SMB Disaster Preparedness: A Recipe for Disaster
SMBs are not making disaster preparedness a priority until after they experience a disaster or data loss.
If you are a small business owner reading this, do you think your network is secure? If you think so, what steps do you take to keep it that way? Are you doing the barest minimum, like good AV software and a firewall? Or are you setting up a security policy for your employees, limiting access to data, using encryption, etc.? I'd love to know your answers because the results of a recent survey by Symantec and the National Cyber Security Alliance, and conducted by Zogby International, absolutely floored me.
The survey of small businesses found that the vast majority use the Internet daily for business and more than half said the loss of service would cause a disruption in conducting business. So, according to a press release on the survey, when 85 percent of respondents said their company was safe from hackers, viruses, malware or a cyber-security breach and seven in 10 (69 percent) believed Internet security to be critical to their business' success, that sounded like a positive thing. But then there is this kicker:
Yet a closer look reveals that most small businesses lack sufficient cyber security policies and training. Seventy-seven percent said they do not have a formal written Internet security policy for employees and of those, 49% reported that they do not even have an informal policy. More small business owners also said they do not provide Internet safety training to their employees than said they do - to a tune of 45 versus 37%. And a majority of businesses (56%) do not have Internet usage policies that clarify what websites and web services employees can use and only 52% have a plan in place for keeping their business cyber-secure.
The survey also shows that too many small businesses don't know how to respond to security threats or attacks. Forty percent don't have a plan in place to respond to or report a data breach, and 43 percent don't let their customers know records may have been compromised.
It's good that businesses are thinking about security, but just assuming they are secure can end up hurting - or even destroying - their company. For example, there are reports coming out of the United Kingdom that cyber attacks are costing UK businesses billions of pounds and, in some cases, are causing companies to go out of business all together. These companies are being attacked by foreign hackers who are stealing intellectual property. In fact, Major General Jonathan Shaw, the head of the Ministry of Defence's cyber security program, said that the greatest cyber threat to the UK isn't military but economic.
Cheri McGuire, vice president of Global Government Affairs and Cybersecurity Policy at Symantec, said in a release:
We recognize that most small business owners are focused on running their businesses, and have limited resources and IT staff dedicated to managing their cyber security needs. Unfortunately, cyber criminals are increasingly making small businesses their targets, knowing they are likely to have fewer safeguards in place to protect themselves. It's important for small businesses to educate their employees on the latest threats and what they can do to combat them. Education, combined with investment in reliable security solutions, provides small business owners with a well-rounded approach to protecting their businesses and managing cyber risk.
It's important to educate employees, but I would add that small business owners also need to educate themselves on exactly what cyber security really means and what it really takes. Thinking you are secure doesn't make it so.