Ponemon Study: SMBs Fail Miserably at Security

Gerhard Eschelbeck, CTO of security vendor Sophos

The state of IT security in small and midsized businesses may be worse than previously thought, according to a new study that finds a majority are in deep denial about the risks of cyberattacks and the compromise of critical data. The study by Ponemon Institute and sponsored by UK security vendor Sophos Ltd. found 58 percent of SMB IT decision makers do not see cyberattacks as a significant risk to their business.

That attitude pervades despite the fact that IT security disruptions cost the 2,000 SMB survey respondents a combined average of $1,608,111 over the past year.

Perhaps most troubling, the Risk of an Uncertain Security Strategy study found that the more senior a manager was in their SMB organization, the more likely they were to dismiss the seriousness of potential cyber threats.

“The scale of cyberattack threats is growing every single day,” said Sophos CTO Gerhard Eschelbeck, “yet this research shows that many SMBs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture.”

“Today in SMBs, the CIO is often the ‘only information officer,’ managing multiple and increasingly complex responsibilities within the business,” said Eschelbeck. “However, these ‘OIOs’ can’t do everything on their own and as employees are demanding access to critical apps, systems and documents from a diverse range of mobile devices, it would appear security is often taking a back seat.”

The study raises the possibility that current trends such as BYOD and cloud computing might further exacerbate the security problem. Seventy-seven percent of respondents said use of cloud applications and IT infrastructure services will increase over the next year, yet a quarter of those indicated they have no idea if that will impact security. Similarly, 69 percent said that mobile access to business critical applications will rise next year, despite the fact that half believe this will weaken IT security.

“Small and midsize organizations simply cannot afford to disregard security,” said Larry Ponemon, president of the Ponemon Institute. “Without it there’s more chance that new technology will face cyber attacks, which is likely to cost the business substantial amounts.

“CIOs are under pressure to implement new technology that informs agile and efficient ways of working, but this should not take precedence over security,” Ponemon said. “The industry needs to recognize the potential dangers of not taking cyber security seriously and create support systems to improve SMB security postures.”

Other key findings of the study conducted in the U.S., U.K., Germany and Asia-Pacific include:

  • A third of respondents admit they’re not certain if a cyber attack has occurred in the past 12 months; 42 percent say their organization had experienced a cyber attack in the past 12 months.
  • Forty-four percent of respondents report IT security is not a priority. As evidence, 42 percent say their budget is not adequate for achieving an effective security posture. Compounding the problem, only 26 percent of respondents say their IT staff has sufficient expertise.
  • Uncertainty about security and the cyber threats they face varies by industry: financial services respondents have more confidence in their security posture and the technology sector is more security aware, while retail, education and media harbor the greatest uncertainty about their organization’s security strategy and the threats they face.

The Ponemon findings, while troubling, do indicate a continuing need for third-party security services providers and a growing imperative for the channel to educate SMB clients on the seriousness of cyber security, particularly as they engage in BYOD and cloud initiatives.