SMBs Not Aware, Neither Concerned About Security Threats: Symantec

Added 27th Jan 2012

Do small to midsize businesses (SMBs) think they’re somehow immune to security threats? It sure seems like it. 

If that sounds like Asterix, that’s the impression you could get from the results of a Symantec global survey that asked 1,900 SMB professionals responsible for IT what they know about security threats and how their companies prepare for them. 

While about half of all SMB managers who took the survey exhibited knowledge of threats such as keystroke logging, distributed denial of service (DDoS) attacks, website vulnerabilities and targeted attacks, exactly half—yes, a full 50 percent—indicated that they need not be concerned about any of it. “We are a small business and are not targets for these types of attacks,” seemed to be the consensus.

“They’re saying these things happen to other people, not them,” said Kevin Haley, director of Symantec security response, who admitted that he was surprised by some of the results of the SMB Threat Awareness Poll, which defines the SMB as between 5 and 499 employees in size.

Symantec, which sponsored the poll conducted by Applied Research, wanted to get a sense of how SMBs across the world and in many industries viewed security and how they combatted specific threats.

Here’s what they found: While their understanding of risks was apparent, much of the time SMBs saw their organizations as somehow exempt from actual attacks, which they view as a problem mainly for big corporations. They didn’t spend much time preparing for potential problems.

“Only 39 percent use anti-virus on every desktop,” Haley noted. “That’s striking right there.” He said malware, such as the banking Trojans used in cybercrime to compromise computers to make unauthorized funds transfers, is hitting smaller businesses. But SMBs see the news headlines that show the Stuxnet worm hitting nation states and hacktivist group Anonymous striking large companies, and they think, “That’s not me, I don’t need to worry about any of this.” They also don’t worry much about smartphones used in business being lost or stolen.

Or take this for example: Only 20 percent think that a targeted attack would drive customers away, 36 percent believe that hackers could gain access to proprietary information, and only 46 percent say that a targeted attack could cause revenue losses.  

Other startling results of the survey show that only 67 percent of the SMBs bothered to establish login and password restrictions for online banking purposes, and 63 percent didn’t lock down machines used in corporate banking.

SMBs vary widely in terms of the levels of expertise about security, Haley said, noting sometimes the individual in charge of security is also the person in charge of the phones. Sometimes it’s the business owner running the IT operations and security.

The IT security industry in general has long been subject to hand-wringing over SMBs, fretting about how to build products specialized to suit smaller businesses sensitive to price points. Setting up hardware and management have been particular barriers where IT departments may be small, too. But the tide may be starting to turn with the advent of cloud-based security services, which typically alleviate the need for on-premises equipment and are becoming more ubiquitous. Indeed, Gartner recently predicted that SMBs would be a big contributor to the growth of the security services market over the next three years.
