“Although we often hear about cyber attacks on large businesses and institutions, a recent report shows the majority of these attacks are on small firms. Small businesses generally have fewer resources available to monitor and combat cyber threats, making them easy targets for expert criminals”, said Rep. Renee Ellmers (R-N.C.), chairwoman of the House Committee on Small Business subcommittee on healthcare and technology.
Ellmers’ panel examined the issue of small business and cybersecurity at a hearing held last week. Among those testifying was Michael Kaiser, executive director of the National Cyber Security Alliance (NCSA).
Kaiser told the panel that his organization conducted a survey of 1,045 small businesses in October with Symantec and Zogby. The survey found that 59% of small businesses did not require any multifactor authentication for access to their networks, 67% allowed the use of USB devices in the workplace, and 50% did not completely wipe data from their machines before disposal.
In addition, 77% of respondents did not have a formal written Internet security policy for employees; of those who did not have a formal policy, almost half did not have an informal policy either. A majority of respondents (56%) did not have Internet usage polices that clarify what websites and web services employees could use.
Almost two-thirds (63%) did not have policies regarding how their employees use social media; 40% did not have a privacy policy in place that their employees must comply with when they handle customer information; and almost half did not have a plan or strategic approach in place for keeping their business cyber secure.
Yet, cybersecurity is increasingly important to the value of the business, according to the survey. Seven in ten said that Internet security is critical to their business success, and 57% said that having a strong cybersecurity posture is good for their brand.