Over half of medium-sized firms that do business on the internet lack even basic online security measures, according to the Confederation of British Industry.
The shock finding has prompted the CBI to launch Securing Value in the Online World, a security guide for small and medium-sized businesses to help enable them to protect their networks from online attacks.
The CBI said medium-sized firms were not only leaving themselves vulnerable to online attacks but putting other businesses in the supply chain at risk.
A recent CBI survey found that 60% of medium-sized firms engaged with their suppliers, partners or clients online. But over half (52%) of these firms had no online security planning in place to address threats and deal with actual attacks.
The CBI said small firms fared little better, but pointed out that, because medium-sized companies are more likely to integrate their systems with large firms as well as trade with smaller ones, they pose a major potential security threat to the supply chain.
The CBI guide includes advice on how to deal with online attacks, viruses and cybercrime in the supply chain.
The publication is supported by the DTI and Ernst & Young. John Cridland, CBI deputy director-general, said, “The internet is a business opportunity that many firms are seizing with both hands. So, it is a serious concern that so many medium-sized firms are leaving themselves and others open to online attack and abuse.”
He said, “These firms account for over half of UK company turnover and are large enough to win contracts with big business. But large firms expect to be able to do their online business securely.”
Cridland said that while medium-sized firms cannot afford extensive IT systems, there were straightforward measures firms could take to protect themselves and their customers.
Consisting of easy-to-use modules and toolkits, the guide shows companies examples of how to address real-life problems.
These include disruption to company systems and networks, theft of business information, hacking, spam e-mails, phishing attacks and illicit use of company systems.