A new study of about 1,500 small and medium-sized businesses (SMBs) across the United States, co-sponsored by the National Cyber Security Alliance (NCSA) and Symantec, has been released. The SMBs were surveyed on areas pertaining to cybersecurity, as well as their security-related policies and practices.
Further confirming the results of an earlier study that found SMBs ignore even basic security measures, the results were nothing to write home about.
Below is a brief snapshot of the survey results, which you can access here.
Perhaps what struck me most was the fact that only 35 percent of SMBs provide training to their employees on Internet safety and security. Even among SMBs that say they offer training, the majority -- 63 percent -- actually offer less than five hours a year. That's just half a typical work day for you, and we haven't even started nitpicking on the topics covered or the quality of the "security" training yet.
If there is anything that can be said to be more incongruous, it would probably be the fact that these same SMBs are increasingly dealing with important information online. In the same study, 65 percent say they store customer-related data on their computer systems, 43 percent store financial records, 33 percent store credit card information, and 20 percent have intellectual property or other proprietary content.
My thinking is this: SMBs cannot possibly keep up this dismal lack of security awareness and not expect to be felled by some major security fiasco down the road. Given the online transactions that SMBs are increasingly engaging in, it is only a matter of "when" and not "if."
So what are some steps that SMBs can take to improve their security posture? I have some ideas, which I will share over the next few posts. In the meantime, I invite you to share your thoughts on this with me.