Report: SMBs Lack Sufficient Security Standards

A survey of small to midsize businesses conducted by security firm Symantec found that while SMBs are familiar with cyber-risks and have clearly defined goals for security and storage, a surprisingly high number have yet to take even the most basic steps toward protecting their businesses, such as implementing anti-virus or backing up their data.

The study is based on surveys of 1,425 small and medium businesses in 17 countries during the first quarter of 2009.

The research shows that SMBs understand the importance of security. While they do rate viruses as their top security worry, more than 70 percent also say they are somewhat or extremely concerned about spam and data breaches. Respondents also report that protecting their information, network and servers are their top goals (mentioned as somewhat or extremely important by at least 94 percent).

"Many small and midsized businesses are at a crossroads-aware of the need to strengthen their IT security infrastructure but unsure how to do so with limited resources," said Symantec's senior director of product marketing, Kevin Murray. "As with their enterprise counterparts, security threats to small and midsized businesses are increasing in complexity, number and frequency, and the volume of information they must protect and maintain continues to expand."

Despite understanding the security risks they face, the study found a large number of SMBs are neglecting basic safeguards. For example, three of five (59 percent) have not implemented endpoint protection (software that protects "endpoints" such as laptops, desktops and servers against malware). Forty-two percent of SMBs do not have an anti-spam solution. Almost half do not back up their desktop PCs, leaving their important information at risk. Finally, one-third of SMBs do not have the most basic protection of all-anti-virus protection.

Ray Boggs, vice president of SMB research at IDC, says midmarket companies know better, but they are too often focused on business opportunities outside the company to pay attention to the risks they are taking right at home. "SMBs operate in a world full of risk, but many are taking unnecessary chances by failing to secure their data the way they should," he said.

Staffing and budget are two key factors driving the SMB security gap. Forty-two percent of SMBs don't have a dedicated IT staff. The leading barrier to security cited by SMBs was a lack of employee skills (41 percent). SMBs also mention a lack of awareness of current threats (33 percent) and lack of time (28 percent) as major barriers. The survey also found insufficient budgets to be a factor-the median IT security budget was just $4,500 per year.

In addition, the survey revealed that when SMBs do suffer IT loss, it is likely to be in an area where basic protection measures could have prevented loss. For example, the leading cause of loss reported by SMBs was "system breakdown or hardware failure." Symantec suggests installing desktop and server backup solutions as a simple form of protection against losses from such a problem.