Ponemon: SMBs fail at security

Chris Gonsalves says smaller firms appear to be in denial about data breaches and the attack risk - suggesting the channel should be worried

The state of IT security in SMBs may be worse than previously thought, according to a new study that finds a majority are in deep denial about the risks of cyberattacks and the compromise of critical data.

The study, by the Ponemon Institute and sponsored by UK security vendor Sophos, found that 58 per cent of SMB IT decision makers surveyed do not see cyberattack as a significant risk to their business.

That attitude pervades even though IT security disruptions cost the 2,000 SMB survey respondents a combined average of $1,608,111 (£992,474) over the past year.

Perhaps most troubling, the Risk of an Uncertain Security Strategy study found that the more senior a manager was in their SMB organisation, the more likely they were to dismiss the seriousness of potential cyberthreats.

"The scale of cyberattack threats is growing every single day," said Sophos CTO Gerhard Eschelbeck. "Yet this research shows that many SMBs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture."

Almost half don't prioritise security

The study found that 44 per cent have failed to make security a priority, while 42 per cent were reluctant to spend enough to ensure adequate cyberprotections, and 33 per cent lacked sufficiently skilled staff. Many of the SMBs polled said they had no one dedicated to cybersecurity - typically leaving the responsibility to the CIO.

Eschelbeck said: "They cannot do everything on their own. As employees are demanding access to critical apps, systems and documents from a diverse range of mobile devices, it would appear security is often taking a back seat."

Might trends such as BYOD and cloud exacerbate the security problem? Seventy-seven per cent of respondents said cloud app use and IT infrastructure services would increase over the next year, yet a quarter indicated they don't know if that will affect security. Sixty-nine per cent said mobile access to business-critical applications will rise next year, although half believed this will weaken IT security.

"Small and mid-size organisations simply cannot afford to disregard security," said Larry Ponemon, president of the Ponemon Institute. "Without it, there is more chance that new technology will face cyberattack, which is likely to cost the business substantial amounts.

"CIOs are under pressure to implement new technology for agile and efficient ways of working, but this should not take precedence over security," Ponemon said. "The industry needs to recognise the potential dangers of not taking cybersecurity seriously and create support systems to improve SMB security postures."

In the poll, which covered the US, UK, Germany and Asia-Pacific, a third of respondents admitted they are not certain whether or not they have suffered a cyberattack in the past 12 months, while 42 per cent said their organisation had been attacked during that period.

Forty-four per cent said IT security is not a priority. As evidence, 42 per cent claimed their budget is too small for an effective security posture. Only 26 per cent of respondents said their IT staff have sufficient expertise around security.

Uncertainty about security and cyberthreat varies by industry: financial services respondents have more confidence in their security posture, and the technology sector is more security aware. Retail, education and media were the most doubtful about their organisation's security strategy and the related threats.

The Ponemon findings do indicate a continuing need for third-party security services providers and an imperative for the channel to educate SMBs about the seriousness of cybersecurity, particularly as they engage in BYOD and cloud initiatives.

As part of our special editorial relationship, CRN is republishing this article from Channelnomics