Every year there are dozens of reports and studies on the state of cyber security in businesses large and small. They are almost always notable in that they are a call to action that seems to be left unanswered. Sadly, we, the information security practitioners, see the same problems repeating themselves over and over again unabated. This is especially true in the world of small business IT. A recent survey conducted by the National Small Business Association (NSBA) polled 845 small businesses on the state of their IT security/information security efforts. Here are a few of the results:
- Nearly half of all small businesses have been a victim of cyber attacks which had very real losses such as service interruption, website infection, loss of sensitive information or complete data loss.
- The average cost associated with a cyber attack was $8699 per incident.
- 1 in 4 said they have little to no understanding of the issues of information security whatsoever.
- A full 72% of respondents handle their IT security concerns without the help of a skilled IT professional.
None of this is positive news, but even worse is that it is all OLD NEWS. The worst of this report is that most organizations still believe that they can handle the deluge of information security risks without the need of professional IT help. The risks and costs are high in the day of advanced persistent threats, but organizations still seem to think a band-aid approach will suffice. Clearly the results of this study and every other show this isn’t the case. It is time for small businesses to invest in proper IT security controls. Small businesses should understand the risks and the need for calculated investment in information security to ameliorate these problems. With proper people, process and technology you can reduce your risks and not become one of these statistics.