A new study from Symantec finds that while small and midsize businesses are acutely aware of today’s security risks, a large number have yet to take even the basic steps needed to protect themselves. Further, the study shows that simple protection measures could have prevented many of the security breaches reported by these companies.
According to the study, based on surveys of 1,425 SMBs worldwide (defined as companies with 10 to 500 employees) in the first quarter of 2009, the lack of a dedicated IT staff and tight budgets were the main reasons for the lack of action. Respondents also cited a lack of employee skills as a top barrier to security.
The study finds that SMBs have no illusions about today’s risks. Asked how concerned they were about a wide range of security issues, from spam to data breaches to insider attacks, respondents consistently described themselves as “extremely” or “somewhat” concerned.
So what does it mean to say that SMBs have yet to take the basic steps to protect themselves? According to the study:
- 59% of respondents said they have no endpoint protection (i.e., software that combines antivirus with advanced threat protection technologies such as desktop firewall and intrusion prevention for laptops, desktops, and servers).
- 47% do not back up their desktop PCs, leaving their important information at risk.
- 33% lack even basic antivirus protection.
What were the leading causes of the security breaches that these SMBs experienced? The reasons most frequently cited were:
- system failure
- a lost or stolen laptop, smartphone, or PDA
- human error
- the loss or theft of backup tapes or devices containing sensitive data
- the use of improper or out-of-date security solutions.
Looking ahead, half of the respondents said they plan to increase their IT security and storage spending in the next 12 months even in these tough economic times, while 41% said their budgets would remain the same.
What we find with a good number of our clients is the unwillingness to do anything different. They have the same level of network security they had 10 years ago because they haven’t made any changes in the way they think about network security.
They don’t want to remember a password other than the one they have used for 10 years. Sometimes, they don’t want to type in a password at all. I am often asked, “Can you just make it so that I don’t have a password?”
They don’t want to force everyone to store their data on the server. They don’t want to limit access to social media websites. They don’t want to stop music and picture downloads. They don’t have a problem with iPods being downloaded to desktops, etc.
I have never seen employees with so many liberties with their employers’ computer systems and network.
The other half of the equation is always budget. Unfortunately, it costs a little to be safe and secure. Actually, it costs each month to be safe and secure. Network security is not a one-time purchase, because the enemy is constantly evolving and improving their tactics.
We invest in locks, safety deposit boxes, alarm systems, and surveillance systems, but we have trouble investing in network security. We send our employees to safety training classes to keep them safe, but we will not invest in keeping our employees’ and customers’ data safe.
So why the aversion to network security? It is actually very cheap (compared to a security recovery attempt).
Network security is not as expensive as it may sound. Sure, there are high-end, military-grade security measures, but you don’t have the budget for that. We understand; as an SMB ourselves, we don’t have the budget for that either.
Our goal is to get our clients on a plan to be more secure, one yearly budget at a time. We don’t expect a network security budget of $500 a month, just a modest $150 or so to acquire a few new tools and new technology to help keep the network safe.
What can you possibly do for $150 a month?
Glad you asked. For $150 a month you can get a gateway security appliance that scans for viruses, spyware, spam, intrusions, and other nasties. This level of protection is now a necessity for any business network. It is no longer sufficient to protect each computer individually. We need entire network protection as well.
The gateway security appliance sits right between your modem and your router. It scans all incoming and outgoing traffic and blocks the bad stuff. (Not to get too technical). It also has reports about web traffic for each user or workstation on the network. We can see who is working, and who is playing on Facebook. We can see who downloads the most music, and see who wastes time on non-work websites. We can even do fancy things like give each user a splash page reminding them of the company’s network policy each day or each week. We can even force them to “agree” before they can get online.
Want your company’s network to be safe? Then you have to invest in the tools to be safe. The investment in network security is much less than the cost of disaster recovery.
We still pick up new clients without a basic firewall/router from time to time. Sometimes nobody ever told them how exposed they were, but most of the time they know how exposed they are and think, “It won’t happen to me.”