For several years now, CIO Insight’s annual security surveys have found that IT executives have more confidence in their security than is warranted by the strength of their security measures, or the number of breaches that are occurring. However, CIOs at companies with revenues below $500 million don’t have the same level of bravado as their counterparts at larger companies. Twenty-five percent of the IT executives at SMBs say their firm’s IT defenses do not offer adequate defense against viruses, Trojans, worms and hackers. The reasons: Many of these companies have underinvested in security technologies, have failed to put stringent security and privacy protection policies in place, and are failing to get their employees to follow them. SMBs are responding by increasing the level of security spending from last year, a necessary step if they are to plug some of the holes. But if these IT executives really want to sleep better at night, they should also focus on the tough task of changing the behavior of their employees.
One in four SMBs have inadequate IT security.
Even though relatively few companies below $500 million in revenues experienced a security breach in the past 12 months, more IT executives at these companies believe they lack adequate protection from the ravages of viruses, malware and unauthorized penetration of their systems than executives at larger organizations.
Smaller companies suffer from lax security practices.
One reason IT executives at small and mid-size businesses lack confidence in their IT security is that they are less likely to have effective security policies in place, and to get employees to follow those policies. For example, only six of ten have a strong policy covering e-mail attachments, a common source of viruses. In comparison, larger companies have a more thorough and disciplined approach to security. No wonder so many CIOs at SMBs consider careless behavior one of their biggest security worries.
SMBs lag behind on security technology and privacy.
Compared with larger companies, fewer SMBs have invested in, or have had success installing, the 23 security technologies we track. Some, like patch management, intrusion detection and URL filtering, have been successfully put in place by far fewer small and mid-sized organizations. Without these technologies, SMBs have a much harder time staying secure. In fact, small companies may report fewer intrusions simply because they often lack the means to detect them. SMBs are also less strict about protecting customer data. The one bright spot: SMBs are boosting security spending by 8%.