For online business security, size doesn’t matter
by Alan Zisman (c) 2008
First published in Business in Vancouver September 9-15, 2008; issue 985
High Tech Office column
Denial ain’t just a river in Egypt. OK, that’s an old joke, but a recent study sponsored by security vendor McAfee suggests that too many small and mid-sized businesses are in denial about online security and how it – or the lack of it – can affect their business.
The survey talked to 500 IT “decision makers” from U.S. and Canadian businesses with between two and 1,000 employees. They reported that 21% of their companies had suffered a cyber-security attack, with nearly a third of those reporting three or more attacks in the past three years. These attacks ranged from computer viruses, hacker intrusions, spyware and spam to data theft.
Over a quarter of those attacked were knocked off-line for a week or more as a result. (Canadian businesses were more seriously affected: 36% required a week or more to recover from the attacks.)
Despite this, 35% were not concerned about being a target of cybercrime and nearly half (44%) felt that their businesses were too small to be the target of cyber-attacks, that this was an issue for larger corporations. Similar percentages reported believing that they “are not a valuable target” for cyber criminals, that they’re not well-known enough to be specifically targeted.
Rick Jackson, director of McAfee’s small-business unit, notes that virtually any size of business has “some stored records of confidential customer and employee information that would be of use to a cyber criminal, especially to commit crimes like identity theft.” And like home computers, small-business computers are being infested in order to turn them into spam-transmitting “zombies.”
Nearly all (92%) reported that online access is important to running their business, and a fifth of the respondents recognized that a successful attack could put them out of business, but nearly half of the IT staff polled were able to spend only an hour a week on proactive security. Half simply accepted default settings on their IT equipment. Jackson points out that “using default settings gives a false sense of security ... these settings are freely available so it doesn’t take long to infiltrate a business’ systems and networks.”
And while 88% of those surveyed felt that they were adequately protected, more than a fifth had “little or no” security protection.
McAfee vice-president Darrell Rodenbaugh suggests that despite the beliefs of the people polled, size does matter: “a smaller business is just as vulnerable as larger enterprises to attacks from cyber criminals.” McAfee points to other surveys concluding that in 2007, U.S. companies lost an average of $350,000 to “cyber security incidents,” double the average losses reported in 2006.
Size does affect the cost to businesses of being knocked off-line, however. Small companies averaged $30,000 loss of income, mid-sized businesses reported losing an average of $225,000, while large companies lost roughly $30 million each, Rodenbaugh noted.
An Infonetics Research report (“The Cost of Network Security Attacks: North America 2007”) reported that at small and mid-sized businesses, spyware accounted for about 40% of downtime, with malware infecting servers also a big problem.
Jeff Green of McAfee’s Avert Labs suggests attacks against high-profile targets are becoming less frequent, because they’re more quickly detected. Instead, cyber attackers regard smaller businesses as “easy pickings” and are increasingly targeting them. Green predicts that there will be more attacks using VoIP (voice-over-Internet protocol or Internet telephony) with Web 2.0 and social networking applications like Facebook being attacked as back doors into business networks.
McAfee recognizes that smaller businesses are often unable to devote a dedicated IT person to security issues. It suggests, however, that increasingly these sorts of issues are business-critical for small and mid-sized businesses.