SMBs lack cybersecurity practices - training is something that hardly exists
by Steve Ragan - Oct 27 2009, 20:15
A study released on Tuesday from the National Cyber Security Alliance (NCSA) and Symantec says that small businesses are simply unprepared when it comes to security policy and actions.
The survey was taken as part of a National Cyber Security Awareness Month (NCSAM) initiative. In it, 1,500 small business owners answered questions related to cybersecurity awareness and policies. Of those who took part, 65-percent said they store customer data, 43-percent reported storing financial data, 33-percent keep credit card data, and 20-percent store sensitive company information.
Given those figures, it is puzzling that the majority of SMB owners said that the Internet was a critical business service, yet they are doing little to actually protect all the stored information accessible to the Web. The survey shows discrepancies between needs and actions regarding security policies and employee education on security best practices.
Only 28-percent of U.S. small businesses have formal Internet security policies and just 35-percent provide any training to employees about Internet safety and security. Yet at the same time, 86-percent of these firms said there isn’t anyone focused solely on IT security. Of the SMBs who said they offer security training, 63-percent actually offer less than five hours a year.
“The 20 million small businesses in the U.S. are a critical part of the nation’s economy. While small business owners may understandably be focused on growing their business and the bottom line, it is imperative to understand that a cybersecurity incident can be disruptive and expensive,” said NCSA Executive Director Michael Kaiser.
“To the millions of very savvy entrepreneurs across our nation, our message is simple - being smart about the online safety of your employees, business and customers is a critical part of doing business. Cybersecurity is not a nice to have for American businesses, it is critical to their survival.”
The study found that while more than 9 in 10 small businesses said they believe they are safe from malware based on the security practices they have in place, only 53-percent of firms check their computers on a weekly basis to ensure that anti-virus, anti-spyware, firewalls and operating systems are updated, and 11-percent said they never check at all.
As mentioned, 75 percent of SMBs said that they use the Internet to communicate with customers, yet only 6-percent fear the loss of customer data and only 42-percent believe that their customers are concerned about the IT security of their business. What’s more, 56-percent of small businesses believe cybersecurity is the cost of doing business while 21-percent believe it is just “a nice thing to have.”
“Security threats are becoming more complex and employees of small businesses are increasingly the target of attacks that expose their organizations to data loss,” said Sheri Atwood, vice president, global solutions and programs, Symantec. “Security awareness and education, combined with a comprehensive security solution, can empower small businesses and their employees to protect themselves and their information.”
At the same time, training is easy to recommend. Considering that training takes time and money, actually implementing it is something else. A typical SMB has neither the staffing nor the budget in most cases to split IT, so the IT department is there to deal with operations and security as well as end user training.
It’s a vicious circle, and one that is simple to deal with on paper and by issuing talking points. Training and awareness are always the best line of defense. The question, which is not a part of the NCSA survey, is how can you do awareness training without adding more to the budget or taxing IT beyond the point where they can accomplish all that they need to without the stress?
Tell us, how does your company deal with security training? If there have been several efforts to tackle this issue, what attempts failed in the past leading to where you are now?
The full survey is here.