. Chris Collins (R-NY), Chairman of the US House Small Business Subcommittee on Health and Technology, in a statement. He has made cyber-awareness a priority in his Congressional efforts. “It is especially important for small business owners to secure their systems, as they may not have the resources to survive a cyber-attack, unlike a large corporation.”
That sense of safety is unfortunately leading to more risk, because SMBs aren’t implementing the protective measures they need. The McAfee study also found that only 9% of SMBs use endpoint/mobile device security, for example, even though smartphone and tablet use is nearly ubiquitous. Bring-your-own-device (BYOD) is, unsurprisingly, a top threat vector: 45% of SMBs do not secure company data on employees’ personal devices.
On top of the mobile statistics, the study uncovered that 80% don’t use data protection in general, fewer than half use email security and only about half use internet security technologies.
Perhaps most concerning of all, a full 14% of SMBs haven’t implemented any security measures at all.
“A business that doesn’t have any security measures in place is putting their data and customers’ trust in jeopardy,” said Bill Rielly, senior vice president of small & medium business at McAfee, in a statement. “As enterprises have increased their security defenses, hackers have started to target their attacks downstream to SMBs.”
Earlier in the year, Rep. Collins led a hearing to examine the increased volume and complexity of cyber-attacks on small business, and the role of the federal government in helping address cyber-security issues.
“It is nearly impossible to conduct business today without the internet and a strong digital infrastructure,” Collins said at the time. “Cyber-criminal attacks on small business intellectual property and personal financial information present a serious threat that could potentially impair a business, and the threat is growing as many small firms explore new technologies such as the cloud and mobile computing.”