According to a Kaspersky Lab survey of businesses worldwide, very small businesses (VSBs) with fewer than 25 employees are the least likely to view “IT Strategy” as a top strategic concern. Only 19% of VSBs worldwide reported IT Strategy as one of their top-two strategic concerns, compared to 30% of businesses with more than 100 employees, and 35% of enterprises with 5,000 employees or more. Alarmingly, this often-neglected business category includes internet and data security policies.
These survey results, found in Kaspersky Lab’s 2014 IT Security Risks summary report, illustrate a key challenge for VSBs. An effective IT strategy is a vital component of any successful business, and if managed properly, can enable a small business to accomplish big things. But the reality is that VSBs, which are often startups struggling to establish themselves, most often don’t have the money or IT expertise to properly implement vital IT components like security software. A new business owner will most likely pour all their resources into growing the sales of their core product or service, since investments in business infrastructure are meaningless if the business itself fails. But at what point should a VSB begin building an IT and security plan for the future, and what are the potential consequences if they wait too long?
According to IDC estimates, there are approximately 80 million businesses worldwide that operate with fewer than 10 employees. Many of these businesses adopt the “security by obscurity” mentality, believing that they are too small to be targeted by cybercriminals and don’t have any data that cybercriminals would want. But Verizon’s 2013 Data Breach Investigations Report, which includes data from worldwide forensic investigations, found that of the 621 data breaches analyzed, 193 breaches – more than 30% – occurred at companies with 100 or fewer employees1. It is reasonable to assume that VSBs make up a sizable portion of these victims.
Business owners must understand that as soon as they begin processing credit card payments, storing customer information, or even creating plans for new products, they possess information that is valuable to cybercriminals. In fact, some cybercriminals may prefer these “soft targets” that are known to have poor IT protection. The resulting payoff for each victim attacked is smaller, but it can require less effort for the cybercriminal to successfully attack numerous VSBs instead of a single larger business. However, a key difference is larger businesses will have the funds to recover from an IT security incident, but costs of lost customer data, significant time spent offline, and associated clean-up expenses can add up to thousands of dollars depending on the type of incident, and be enough to drive smaller business to bankruptcy.
According to Kaspersky Lab’s survey, VSBs understand the dangers of online threats. When asked about their top concerns associated with business IT, 35% of VSBs ranked “Data Protection” among their top-three choices, the highest ranking amongst all business segments (26% of medium-sized businesses included “Data Protection” among their top-three choices, and 29% of enterprises did the same). For the same question, VSBs also ranked “Ensuring Continuity of Service for Business Critical Systems” as a top-three IT department concern at a rate comparable to larger businesses (only 2% less than the total average). Clearly, VSBs are aware that their IT strategy plays a vital role in protecting sensitive data and keeping their daily business operations from being crippled by malware and cybercriminals.
Also, VSBs are well-informed about the benefits – and security risks – of using mobile devices within their businesses. 34% of VSBs reported integrating mobile devices into their IT systems within the past 12 months, a rate of adoption that is nearly identical to larger businesses (32% of large businesses reported adoption of mobile devices, along with 35% of enterprises). Moreover, VSBs are actually leading the charge in mobile device security awareness. 31% of VSBs listed “Securing Mobile/Portable Computing Devices” as one of their top-three IT security priorities for the next 12 months. This number seems surprisingly high compared to the global average of 23% of all businesses that have prioritized future mobile device security for the coming year. It seems this data disputes any claims that VSBs are less savvy about mobile device usage or mobile security risks than their larger competitors.
These findings show that low VSB prioritization of IT strategy, and by extension IT security, isn’t being caused by low awareness of important IT security issues. So what does cause it? A reasonable conclusion is that a lack of budget remains the biggest barrier preventing VSBs from adopting more advanced IT and IT Security measures. Therefore, Kaspersky Lab advises VSBs to invest in the security measures that will provide the most immediate benefit for the threats they commonly face. According to VSB survey respondents who reported losing business data from a cyberattack, 32% reported “Malware” being the cause of their most serious incident, a rate that is double what was reported by enterprises (16%). Another significant source of data loss for VSBs was traced back to “Software Vulnerabilities,” reported by 9% of VSBs, a rate that is nearly the same as the 8% global average citing this factor. This means software vulnerabilities are a security issue that affects businesses nearly equally, regardless of size.
With these facts in mind, Kaspersky Lab recommends its Kaspersky Small Office Security as an investment VSBs should consider. It is built to include business-grade technologies in a form that doesn’t require IT expertise to operate, and includes the industry’s leading anti-malware engine, along with a software vulnerability scanner to identify any machines that could be exploited by cybercriminals. Kaspersky Small Office Security also includes both malware protection and anti-theft features for mobile devices, which VSBs are rapidly adopting, along with data encryption tools to ensure customer data is protected from theft or accidental deletion.
1 Verizon Communications Inc.'s forensic analysis unit