SMBs Aware of Security Risks but Fail to Adequately Protect Data

SMBs understand security risks but most have not enacted basic safeguards

• 04/13/2009

Symantec has released the findings of its 2009 Storage and Security in SMBs survey. The study found that although SMBs are familiar with cyber risks and have clearly defined goals for security and storage, a surprisingly high number have yet to take even the most basic steps towards protecting their businesses, such as implementing antivirus or backing up their data. The study is based on surveys of 1,425 small and medium businesses in 17 countries during the first quarter of 2009.

The research shows that SMBs clearly understand the importance of security. Although they do rate viruses as their top security worry, more than 70 percent also say they are somewhat/extremely concerned about spam and data breaches. Respondents also report that protecting their information, network, and servers are their top goals (mentioned as somewhat/extremely important by at least 94 percent).

"Many small and midsized businesses are at a crossroads -- aware of the need to strengthen their IT security infrastructure but unsure how to do so with limited resources," said Kevin Murray, senior director, product marketing, Symantec. "As with their enterprise counterparts, security threats to small and midsized businesses are increasing in complexity, number, and frequency, and the volume of information they must protect and maintain continues to expand."

SMB Security Gap

Despite understanding the security risks they face, a surprising number of SMBs are neglecting basic safeguards. For example, three of five (59 percent) have not implemented endpoint protection (software that protects "end points" such as laptops, desktops, and servers against malware). Forty-two percent of SMBs do not have an anti-spam solution. Almost half do not back up their desktop PCs, leaving their important information at risk. Finally, one-third of SMBs do not have the most basic protection of all – anti-virus protection.

"Of course, SMBs know better, but they are too often focused on business opportunities outside the company to pay attention to the risks they are taking right at home," said Ray Boggs, vice president of SMB research at IDC. "SMBs operate in a world full of risk, but many are taking unnecessary chances by failing to secure their data the way they should."

According to the study, when SMBs do suffer IT loss, it is likely to be in an area where basic protection measures could have prevented loss. For example, the leading cause of loss reported by SMBs was "system breakdown or hardware failure." Installing desktop and server backup solutions is an easy task and would have provided excellent protection against losses from such a problem.

Staffing and Budget Driving the Gap

The study reveals that staffing and budget are two key factors driving the SMB security gap. Forty-two percent of SMBs don't have a dedicated IT staff -- they either have no one managing their computers or they use staff members who have other jobs. In fact, the leading barrier to security cited by SMBs was a lack of employee skills (41 percent). SMBs also mention a lack of awareness of current threats (33 percent) and lack of time (28 percent) as chief barriers. Insufficient budgets are also a factor. The median IT security budget was just $4,500 per year.

In a sign that things may be improving, SMBs reported that IT budgets are trending upward. Fifty percent of respondents state they plan to increase IT security and storage spending in the next 12 months. Increasing IT security spending in a major recession is a strong sign that SMBs value IT security.

Symantec's survey was conducted in February 2009 by Applied Research. The study targeted 1,425 small and medium sized businesses (10-500 employees) located in 17 countries around the globe. There were 200 respondents in the United States. Worldwide the survey has a 95 percent confidence level with a margin of error of 2.6 percent.