Business-like, isn't he?



Business in Vancouver logo

    For online business security, size doesn’t matter

    by  Alan Zisman (c) 2008 First published in Business in Vancouver September 9-15, 2008; issue 985

    High Tech Office column;  
    Denial ain’t just a river in Egypt. OK, that’s an old joke, but a recent study
    sponsored by security vendor McAfee suggests that too many small and mid-sized
    businesses are in denial about online security and how it – or the lack of it – can
    affect their business.

    The survey talked to 500 IT “decision makers” from U.S. and Canadian businesses
    with between two and 1,000 employees. They reported that 21% of their
    companies had suffered a cyber-security attack, with nearly a third of those
    reporting three or more attacks in the past three years. These attacks ranged from
    computer viruses, hacker intrusions, spyware and spam to data theft.

    Over a quarter of those attacked were knocked off-line for a week or more as a
    result. (Canadian businesses were more seriously affected: 36% required a week
    or more to recover from the attacks.)

    Despite this, 35% were not concerned about being a target of cybercrime and
    nearly half (44%) felt that their businesses were too small to be the target of
    cyber-attacks, that this was an issue for larger corporations. Similar percentages
    reported believing that they “are not a valuable target” for cyber criminals, that
    they’re not well-known enough to be specifically targeted.

    Rick Jackson, director of McAfee’s small-business unit notes that virtually any size
    of business has “some stored records of confidential customer and employee
    information that would be of use to a cyber criminal, especially to commit crimes
    like identity theft.” And like home computers, small-business computers are being
    infested in order to turn them into spam-transmitting “zombies.”

    Nearly all (92%) reported that online access is important to running their business,
    and a fifth of the respondents recognized that a successful attack could put them
    out of business, but nearly half of the IT staff polled were able to spend only an
    hour a week on proactive security. Half simply accepted default settings on their IT
    equipment. Jackson points out that “using default settings gives a false sense of
    security ... these settings are freely available so it doesn’t take long to infiltrate a
    business’ systems and networks.”

    And while 88% surveyed felt that were adequately protected, more than a fifth
    had “little or no” security protection.

    McAfee vice-president Darrell Rodenbaugh suggests that despite the beliefs of the
    people polled, size does matter: “a smaller business is just as vulnerable as larger
    enterprises to attacks from cyber criminals.” McAfee points to other surveys
    concluding that in 2007, U.S. companies lost an average of $350,000 to “cyber
    security incidents,” double the average losses reported in 2006.

    Size does affect the cost to businesses of being knocked off-line, however. Small
    companies averaged $30,000 loss of income, mid-sized businesses reported losing
    an average of$225,000, while large companies lost roughly $30 million each,
    Rodenbaugh noted.

    An Infonetics Research report (“The Cost of Network Security Attacks: North
    America 2007”) reported that at small and mid-sized businesses, spyware
    accounted for about 40% of downtime, with malware infecting servers also a big

    Jeff Green of McAfee’s Avert Labs suggests attacks against high-profile targets are
    becoming less frequent, because they’re more quickly detected. Instead, cyber
    attackers regard smaller businesses as “easy pickings” and are increasingly
    targeting them. Green predicts that there will be more attacks using VoIP (voice-
    over-Internet protocol or Internet telephony) with Web 2.0 and social networking
    applications like Facebook being attacked as back doors into business networks.

    McAfee recognizes that smaller businesses are often unable to devote a dedicated
    IT person to security issues. It suggests, however, that increasingly these sorts of
    issues are business-critical for small and mid-sized businesses. •

Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached at E-mail Alan
Search WWW Search