I’ve been writing about security for so long now that very little surprises me – except for this: The continued reluctance of small and medium-sized businesses (SMB) to accept that they are, and will be, targets for hackers and subject to many of the same types of security risks as larger enterprises.
A recent study conducted by Manta found small businesses lack basic security policies and practices, likely because the vast majority (87 percent) don’t think they are at risk of a data breach. Balancing out that number, the study found that 12 percent of respondents said they did experience a breach (and I’m going to assume that they weren’t part of that 87 percent).
The poll also revealed that one in three small businesses don’t have security systems in place to protect data. The most popular security tools used by small businesses are anti-virus software (with 17 percent saying they deploy it), firewalls (16 percent) and anti-malware software (14 percent). Only 10 percent use encryption, 11 percent have automatic software updates set up, and 6 percent use third-party security options.
One area where small business may have the edge on their larger counterparts is device control. This was another surprise to me, that 70 percent of respondents said they don’t allow BYOD use. Now, that’s a two-edged sword. Requiring employees to use only work-offered devices means that the internal IT department controls security and which devices are connecting to the business network. It also could be that these small businesses may not have much need for employees to be using personal devices for business purposes, as in a restaurant or neighborhood retail outlet. On the other hand, office personnel may be circumventing the no BYOD rule and using their own devices to get online outside of the workplace, not only putting data at risk with potentially unsecure devices but also without any oversight by IT departments. Who is ensuring that outside devices aren’t accessing data or the network?
I find it disheartening that we are still having this conversation about small businesses and security. Do SMBs need a wakeup call? Here’s one from Fast Company:
… an increasing number of ransomware attacks are being targeted at small businesses and startups, with ransoms ranging from $500 to $50,000. And the numbers are growing: Security firm Symantec estimates that the average ransom demanded in 2016 was $679, more than double the $295 demanded at the end of 2015.
And the article went on to say that the reason they are such lucrative targets is because of the lack of security operations. That’s something we’ve talked about in this space in the past, and something that was just defined in this Manta poll.
I’m not sure what can be done to convince small businesses that they are targets, and that even if they aren’t, insider threats and mistakes like lost devices can wreak their own havoc. But it is beyond time for SMBs to pay closer attention to their security and avoid becoming part of the statistic of businesses that close because they can’t recover from an incident – partly because they weren’t prepared in the first place.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba