Are SMBs Paying Enough Attention to Security?

Carl Weinschenk

There are, of course, significant differences in how small businesses and enterprises approach things. These differences include technology, reporting requirements and the willingness of these organizations to share information about what is going on.

The issue of big versus small comes very clearly into focus in the security realm. The Ponemon Institute has issued a report suggesting that 55 percent of responding small- and medium-size businesses suffered breaches and almost all of them – 53 percent – had more than one. The survey was conducted by Hartford Steam Boiler, a part of Munich Re.

It seems almost certain that SMBs are cutting corners on their reporting responsibilities, according to a report on the study at eWeek:

Only 33 percent notified the appropriate people affected, even though 46 states require that individuals be contacted when their private information is exposed.

Bloomberg Businessweek’s Patrick Clark blogged about the study. He quoted an executive from Hartford Steam – which, despite its name, is an insurance company – and pointed out that the company stands to profit if SMBs become more careful. However, that doesn’t invalidate the comment:

“When it comes to disclosure, a lot of them think, ‘We’re so small, no one’s going to know,’” says Eric Cernak, a vice president at Hartford Steam Boiler, the Munich Re subsidiary that commissioned the Ponemon study. “They’ll say: ‘Let’s just sweep this under the rug. We’re not going to report it because no one’s going to find out about it.’”

The coverage of the study had no metrics comparing how SMBs’ approaches differ from enterprises’, but the differences are no doubt stark. The beauty of the Internet and broadband is that they allow small fries to act like the big boys. This attracts the attention of criminals, who may see attacking SMBs as more profitable than going against more formidable enterprise defenses. The issue will grow as mobility and BYOD approaches create more vulnerabilities.

This means that SMBs must walk the walk on security as well. Business2Community offers three tips: use a corporate-class firewall, combine it with anti-malware and antivirus software, and educate workers. The story adds some meat to these suggestions. The bottom line is that what seems like second nature to organizations with enough money to have security staffs may be a bit less obvious to SMBs. The importance of security must be reinforced, and buy-in must come from the top:

Most small businesses cannot afford to spend tens-of-thousands of dollars on IT security, but getting the right security solution that is in line with your business needs is important. Having a solid security package makes sense for any business no matter the size. The minimal cost of contracting a managed firewall provider and managed antivirus service saves businesses much more in continued productivity and losses due to emergency down times or embarrassment of being hacked. An undefended attack on your network could shut it down completely, making a small investment in prevention a crucial element to keeping your business running smoothly.

Dynamic Business, an Australian site, posted a piece on a particularly scary-sounding attack: Crackers are getting into systems, controlling the data and ransoming it back to its rightful owner. The writer quotes Robbie Upcroft, SMB sales manager Asia-Pacific at McAfee, on the reality that SMBs are low-hanging fruit for the bad guys.

Upcroft says that more and more, SMBs are leaving themselves open to more sophisticated attacks from hackers all over the world. “Hackers send out a bunch of what are essentially bots, that search the internet for open systems. And it’s easier to send out 1000, $1000 ransom attacks rather than one $1 million attack, because all the big guys are protected.”

The thought that SMBs must be careful about security is nothing new. That is no reason, however, not to discuss the issue on a regular basis. The question is whether the smaller organizations are more proactively owning up to their responsibilities as the threat landscape grows more complex.
