Symantec survey reveals fundamental flaws in small businesses’ attitudes to security. Symantec Corp (Nasdaq: SYMC) has released pan-European research into small businesses’ attitudes to security. It reveals fundamental flaws and lapses across the board, despite an appearance of companies being security-conscious.
The survey reveals that British small businesses are among the most vulnerable, with 25 percent of UK respondents admitting that a recent security breach resulted in a tangible loss of business, and 13 percent citing a monetary loss as well.
These are higher figures than the European averages of 17 and eight percent respectively, and are an alarming statistic bearing in mind that the SMB market accounts for 47.1% of UK employment and 37.2% of turnover.
The research was conducted among 874 respondents in nine countries across Europe. The results show that while many are aware of ’common’ threats such as viruses (93 percent), spam (91 percent), spyware, worms and trojans (82 percent), significant numbers of respondents have inadequate measures in place to tackle potential security breaches caused by newer threats.
Emerging security threats such as "minnowing" and "whaling" are still unfamiliar to many small businesses, with 67 percent of UK respondents stating they were unfamiliar with the concept of minnowing, and 65 percent unfamiliar with whaling.
Symantec’s Guy Bunker explains minnowing and whaling in his security blog. Minnowing is a form of phishing at the lower end of the organization. This is where the cyber-criminal targets the people in departments such as Accounts Payable to get them to pay a fictitious bill.
Whaling is the opposite of minnowing, and is a form of phishing that is aimed specifically at senior company professionals at the top end of the organisation. Other new threats include botnets, rootkits, and pharming – a full list of definitions is available here.
The survey also shows that despite wide-scale educational efforts by the security industry, employees in British small businesses still do not realise that everyone within the company must take responsibility for ensuring a secure IT environment.
Results show that 43 percent thought that it is the sole duty of the IT Manager and 34 percent put this responsibility at the feet of the Managing Director, and did not take any initiative to remain vigilant.
When questioned on how the company sources its IT security solutions, only 41 percent of UK small businesses said they used a dedicated outsourced IT specialist company to manage this.
John Brigden, senior vice president at Symantec, points out that businesses rarely proactively deploy the correct infrastructure to cope with the changing threat landscape.
“Antivirus software and firewalls are vital foundations but, alone, aren’t enough to protect a business properly. Without comprehensive protection, small businesses can find themselves at significant risk,” Brigden says.
“With system downtime and loss of information being among the biggest threats to a business’s brand, customer loyalty and ultimately revenue generation, it is imperative that small businesses realise that simple and cost effective IT security can ensure they withstand even the most determined attempt to breach a company’s security,” he adds.
Mike Cherry, Home Affairs Chairman for the Federation of Small Businesses comments further, saying, “A security breach in any form, and on any scale, can impact a small business hugely, and the higher the awareness is of the need to protect against these threats, the safer the flourishing UK small business sector will be. Small businesses need to recognize that the information they hold about customers and partners is as valuable as any other asset ...”
A further concern to business owners across the UK is the reported 31 percent of respondents for whom mistakes by employees caused a system crash or information loss. Thirteen percent admitted this financially impacted their business.
“The reasons behind the lack of preparation were highlighted again when respondents were asked about the frequency with which they update the company’s IT security,” says Brigden.
He reports that while 42 percent do so daily, 15 percent do it weekly and six percent monthly. Fortunately only three percent update yearly and none of the British respondents did so only when the business was attacked, as opposed to the European figure of nine percent.
When questioned about the risks posed by modern IT systems and infrastructure, it was security with wireless infrastructure that kept IT managers most awake at night, with 72 percent admitting this was their prime cause of concern, followed by security with mobile phones (37 percent) and security with IP Telephony (26 percent).

The primary findings of Symantec's research are summarised below:

The cause
- 85% of respondents say they understand the common threats of viruses, spam, trojans, spyware and worms, but...
- Alarmingly 33% aren’t so aware of newer threats such as botnets, rootkits, pharming, whaling and minnowing
- This is reflected in the fact that most have antivirus (97%) software and firewalls (93%)
- Nearly one in three (29%) have no back-up and recovery, 65% have no encryption and 72% no vulnerability tools.
- 24% of respondents admitted that their security solutions did not cover all employees
- Two thirds of businesses with fewer than 100 employees have no dedicated IT Manager
- Less than half (47%) felt they had a secure environment in the business
- 26% didn’t think it mattered as they had never suffered from a major attack

The effect
- Almost a quarter (22%) had experienced an attack in the last year that had resulted in them losing data
- 41% of those who had experienced an attack blamed system breakdowns and security breaches, and 34% blamed employee mistakes
- 17% have experienced loss of business as a result of an IT attack
- 35% claim that new employees are not given instruction on company security policy
- 25% have no IT policy in place at all

The obstacles
- 23% claimed that money was an obstacle in creating a more secure environment
- 15% claimed security wasn’t deemed a priority for management, although 32 percent think the Managing Director is responsible for ensuring the company is securely protected
- A third (32%) claimed lack of time and sufficient knowledge was compromising their security
I have linked to this article from the "statistics" forum on my website - The Streetwise Security Zone at http://www.streetwise-security-zone.com - where small business managers collaborate and learn to improve their security, using limited budgets.