Encouraging Very Small Business to Invest in IT Security

Small business is a very important part of the economic ecosystem. Within the global economy, there are more than 75 million businesses worldwide that operate with fewer than 10 employees¹. These “very small businesses “are critical components and major contributors to the strength of local economies. VSBs create millions of jobs and generate millions of dollars. Moreover, such companies have great potential for expansion, as 64% of the VSBs worldwide expect growth over the next two years².

Very small business operate in many fields and, just like bigger companies, process sensitive data while banking online, including financial information about themselves and their customers. It means that smaller business face the same online risks as other, larger companies.

Despite the obvious cyber-risks, struggling startups and mature small companies rarely pay much attention to cybersecurity issues. According to the 2014 Global Corporate IT Security Risks survey conducted by B2B International in conjunction with Kaspersky Lab, VSBs are concerned more about their products and service strategy (41% of companies named it as a priority) and marketing strategy, which includes business development, building customer relationships and improving business image (40% named it as a priority for the company). As a result VSBs rate development of IT strategy (including security) as a lower strategic concern than larger businesses (only 19% of VSBs name IT strategy as the most important or second most priority for the company). Of course it’s vital to invest in core business processes, but it would be a costly mistake for small business to completely neglect security considerations.

Why do VSBs not pay much attention?

One reason why IT strategy is not a top priority is because very small business tend to underestimate the scale of IT threats. Perception of malware discovery rates among VSBs tends to be less realistic than in larger companies. The survey found that 74% of VSBs believe that 10,000 or fewer malware samples are discovered daily while the real figure is much higher at over 315,000 per day.

At the same time very small businesses share a common assumption that smaller firms are safe from cybercriminals. They believe that criminals won’t waste time and effort on a small company and that small businesses don’t have enough to be worth stealing from. The reality is very different: data from Verizon’s 2013 Data Breach Investigations Report shows that more than 30 percent of data breaches occurred at companies with 100 or fewer employees. Due to this gap between perception and reality, very small business seldom pay much attention to IT security, inadvertently offering cybercriminals a great opportunity for easy money.

What Are the Consequences?

This shortsightedness can cost a huge amount of money. For start-ups even a single security incident could easily spell financial ruin. According to the fresh figures from the 2014 Global Corporate IT Security Risks survey the worldwide average cost of a data breach for a small or medium sized business can reach $375,000 USD. This figure includes lost business opportunities, hiring external IT support to fix the problem and potentially even new equipment. The median cost of professional services for SMBs due to a serious data loss event is $10,000 USD. For a very small business, this kind of bill can be a fatal blow.

The costs are not just financial: 57% of data loss events had a knock-on effect that damaged the operation of the business. The image and reputation of a company – something which absorbs so much time and effort when developing marketing strategies – can be ruined overnight. More than half of lost data events (56%) lead to a negative impact on a company’s reputation or perceived reliability.

Are companies willing to invest?

Large companies and enterprises are more likely to invest in software and infrastructure, staff training and recruitment of specialists to prevent further breaches. Larger businesses were significantly more open to the idea of investing in premium software solutions to protect financial transactions against fraud. Fraud prevention solutions are generally dedicated to securing the connection between a business and its bank, ensuring that financial transactions receive the highest level of protection against cybercriminals.

The number of VSBs which are willing or quite willing to invest in protection solutions is significantly lower than the number of companies of large enterprises or even SMB. More than a half of very small businesses (57%) have no interest whatsoever in investing in protection solutions.

The key to protecting VSBs is to appropriately prioritize their security needs. A small company does not need to start by investing in things like the implementation of data-loss prevention (DLP), or an in-depth management console. VSBs can focus on the security issues which are critical to the individual company or to the field it works in, and pick a security vendor that can scale up as their business grows. At the outset, a very small business needs the baseline protection supplied by anti-malware software and a firewall. Once these businesses become operational and start processing orders, they need data encryption technology to protect payment information or customer information, and this sort of protection is often mandated by law. If they begin hiring employees who work outside the office, then basic mobile security features will be appropriate.

One key reason why VSBs may be hesitant to invest in IT security is because they feel there isn’t a security solution built with their needs in mind. Often they must choose between consumer software that isn’t designed with business in mind, or enterprise-level software which is too complicated and expensive. Kaspersky Small Office Security is designed to fill this gap, offering specially-built management and financial transaction protection that is made easy for an ordinary person to use, along with business-critical tools like file encryption and protection for file servers. To learn more about Kaspersky Small Office Security, please visit our business security homepage.

¹IDC Secure Content and Threat Management Tracker – 2013

²Forester Research Foresight SS, 2013