According to the survey, 63% of small businesses were most concerned by viruses, 60% by trojans, 59% by data-stealing malware, followed, at 56%, by data leaks. Data leaks were defined as the intentional or unintentional disclosure of sensitive information outside the corporate network. Phishing scams and spam were of less concern to small businesses.
For its 2010 Corporate End User Study, Trend Micro surveyed 1600 corporate end users in the US, the UK, Germany, and Japan. The company defined a small business as a business with less than 500 employees in the US, the UK, and Germany, and less than 250 employees in Japan.
While data-stealing malware and data leaks were third and fourth on the survey, they are an increasing concern for small businesses, noted Dal Gemmell, senior global product marketing manager on the Trend Micro small business team. “As you would expect from a survey about security, viruses and trojans were ranked as the number one and number two concerns. But what we found was that these were closely followed by data-stealing malware and data leaks” as small business security concerns, Gemmell told Infosecurity. He said that data is an extremely valuable asset for small businesses, and data protection is key to their competitiveness in the marketplace.
The Trend Micro manager said that the majority of small businesses surveyed do not have data loss prevention policies in place and do not have data loss prevention training for employees. “The concern is that the training and awareness of data loss prevention is lagging”, he said.The survey found that small businesses are 23% less likely to have preventative data leak policies in place than large companies, according to a Trend Micro statement.
The biggest difference was found in Japan where 81% of large companies have data leak prevention policies in place compared to only 47% of small companies. For those businesses that have policies in place, employees in large companies are significantly more likely to have received training on data leak prevention than those in small companies.
Employees in large US companies are significantly more likely to indicate data leaks as a serious threat than those in smaller companies: 74% in large companies, 49% in small companies.
In the UK, 73% of employees from large companies say they are aware of confidential information compared to 63% from small companies. Also worth noting is that in every country, employees in larger companies are significantly more likely to agree that other employees have leaked data from within their organization.
The survey found that the most prevalent forms of IT protection against data stealing malware is installing security software, restricting internet access, and implementing security policies.
Around 21% of small business employees say that their IT departments can do a better job at protecting them on potential risks associated with data-stealing malware. In addition, 35% of employees in small companies indicated that their IT department could have done a better job educating them about data-stealing malware.
To prevent data loss, Gemmell recommended that small businesses train employees about the importance of data, the risks of data loss, and how to prevent it. This training needs to be done periodically to ensure its effectiveness.
Small businesses can also use technical solutions to reduce the risk of data loss. One step they can take is to make sure that their operating systems and applications do not have vulnerabilities or, if vulnerabilities are detected, patching them in a timely manner, he said. This is to prevent data-stealing malware from exploiting these vulnerabilities.
“What we saw in the first half of 2010…is that there were over 2500 common vulnerabilities and exposures that were recorded. There are a lot of vulnerabilities out there and cyber criminals are absolutely taking advantage of them to steal data”, Gemmell said.
Because of their tight IT security budgets, small businesses should look for security products that combine anti-virus, anti-malware, and data loss prevention. Gemmell stressed that the information security products should address the “common leaky points” in small businesses, such as email and USB devices. “Make sure that the product is able to prevent data loss from those leaky points,” he said.