Small Businesses Fail to Address Security Threats: Ponemon

Forty-two percent of respondents said their organization had experienced a cyber-attack in the past 12 months.

Senior management in small and midsize business (SMBs) is failing to prioritize cyber-security, which is preventing them from establishing a strong IT security posture, potentially putting their organizations at risk because of uncertainty about the state of their security and threats faced from cyber-attacks.

The global survey from the Ponemon Institute and security firm Sophos found IT infrastructure and asset security incidences, as well as wider security related disruptions, have cost SMBs a combined average of $1,608,111 over the past 12 months.

Despite this, of the 2,000 respondents surveyed in the United States, United Kingdom, Germany and Asia-Pacific (Australia, India, China and Singapore), 58 percent confirmed that management does not see cyber-attacks as a significant risk to their business.

"The scale of cyber-attack threats is growing every single day," Gerhard Eschelbeck, CTO for Sophos, said in a statement. "Yet this research shows that many SMBs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture."

More worrying is the revelation that one-third of respondents said they were not certain if a cyber-attack has occurred in the past 12 months. Forty-two percent of respondents said their organization had experienced a cyber-attack in the past 12 months.

According to the research, there are three main challenges preventing the adoption of a strong security posture, including failure to prioritize security (44 percent), insufficient budget (42 percent) and a lack of in-house expertise (33 percent).

"Today in SMBs, the CIO is often the 'only information officer,' managing multiple and increasingly complex responsibilities within the business," Eschelbeck said. "However, these 'OIOs' can’t do everything on their own and as employees are demanding access to critical apps, systems and documents from a diverse range of mobile devices, it would appear security is often taking a back seat."

Respondents in more senior positions had the most uncertainty about the threats to their organizations, indicating that the more removed the individual is from dealing on a daily basis with security threats, the less informed they are about the seriousness of the situation and the need to make it a priority.

"Small and midsize organizations simply cannot afford to disregard security," Larry Ponemon, president of the Ponemon Institute, said in a statement. "Without it there’s more chance that new technology will face cyber-attacks, which is likely to cost the business substantial amounts. CIOs are under pressure to implement new technology that informs agile and efficient ways of working, but this should not take precedence over security. The industry needs to recognize the potential dangers of not taking cyber-security seriously and create support systems to improve SMB security postures."

More than three-quarters (77 percent) of respondents said the use of cloud applications and IT infrastructure services will increase or stay the same over the next year, yet a quarter of those surveyed indicated they did not know if this was likely to impact security.