Among the shockers:
- 59% of small and midsized business have no endpoint protection
- 47% have no desktop backup/recovery tools in place
- 42% have no ant-spam solution in place (How do they get anything done, at least in their e-mail queues?)
- 38% are without server backup/recovery solutions
And, lower in percentage, but to me most shocking of all:
- 33% of small and midsized businesses surveyed are running no anti-virus protection.
- The result, no surprise, is gaps that result in security breaches and worse:
- 47% have experienced breaches as a result of hardware failure
- 32% experienced a breach as a result of improper or out-of-date security tools
- 42% have experienced lost or stolen data devices
- 25% have faced deliberate sabotage by employees
- 19% have dealt with a security breach that was the result of "improper security procedures/education within the workplace"
That last speaks for all of the above -- improper security procedures and especially education are both the largest vulnerability for small and midsized businesses, and also the most easily (though not without effort, and disciplined effort, at that) corrected.
The need for that corrective education is clear; security gap explanations (and excuses) found in Symantec's survey include:
- 42% of small and midsized businesses have no dedicated IT staff
- 41% feel employees lack proper IT/security skills
- 33% lack a thorough awareness of threats
- Budget, of course, is an issue as well, with 37% of the survey participants citing finances as the reason for their security vulnerabilities.
- Median IT security budget for small and midsized businesses is $4,500
- Median IT storage budget is likewise $4,500
Those budgets are expected to remain or constant or increase slightly in the coming year, despite the economy, reflecting the awareness of security needs, if not an understanding of their nature.
Which brings us back to the corrective: education.
- Review your security (and backup/restore) tools for comprehensiveness, need for updates, proper deployment and use.
- Review every employee's understanding of the security environment, and implement/introduce training and re-training where necessary.
- Develop and implement a thorough security and computer/device usage policy, insist that your employees read, sign, and adhere to it.
- Long past time to close the gaps in small and midsized business security, gaps especially gaps based on ignorance, apathy, or denial.