A surprisingly large number of small and midsize businesses appear to be either blissfully unaware of or uncaring about the online security threats they face, according to a survey conducted by security vendor McAfee.
In a report about the telephone survey of officials from 500 U.S. and Canadian companies with fewer than 1,000 employees each, McAfee said that nearly 45 percent of the respondents didn't see their businesses as being valuable targets for cybercriminals, while more than half felt their organizations simply weren't well-known enough to attract the attention of attackers. About 35 percent admitted to not being concerned about cybercrime even though another 20 percent said their companies had been victimized by online crime, and almost one-third of the latter group said they had been attacked at least four times over the past three years.
Perhaps the most surprising finding was that nearly 20 percent of the surveyed companies said they had no security protections at all in place against online threats. Yet 90 percent said they relied heavily on the Internet for their business, noted Darrell Rodenbaugh, senior vice president of McAfee's midmarket business unit.
Many SMBs "think cybercrime is an issue for larger companies," Rodenbaugh said. "They think larger companies make better targets because that's where the money is." But the reality is quite the opposite, he added.
"Our information says that cybercriminals prefer smaller organizations because they are more easily attacked," Rodenbaugh said. That's because smaller companies often have far less manpower and financial resources to invest in IT security than their larger counterparts do.
On average, smaller companies employ just one to two full-time workers to handle all of their IT functions, according to Rodenbaugh. So it isn't surprising, he said, that many SMBs don't have anyone dedicated to information security, or that they devote at most an hour per week to security efforts. And often, companies that think they have sufficient protections really don't, Rodenbaugh said. For instance, roughly half of the respondents who felt their companies had adequate security controls told McAfee that they trusted the default settings on their IT equipment.
For the most part, McAfee's findings are an accurate reflection of attitudes toward IT security in the SMB market, said Adam Hils, an analyst at consulting firm Gartner. He agreed that many small and midsize companies (which Gartner considers to be those with between 20 and 1,000 employees) indeed don't think of themselves as likely targets of cyberattacks.
The situation is both the result of a lack of awareness and "a desire to not have to spend on security until you have to," Hils said. "It's easy to convince yourself of something if that's what you want to believe." But like Rodenbaugh, he said that in actuality, SMBs are more likely to be targets of cybercriminals because their systems increasingly are seen as being easier to break into than the ones at larger companies are.
Hils said that as a percentage of their IT budgets, SMBs do tend to spend more on security than larger companies do: typically 5 percent to 10 percent, as opposed to between 3 percent and 6 percent at bigger businesses. Even so, he added, the actual dollar amounts that small and midsize companies invest in security often aren't enough to keep them secure. "Most of the time, they're playing catch-up," Hils said.
According to Hils, SMBs usually spend most of their security budgets on antivirus and firewall tools, while focusing less on equally important technologies like intrusion detection and identity management systems. SMBs also tend to prefer working with just one or two security vendors, from which they expect products that address a wide range of threats, he said. That's one of the reasons why so-called unified threat management, or UTM, technologies have been gaining so much attention among midmarket companies.