“Small and midsized businesses (SMBs) have a reputation of being somewhat lax when it comes to information protection… That’s why the Symantec 2010 SMB Information Protection Survey is so surprising. It turns out that in the last 15 months, SMBs have become extremely aware of and focused on information protection.”

So opens the latest research report from Symantec. It’s one I find a little hard to accept, because many of its claims simply don’t ring true. The interpretation of the statistics is also unconvincing, to say the least: a claim that 42% of businesses have lost confidential or proprietary information in the past is immediately followed by a pie chart showing that two thirds have not.

When I read on, I find that around a third of SMBs claim to be extremely skilled in computer security and that they spend more money on security, back-up and DR than on general computing. They also lose on average two dozen laptops a year, and experience hundreds of individual security incidents each year, yet most claim never to have lost any confidential or proprietary data. Around half don’t have a written DR plan, yet more than half claim to test it at least twice a year.

Is this really typical of small and midsized businesses?

> Is this really typical of small and midsized businesses?
>
> No, it's typical of security vendor marketing blurb parading as surveys. Most SMBs I know of are far too busy working hard on their core business to be concerned about IT, let alone infosec. They often don't even have IT professionals on the team, relying on IT vendors to supply and maintain their equipment and software. They don't see IT as a source of competitive advantage, so much as a pain in the butt - something that is too complicated, too difficult, too unreliable and generally too much like hard work when there are simpler and more important things to worry about, such as cash flow and profit.
>
> It's a different world to Shell & the Post Office. In SMBs, the few employees have to be jacks of all trades and masters of some. They mostly "get by" and "get on with it". Many have a hand-to-mouth existence, deliberately living on a subsistence income in order to pump all spare resources back into growing the business, creating a brand and finding their Unique Selling Points. Some are struggling or failing businesses who can barely make ends meet and worry about liabilities and tax.
>
> Information security seems unlikely to hit their radar screens, except maybe (hopefully!) for the most basic level of antivirus, firewalls and backups. Patching is likely to be a nice-to-have. Contingency planning likewise.
>
> I must admit I'm in a glass house, being an SMB owner with many of these failings, despite being in the infosec business. Must stop chucking stones and go fix things ...
>
> Kind regards,
> Gary
>
> PS Thanks for writing "Managing the Human Factor" David - a great source of inspiration for our latest security awareness module.