Earlier this year, the Department for Business, Innovation and Skills (BIS) reported that 93% of large businesses fell prey to a cyberattack in 2012.
Similarly, small and medium-size businesses (SMBs) also suffered, with 87% being targeted - up 10% from the previous year.
Now, the reasons why SMBs are at risk has been examined in detail in a recent Sophos-sponsored report by the Ponemon Institute.
The report - The Risk of an Uncertain Security Strategy - surveyed over 2,000 IT security managers within organisations employing up to 5,000 people.
Given the job roles of the respondents, some of the findings are quite staggering with 44% of those surveyed saying that a strong security policy is not a priority and 58% claiming that management do not see cyber attacks as a significant threat.
Other barriers to implementing an effective IT security strategy were also identified with 42%, unsurprisingly perhaps, citing a lack of budget as a large factor. Another major issue identified by the survey was a lack of skilled personnel.
Other findings in the Ponemon report are even more concerning.
Considering the fact that respondents in the survey are all responsible for managing the security function, I find it quite alarming that 1 in 3 admitted that they did not know whether their organisation had been subjected to a cyber attack in the last twelve months. Such a lack of knowledge would seem to suggest a deficiency either in the monitoring and reporting of incidents or with the IT management itself.
Also, the Ponemon Institute discovered that those in more senior positions seemed to have the least knowledge of the threats posed to their business, which is again a concern as they are likely to be the decision makers who would deem whether a particular threat should be a priority or not.
Interestingly, 31% of the individuals surveyed said that there was no particular person within their company with responsibility for making security decisions.
Another discovery was that SMBs struggle to assign a monetary value to information assets. If an organisation does not apply a cost to its assets then how can it determine their value and, hence, the appropriate level of security protection to apply to it?
The topic of mobile devices were of concern to the individuals surveyed, especially given the widespread adoption of BYOD which they reported. Many respondents said that their organisations are planning to invest in technologies to reduce BYOD risks as a result.
I was pleased to see that 51% of respondents did not equate regulatory compliance with a strong security position, given that remaining compliant shouldn't be the goal and rather should be a by-product of good security.
So what can SMBs do to improve their knowledge of cyber threats?
Sophos recommends the following:
- Proactive monitoring, detection and reporting on threats to enable quick and incisive decision making
- The establishment of mobile and BYOD policies
- Where in-house security resources are limited, better planning and adoption of cloud technologies, consultants and easily managed resources can help to free up the organisation's information security professionals
- Costing of information assets and downtime so that senior management can invest in cost effective solutions to protect them
- Working with the higher echelons of management within the business in such a way that they place a higher priority on cyber security