‘It won’t happen to us’ is SMB’s attitude toward security

The optimism bias, the belief that bad things only happen to other people, seems to be alive and kicking within UK small- and medium-sized businesses (SMBs). That is the disturbing conclusion that can be drawn from a new report published today.

That belief flies in the face of reality, according to the new survey undertaken by the Ponemon Institute and commissioned by Faronics. Fifty-four percent of the respondents have experienced at least one data breach in the last year; and almost one in five have suffered more than four. But what worries Faronics is that the remaining 46% of SMBs seem to demonstrate a real lack of awareness of the financial and long-term damage that a breach can inflict on a company.

One of the problems, Faronics’ VP of product management, Dmitry Shesterin, told Infosecurity, is that “SMBs have a huge perception gap. People don’t usually pay attention until it’s too late and they have to pay the consequence – which is the core finding of the research in the UK.” Shesterin partially blames it on what he calls the FUD (fear, uncertainty and doubt) marketing of the security industry: users get astronomical figures on the cost of cybercrime from all sides, “and people just don’t believe it.” SMBs have difficulty rationalizing the warnings of £1 million cost for a single breach when their turnover is not much greater than that. But the research shows, he added, that breaches happen everywhere, “and it’s just a matter of time before it happens.”

What is surprising, he noted, is that despite (or possibly because of) all this FUD marketing, many of the SMBs don’t even use anti-virus software, which has been the first line of basic security for decades. FUD, it would seem, has had a negative effect: numbing SMBs against security precautions “and opening them up to attacks.”

Traditionally there are three reasons for the lack of security within SMBs: cost (security systems are too expensive to justify); capability (SMBs simply don’t have specialist infosecurity staff); and availability (most security systems target larger corporates rather than smaller SMBs). But, “the main reason I see,” suggested Shesterin, “genuinely and honestly, they do not care – they concentrate on business. The first thing that really jumps at me is that the SMB’s modus operandi for security is that it simply wants to be faster than the slowest person running from the bear.” So long as an SMB has minimal security, the attackers will go for the company with less security. “IT security is a necessary evil that needs to be done, but as cheaply and unobtrusively as possible – and primarily for regulatory reasons.”

A second problem that concerns Shesterin is that within SMBs it is not the IT department – nor any particular security understanding – that drives the security posture. “IT departments usually do security to get their CEO or CFO off their back. It’s not their own priority – they just do what they’re told. And they’re often told what to do because the business owner went to a trade show or has been talking to someone who is doing something and decides he should do it as well.” The implication is that what little security is done by SMBs is not necessarily the best security available.

The fact remains, however, that despite this head-in-the-sand approach by many SMBs, those same companies will be breached sooner or later – and possibly very soon. While disbelieving the FUD of some companies, SMBs are also ignoring the genuine costs of a security breach. The Ponemon research showed that the average cost of a breach to the SMB is nearly £150,000, and that it takes more than nine months to get back to normal.

“There really is no room for nonchalance when it comes to security strategies and it is completely irresponsible to assume the repercussions will be anything less than they are,” continued Shesterin. “Organizations need to know exactly what is at stake in order to readdress existing security practices and ensure they are as well protected as they can be.”



This article was originally posted on http://www.infosecurity-magazine.com
