About 42 percent of small and midsize companies have lost proprietary or confidential information, according to Symantec's SMB Information Protection Survey, which was published last month. Of the companies that lost data, 23 percent blamed insiders inadvertently losing data; another 14 percent of breaches were blamed on a broken business process.
In another survey released last year, Symantec researchers found that, of SMBs that suffered at least one breach, 44 percent blamed a lost device, nearly 40 percent blamed human error, and nearly 20 percent attributed the loss to outdated security procedures or inadequate employee training.
The problem, some experts say, is that small business employees are increasingly mixing personal and business technology. SMBs that are not prepared to deal with smartphones, social networks, and other emerging technologies will find their security suffers, says Alex Eckelberry, general manager of security firm GFI. Companies that employ the youngest generation of workers face this problem in spades, he says.
"In the past, companies made it clear that you are on their network and, if you do anything bad, you will be kicked off," Eckelberry says. "Today there are companies out there that say, 'Here's $2,000 -- go buy whatever you want, and the IT department will secure it."
To make matters worse, workers who employ these next-generation technologies are usually not educated in the online threats that could target an SMB, says Alex Hutton, principal on research and intelligence for the Verizon Business RISK team. A lack of training can lead to employees inadvertently giving the attacker a hand into the company's network, he says.
In its annual data breach report, Verizon Business found that insider errors were a factor in two-thirds of all breaches it investigated on behalf of clients.
"[The attacks] may be originating from the outside, but we [employees] are doing all we can to help them in,” Hutton says.
To take advantage of uneducated employees, online attacks against companies are becoming increasingly complex, says Ted DeZabala, national leader of the security and privacy services practice at Deloitte. In one case investigated by the firm, online attackers added employees a one midsize company's payroll and had the paychecks deposited into accounts it owned.
"This was going on for months and months," DeZabala says. "What we are seeing is that even companies that have very robust program -- and are diligent with patching and dealing with vulnerabilities -- are not equipped to deal with highly sophisticated malware that is spreading in the marketplace.”
Small and midsize businesses should educate employees about online threats, just as they do about physical threats, experts say.
"A huge part [of prevention] is awareness," Hutton says. "I used to do awareness programs in small banks, and the tellers are always nervous about physical threats, so [the banks] are never shy about spending money on physical security.”
Some SMBs might shy away from security tools and practices because of the cost, but technically savvy companies can prevent many leaks without spending a dime, experts say.
For example, most browsers now dynamically check links against a known list of bad sites, preventing accidental surfing to malicious destinations. A "clean" DNS service, such as OpenDNS, can also help employees avoid malicious sites. And companies can update their firewalls with block lists provided by one of the many free services that offer them, such as MalwareDomains.com, Eckelberry says.
Patching is also a critical element in protecting against unintentional data leaks, but companies shouldn't focus only on operating system patches, observers say. All applications -- especially ubiquitous ones, such as Adobe Acrobat and Flash -- need to patched as soon as possible.
"A lot of this stuff is free," Eckelberry says. "That's what makes it so painful that companies are not doing it."
SMBs should also watch their employees carefully, Deloitte's DeZabala says. While some companies attempt to ban social networks, these sites are becoming an important business tool -- it's better to monitor the users, he says. In smaller companies, monitoring can be as simple as managers friending their workers on social networks.
But be sure you can handle the data you're monitoring, DeZabala advises. "Monitoring is a double-edged sword," he says. "More monitoring means more data you have to collect and analyze -- and the more data you collect, the less chance that you will use it.”
Data-loss protection (DLP) systems and services can stop users from unintentionally disclosing information they should keep confidential, experts note. Such systems can monitor email and Web postings for confidential information, while programs designed to manage devices can often prevent inadvertent or malicious copying of data to USB devices.
Training employees to think about their online actions is another big part of the solution, experts say. Unified threat management (UTM) systems and layered defenses can help -- but even with depth and redundancy, they are not always going to work.
"If it is a targeted attack, that is going to be problematic," Hutton says. "The vast majority of malware is customized every day, and so signature-based solutions are of limited use."
Even antivirus vendors warn their solutions are not enough.
"A lot of people will buy one product and expect it to do everything -- and it doesn't," says GFI's Eckelberry, which recently bought security application maker Sunbelt Software. "In the past, you could rely on your AV product to catch everything, but it can't anymore. I have some of the coolest technology in the world, but I know what it is like out there. It will not catch everything."
Companies should secure employees against their own behavior just as a parent childproofs a house, Eckelberry says. "It may be a terrible analogy," he says, "but as an IT manager, you have to expect that users are gong to bumble around and break glass objects."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.