Most small business owners have a false sense of security that their data is safe from hackers, and many lack basic types of security protection. That’s the finding of a joint study by McAfee and Office Depot. The survey included over 1,000 small businesses, defined as having between 1 and 99 employees.
Two thirds (66%) of respondents said they were confident that their data and devices are secure and safe from hackers, with 77% saying that they have not been hacked. In fact, it’s likely that many who have been hacked don’t even know they were hacked, since these findings conflict with other industry research indicating these same businesses are prime targets of complex and evolving cyber threats. For instance, 72% of data breaches investigated by Verizon Communications’ forensic analysis unit were focused on companies with less than 100 employees.
“We still see in lots of different quarters that many smaller businesses don’t take security on their devices seriously,” said Doug Cooke, Director of Sales Engineering at McAfee Canada. “It’s always on security devices that they are more lax.”
Part of the problem, Cooke said, comes with the introduction of new technology.
“As we move into new techs, as people get new toys, two things happen,” he said. “It takes the industry some time to catch up, and it takes users some time to catch up. With Android for example, security tools aren’t as sophisticated. There is a real lag here.”
That lag is compounded by a specific negative effect of consumerization on commercial markets.
“The 1-99 segment is a fairly entrepreneurial environment, where top people tend to make decisions on everything even when they should get more expertise,” Cooke said. “They are familiar with consumer security from their home devices, so they may be more inclined just to protect their businesses with consumer level security.”
The results are at odds with industry research that has revealed these same businesses are prime targets of complex and evolving cyber threats.
“A key problem in small businesses is around management,” Cooke said. “Larger organizations understand they have to invest in this area, but having someone in a 20, 30 or 50 user organization to secure the environment properly is a dramatic challenge. They really need to bring in a value added reseller to give them that expertise, coming in for a few days a quarter.”
The changing nature of online threats also encourages small businesses to feel secure.
“There just isn’t as much publicity,” Cooke said. “In the past, there was news all day with things like the I Love You virus. There was a lot of publicity and the viruses were in your face. Now because the orientation is more directed at hacks, the malware writers are careful NOT to spread malware everywhere. If they put it out to a large segment of the network the AV vendors will detect them and they get caught, so they focus on a small target area.”
Some of the other metrics from the survey were alarming, although Cooke said not necessarily surprising. For instance, only 9% of small businesses use endpoint/mobile device security.
“I’m not surprised it’s that low,” he said. “There’s not much publicity around security there, and there are no major vendors involved in this. It’s not like Windows that way. Most people can’t even name a single mobile security vendor.”
The survey also found 80% of small businesses don’t use data protection, which is defined as hard disk encryption or USB encryption.
“That’s also not surprising because hard disk encryption is relatively hard to install,” Cooke said. “It’s a more complex environment than anti-virus.”
Less than half of small businesses use email security, although Cooke said the number there is rising.
“SaaS for email security is catching on very quickly,” he said. “Smaller companies should do this. It’s a simple way, compared to putting an appliance on their Exchange server.”
The survey also found that 45% of small businesses do not secure company data on employees’ personal devices, and that 14% of SMBs haven’t implemented any security measures at all.
“There is constant education we have to be doing to make it clear to these companies how quickly security moves,” Cooke concluded. “Companies use word processing software for years, but in security, companies reassess threat vectors on a quarterly basis. Small businesses need to look at this every 3-6 months on a regular basis. I tell smaller companies to work with a VAR on this, and invest in their consulting, but they hate to do this because they think it’s costly.”