The Symantec SMB Information Protection Survey is based on interviews with 2,152 small- and medium-sized businesses (SMBs) in 28 countries employing between 10 and 499 people. One of the survey's main conclusions is that information security has become a much higher priority since a similar survey was done a year ago. The poll included 360 businesses from Europe, 53 of which were from the U.K.
The survey found that SMBs in Europe are now taking information security and cybercrime protection more seriously, with 67% citing data loss as an important risk to their organisation, and 60% citing cyberattacks, compared to only 24% for natural disasters.
While this represents an increase in information security awareness from the 2009 findings, when a third of companies did not have antivirus protection, the survey still exposes some clear vulnerabilities. For example, in Europe, only 28% password-protect their smartphones, and only 18% rate their disaster preparation as 'pretty good' or 'excellent'.
Cyberattacks were experienced by 77% of the European firms interviewed, and the average financial impact of attacks amounted to £202,000, according to the survey. The costs included downtime, loss of business and reputation, plus the theft of data.
The loss of mobile devices is becoming a concern for European businesses -- 71% reported a loss in the last year -- and 69% said they now password-protect their Windows laptops.
Nearly half (47%) of them said they had experienced a loss of confidential data, and of these, 57% said the data had been stolen rather than lost through accident.
Ross Walker, who runs Symantec's small business operation in the U.K., said: "The security industry has put in a lot of effort over the last two years to inform small business leaders of the importance of protecting themselves from cybercrime." He said the next stage of the education process is to get businesses to develop and enforce security policies, so that access to confidential data is more tightly controlled.
"In small businesses, people can often have access to a wide range of data because there is no policy enforcement. Companies often overlook the dangers of insider data theft," he said. "Cybercrime has no preference for size of organisation, and that's why small businesses need to be more aware and acknowledge the threats. We now need to help them enforce policies and procedures to ensure they can take protection a step further."
The figures are generally in line with the Information Security Breaches Survey 2010 (ISBS), which was published in April and which tracks security trends in the U.K. The ISBS also showed a higher level of basic protection being applied in small businesses. For instance, 67% have a formally documented information security policy, and 68% provide security awareness training to employees.
But with increased reliance on IT, greater threats on the Internet and the proliferation of new technologies such as wireless networks and mobile computers, the ISBS also uncovered higher levels of security incidents, with 74% of small companies reporting a malicious security incident. It found that the average cost of a small company's worst incident was between £27,500 and £55,000.