SMBs Are Sitting Ducks for Cyber-Crime

A Webroot report says SMBs are a big chunk of the economy, have minimal IT staffs and don't understand the dangers.

How's this for a cyber-crime target: In most industrialized countries, SMBs make up 97 to 99 percent of all companies. Yet most of those small to midsize businesses have tiny IT groups, and most of those IT groups don't have security expertise—heck, they don't even have security policies to manage employees' personal use of work computers.

Those grim facts come from an Oct. 16 survey out of Webroot Software. For its latest quarterly State of Internet Security report, Webroot surveyed companies with five to 999 computers in six countries: Canada, France, Germany, Japan, the United Kingdom and the United States.

"SMB" is a fuzzy term. Each country has a slightly different definition of what constitutes a small or medium-size business. In some countries, an SMB has fewer than 1,000 employees, in some it's sub-500, and in others it's fewer than 100, according to Webroot. However, in general, companies with fewer than 1,000 employees form a large chunk of many countries' economies. In the United States, companies with fewer than 500 employees account for half of all private-sector workers, and SMBs produce half of the private, non-farm GDP (gross domestic product), the Boulder, Colo., company said. In the United Kingdom, SMBs account for almost 60 percent of all employment.

Webroot CEO Peter Watkins told eWEEK that SMBs are getting hit hard by cyber-crime—unsurprising, given the scant IT coverage they have in-house. "When you look at some individual statistics about the number of people they have devoted to areas like IT, it's amazingly small," he said. "[Thirty-one percent] of small businesses have two to three people or less devoted to IT."

We're not talking dry-cleaning shops or bodegas that have no real reason to be online, either. Webroot found that some 50 percent of SMBs engage in some kind of online payment transaction.

"Given that so many [SMBs] are online and dependent on the Internet, they face many of the same threats as the very largest organizations do. They're basically unprotected. Employee data, credit card transactions—they're extremely valuable, and far more likely [to be stolen from SMBs] because you don't have the resources larger organizations do to devote to this," Watkins said.



Despite their dependence on their online presence, and given the nature of attacks being made against them, SMBs have potentially dangerous misperceptions of what their vulnerabilities are.

Most SMBs rate viruses as being of particular concern, Webroot found. However, SMBs are at greater risk from spyware and Trojans. While these two classes of malware are among the most highly reported infections in Webroot's survey, fewer than 50 percent of respondents consider spyware a very or extremely serious threat.

Spyware may appear to be little more than a nuisance, but in reality it's a vector for stealthily implanting malware. Those who click ads in spam or even preview spam e-mail put themselves at risk of downloading spyware. Phishing can result in the theft of personal information such as credit cards, bank account numbers, PINs or Social Security numbers.

In its report, Webroot points to the 2006 Annual Report of the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center. According to that report, of all the fraudulent acts reported in 2006, 73.9 percent used e-mail as the mechanism of contact, and 36 percent used a Web page.

SMBs are worrying about the wrong things, Webroot maintains. The survey found that some 80 percent of U.S. SMBs rate employee errors, insider sabotage or data theft as very or extremely serious threats, yet 40 to 60 percent lack a policy or technology to restrict or monitor employees' personal use of work computers.
