Small businesses (SMBs) are increasingly becoming the target of cyber criminal operations, as most do not have the resources or expertise at their disposal to protect proprietary information and client data, yet the majority of small businesses in the U.S. are under the assumption they are protected from cybersecurity threats, according to new research.
The National Cyber Security Alliance’s 2012 National Small Business Study surveyed 1,015 companies with less than 250 employees and reveals that while 77% of SMBs believe they currently have effective safeguards to protect their systems from hackers and malware, 83% acknowledge that they have no formal cybersecurity policies or contingency plans in place to deal with a data loss event.
The study was prepared by the NCSA as part of National Cyber Security Awareness Month in an effort to bring greater awareness to the risks from a data breach or an interruption in business continuity faced by SMBs, many of whom falsely believe they are either immune to widespread threats or are simply to small to be a target.
“Interestingly, the findings are at first glance both contradictory and reassuringly consistent,” security expert Danny Lieberman told Security Bistro.
“SMB owners are no different from other businesses who are under conditions of risk. The attitude revealed in the study is predicted by the Prospect Theory which describes a general pattern among executives related to the risk of data loss by simply ignoring it. Here we see that it is the relative position of the business and not the absolute value of the assets when contrasting the psychology of a CEO of bank with $50M at risk who fees secure compared to a small business owner with $5000 at risk feeling secure,” Lieberman said.
The result is that many small business leaders believe they are at less risk of exposure because they feel they are less attractive targets for cybercriminals than their larger counterparts, regardless of trends to the contrary.
The notion that SMBs are operating under a false sense of security is backed up by the study’s findings which revealed that 66% of SMBs “are not concerned about cyber threats”, and that 86% of respondents stated that they are “satisfied with the amount of security they provide to protect customer or employee data” even though 87% surveyed “do not have a formal written Internet security policy.”
The study also revealed that newer companies are more likely to take data security seriously, with those established after 2008 being 20 percent more likely to have policies in place to address data loss vulnerabilities.
The NCSA urges small businesses to proactively address risks by implementing strategic data classification measures, developing incident response plans, and increasing employee awareness efforts regarding the use of strong passwords and exercising caution in the use of social media.
“We want U.S. small businesses to understand they cannot completely remain safe from cyber threats if they do not take the necessary precautions. A data breach or hacking incident can really harm SMBs and unfortunately lead to a lack of trust from consumers, partners and suppliers. Small businesses must make plans to protect their businesses from cyber threats and help employees stay safe online,” said executive director of the National Cyber Security Alliance Michael Kaiser.