Two years ago, I wouldn’t have thought twice about the results of a new survey by the National Cyber Security Alliance and Symantec that found 83 percent of SMBs don’t have a cybersecurity plan in place and 87 percent don’t have a formal security policy for employees. Today, that is unimaginable — and yet, that’s exactly what the 2012 national small business study revealed.
“Dumbfounded” is the word that came to mind when I read the survey. I find it very hard to believe that SMBs have figuratively shrugged their shoulders when it comes to security for their networks. And those figures above are just the tip of the iceberg. As eWeek pointed out:
The report found more than three-fourths (77 percent) of respondents said their company is safe from cyber threats such as hackers, viruses, malware or a cybersecurity breach. Nearly six out of 10 (59 percent) SMBs said they do not have a contingency plan outlining procedures for responding and reporting data breach losses, even though 73 percent of respondents indicated a safe and trusted Internet is critical to their success, and 77 percent said a strong cybersecurity and online safety posture is good for their company's brand.
It’s a bit contradictory, isn’t it? They know they need to focus on cybersecurity but they aren’t taking some of the most important steps to make sure the network stays safe. I’m a little concerned, too, that they have no plan in place in case something does happen. Are they that confident they won’t have any security issues? It reminds me of some of my friends and family members who have been hit with viruses. “But I had anti-virus software!” they tell me, but then go on to add that they clicked on a link in their email or just had to watch the video somebody posted on Facebook.
Perhaps, though, we in the media are partly to blame for this attitude. Most of the articles and outrage are focused on breaches and attacks on large corporations and on major colleges, and rarely on smaller businesses. It may be time that we talk more about the breaches that happen to all companies, because SMBs are being increasingly targeted by hackers and other bad guys. Brian Krebs provided some fabulous examples of small businesses that have been victims of a cybersecurity failure, also pointing out that this is a widespread problem:
According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the end of Dec. 2011.
I can’t say this more plainly: If you have a computer network and you are attached to the outside world in any way, shape or form, you are at risk of a breach, malware or an attack. To not do anything is putting everything you work for at risk.