Despite awareness, SMB cybersecurity suffers from resource constraints

New research examining the cyber threat and data breach experiences of small and medium-sized businesses (SMBs) from The Ponemon Institute (sponsored by Faronics) has found that what organizations perceive to be threats are coalescing around a central theme: data control. As in, most businesses feel that there is a great lack of it. 

The top three threats to their organizations listed by US respondents included “proliferation of unstructured data” (69%), “unsecure third parties including cloud providers” (65%), and “not knowing where all sensitive data is located” (62%). UK respondents had a slightly different set of concerns: 62% believe “proliferation of end-user devices” is a key issue, as well as “lack of security protection across all devices” (cited by 56%) and “unsecure third parties including cloud providers” (53%). To boot, more than three quarters of respondents in both the US and UK (76% and 77%, respectively) consider check or credit card fraud either “likely” or “very likely.”

In other words, the cloud, mobile devices and the bring-your-own-device (BYOD) phenomenon, and an expansion in the sheer complexity and volume of the data landscape have SMBs concerned. However, the full scope of damage that could stem from a data breach appears to be misunderstood.

When queried about the impact of data breaches on their organizations, more than half of US and UK respondents cited the loss of time and productivity most frequently. Respondents in these regions also listed damage to their organizations’ brands second most frequently.

“This is the first study to investigate what smaller companies in North America are doing to prevent and detect cyber attacks,” said Larry Ponemon, chairman and founder of Ponemon Institute. “Results indicate that companies tend to seriously underestimate the potential damage to brand and reputation, revealing a great data breach perception gap. Misconceptions about the consequences associated with a data breach are preventing organizations from implementing the necessary financial tools, in-house expertise and technologies to achieve cyber readiness.”

Those organizations that have already experienced a data breach could serve as cautionary tales: 42% of US respondents and 38% in the UK said they “lost customers and business partners” as a result of data breaches. Meanwhile, 41% and 34% of US and UK respondents, respectively, experienced an increase in the “cost of new customer acquisition,” suggesting some amount of brand damage stemming from the breach. More to the point, 35% of US respondents and 31% of UK respondents “suffered a loss of reputation.” Productivity loss was much less of a consequence.

“Although organizations have become more aware of potential threats, they do not seem to accurately perceive the repercussions associated with data breaches,” said Dmitry Shesterin, vice president of product management at Faronics, whom Infosecurity interviewed in depth on the perception problem. “Findings indicate that organizations do not understand the full costs and damages they will suffer as a result of a data breach. These organizations need to become more proactive about their security programs in order to minimize the damage they will inevitably experience from one, if not more, data breach.”

SMBs were also found to be under-investing in security technologies in general, but the key issue appears to be a problem with resources rather than complacency – unsurprising among SMBs, which often run on very thin margins and without dedicated IT resources. A full 64% of US respondents and 75% of UK respondents cited “insufficient people resources” as a primary barrier to achieving effective security. Also, 62% of UK respondents consider “the complexity of compliance and regulatory requirements” as a key barrier, and 55% listed “lack of in-house skilled or expert personnel.”

Also, half of those surveyed in the US noted “lack of central accountability” and 41% listed “lack of monitoring and enforcement of end users.”

As for the aforementioned common belief that labels IT departments and management as too complacent with security and data protection, Faronics’ survey found otherwise among this group. Just 9% of US respondents and 4% in the UK admit “security is not taken seriously because our organization is not perceived as being vulnerable to attacks.”

Survey findings also uncovered that IT managers made security and data protection investment decisions based on their resource problems. The top selection criteria are ease of deployment and ongoing operations as well as low purchase costs.

The majority of respondents (73% in the US and 78% in the UK) seek products and solutions that enable easy deployment. UK-based teams further indicated the importance of minimal maintenance effort, with 62% listing the “ease of ongoing operations” as a key factor influencing security investments, followed by 58% seeking “low purchase cost” and 52% seeking low total cost of ownership (TCO). US teams indicated a greater concern with costs, as 65% of respondents listed “low purchase cost” as a primary influencer over the 60% who listed “ease of ongoing operations” and half who listed “low TCO.”

Among the data protection solutions respondents most frequently employ today, 65% of US and 75% of UK respondents employ firewalls and other perimeter security technologies. Thirty-six percent in the US and 53% in the UK turn to blacklisting and/or whitelisting tools to identify content with vulnerabilities. A significant plurality of IT teams relies on enforcing strict data policies, cited by one-third of US and 45% of UK respondents, the survey found.
