Small Companies Lax About Computer Security, Report Finds

Some small and medium-size businesses don't seem that concerned about potential hacks

Large companies are valuable targets for cyber criminals, but what about the small fry? Software security firm McAfee took a gauge of opinions, finding that some small and medium-size businesses don't seem that concerned about potential hacks. At least that's what its recent survey suggested.

The results were collected from telephone interviews of officials at small companies, which were defined as having fewer than 1,000 employees. McAfee surveyed at least 500 respondents at U.S. and Canadian firms.

The report said that 45 percent of those surveyed didn't think their enterprise environment was threatened by cybercriminals. What's more, at least 250 of the IT pros who picked up the horn and answered McAfee's survey questions believed their company didn't have the big brand name to attract hackers.

"For businesses of all sizes, viruses, hacker intrusions, spyware and spam can lead to lost or stolen data, computer downtime, decreased productivity, compliance issues, lost sales and even loss of reputation," stated Darrell Rodenbaugh, senior vice president of the mid-market segment at McAfee, in a press release accompanying the report. "Just because a business is small does not mean it is immune to security threats."

The report added that 35 percent of respondents weren't even concerned about attacks, but about 34 percent said they'd been attacked at least four times in the past three years.

Defining Security

Every other week, month, or quarter, the reports pile up, chronicling inside jobs, the proliferation of malware and a general apathy among many IT managers and staffers toward computer security. Critics of such reports might say that they come from vested interests that just publish alarming numbers to sell security solutions.

Not so, says Christian Phillips, head of security for the Regulus Group, a remittance and general business-process outsourcing company for several Fortune 500 companies. He added that many of these studies have demonstrated a noticeable pattern.

"Security is job one when you're defining a business strategy," Phillips said. "It's not just a reactionary tactic or something to get proactive about when there are threats, but a necessity."

When a peer company is attacked, it's an "issue." However, when your enterprise is attacked, it's a "problem," security experts say.

Threats of All Kinds

New threats emerge every day. Just last week, commercial air carriers Delta and Northwest warned customers about bogus e-mails posing as airline ticket invoices, which might contain malicious code, spyware and malware. The airlines urged potential customers and anyone getting such spam to delete the messages without opening them.

Craig Schmugar, a researcher at McAfee, confirmed the threat in the software company's blog. The e-mails are said to look like authentic correspondence from the airlines and even provide a screen that looks like a log-in interface asking for a username and password. The message typically says that the user's credit card has been charged by an amount, usually in the $400 range. There is even an attachment claiming to be the invoice for the ticket and credit card charge.

With larger DNS threats in the offing, taking control of security measures makes sense, according to Andrew Storms, director of security at San Francisco-based nCircle.

"For those of us who breathe infosec every day, it's a no-brainer to devote resources into the remediation and risk-reduction strategies surrounding threats," Storms said. "It should be a no-brainer to people in IT circles everywhere and outside of IT at the executive level."

If you have a computer and it processes critical information, "secure your network, period," Storms added.

-- Jabulani Leffall