A majority of businesses do not have Internet usage policies that clarify which Websites and services employees can use.
The majority of small business owners believe Internet security is
critical to their success and that their companies are safe from
ever-increasing cyber-security threats even as many fail to take
fundamental precautions, according to a survey of U.S. small businesses
sponsored by Symantec and the National Cyber Security Alliance and
conducted by Zogby International.
The survey found that two-thirds (67 percent) of U.S. small
businesses have become more dependent on the Internet in the last year
and 66 percent are dependent on the network for their day-to-day
operations. What's more, 57 percent of firms say that a loss of
Internet access for 48 hours would be disruptive to their business and
38 percent said it would be "extremely disruptive," and 76 percent say
that most of their employees use the Internet daily.
The vast majority of small business owners think their company is
cyber-secure as 85 percent of respondents said their company is safe
from hackers, viruses, malware or a cyber-security breach and seven in
10 believe Internet security is critical to their business' success.
Additionally, a majority (57 percent) of small businesses believe that
having a strong cyber-security and online safety posture is good for
their company's brand.
Yet a closer look reveals that most small businesses lack sufficient
cyber-security policies and training. Seventy-seven percent said they
do not have a formal written Internet security policy for employees and
of those, 49 percent reported that they do not even have an informal
policy. More small business owners also said they do not provide
Internet safety training to their employees than said they do - to a
tune of 45 percent versus 37 percent. A majority of businesses (56
percent) do not have Internet usage policies that clarify what Websites
and Web services employees can use and only 52 percent have a plan in
place for keeping their business cyber-secure.
At the same time, small businesses may not understand how to respond
to online threats or the danger they pose. For example, 40 percent of
small businesses say that if their business suffered a data breach or
loss of customer or employee information, credit card information or
intellectual property, their business does not have a contingency plan
outlining procedures for responding and reporting it. Two-fifths (43
percent) also say they do not let their customers and
partners/suppliers know what they do to protect their information.
The respondents' sense of security seems especially unwarranted
given that 40 percent of all targeted cyber-attacks are directed at
companies with less than 500 employees, according to Symantec data. In
2010, the average annual cost of cyber-attacks to small and midsize
business was $188,242. What's more, statistics show that roughly 60
percent of small businesses will close up within six months of a
cyber-attack. According to the Norton Cybercrime Report, the total cost
of cyber-crime to consumers and small business owners alike, is greater
than $114 billion annually.
"We recognize that most small business owners are focused on running
their businesses, and have limited resources and IT staff dedicated to
managing their cyber-security needs. Unfortunately, cyber criminals are
increasingly making small businesses their targets, knowing they are
likely to have fewer safeguards in place to protect themselves," said
Cheri McGuire, vice president of global government affairs and
cyber-security policy at Symantec. "It's important for small businesses
to educate their employees on the latest threats and what they can do
to combat them. Education, combined with investment in reliable
security solutions, provides small business owners with a well-rounded
approach to protecting their businesses and managing cyber-risk."
The survey also found that 69 percent of their businesses handle
customer data while about half (49 percent) handle financial records,
one-third (34 percent) handle credit card information, one quarter (23
percent) have their own intellectual property, and one in five (18
percent) handled intellectual property belonging to others outside
When asked to rank the top concern of small business owners while
their employees are on the Internet, 32 percent reported viruses, 17
percent spyware/malware and 10 percent reported loss of data. Yet only
8 percent are concerned about loss of customer information, 4 percent
about loss of intellectual property and only one percent worry about
loss of employee data, even though cyber-security experts believe the
loss of any of this kind of information would be devastating to a
Overall, cyber-vulnerabilities and threats are steadily on the rise,
according to the "Symantec Internet Security Threat Report, Trends for
2010," the latest version of the company's annual cyber-security study.
For example, the report found a 9 percent increase in Web-based
attacks. Smartphones and other mobile devices are also poised to play a
large role with a sharp 42 percent rise last year in the number of
reported security vulnerabilities, according to Symantec's 2010 report.
In addition to struggling with the basics, many small businesses are
failing to keep up with the increasing adoption of mobile and social
media platforms. Just 37 percent of U.S. small businesses have an
employee policy or guidelines in place for remote use of company
information on mobile devices and just over one in three (36 percent)
maintains a policy for employees' use of social media.
Experts say that strong password protections, protecting USB devices
and wireless networks matter to a firm's security posture. Yet, a
majority of firms (59 percent) do not use multifactor authentication
(more than a password and log-on) to access any of their networks. Only
half reported they completely wipe data off their machines before they
dispose of them, and 21 percent never do.
Nathan Eddy is Associate Editor, Midmarket, at eWEEK.com. Before joining eWEEK.com, Nate was a writer with ChannelWeb and he served as an editor at FierceMarkets. He is a graduate of the Medill School of Journalism at Northwestern University.