Some 94% of companies encountered an “external” security incident over the last 12 months, and slightly less – 87% – had to deal with an internal security issue: these are the facts and figures from the newly released IT Security Risks Survey by Kaspersky Lab and B2B International. The survey had been conducted among 3,900 businesses of all sizes in 27 countries, and over 54% of the participants were mid-sized, large and very large entities, while the rest represented small and very small businesses.
#Kaspersky Lab IT Risks Survey: IT awareness needs to do better.Tweet
One of the most notable results of the survey shows that companies are willing to risk and tend to prioritize their IT spending – which includes IT security – quite differently depending on their size. In a nutshell, SMBs are clearly regarding their IT strategy, and by extension their IT security, as less important than their larger competitors.
While not exactly unexpected, this is quite troubling. Troubling for the businesses themselves, as well as the users who are at risk of being collateral damage – such as personal data leaks.
The situation is even more unsettling since hackers don’t care whether the company they attack is small or large. The “we’re too small for a hacker to take notice of us” approach, quite common among the smaller business entities, doesn’t work. In fact, at least some cybercriminals prefer targeting SMBs instead of larger businesses, since they know that small and medium companies are often not fully protected, leading to thefts that are smaller in value, but much easier to accomplish.
This latest survey data also shows that even SMBs with only 100 employees can expect to pay hefty costs resulting from malware infection and data loss. These costs can include professional services to advise companies after a serious incident ($10,000 average cost for SMBs), IT training for staff to prevent further breaches ($5,000 average cost for SMBs), as well as damage to the businesses reputation, which by itself can be enough to set a small business ablaze. Overall, damages from one data security incident were estimated at an average of $720,000, damages from one successful targeted attack – as much as $2.54 million.
IT awareness exists, but priorities are elsewhere. #protectmybizTweet
Figures from the survey show that IT security awareness either needs improving or that priorities are placed elsewhere.
For example: According to Kaspersky Lab’s data, in 2013, company experts detected an average of 315,000 new variants of malicious programs daily. Based on the survey results, only 4% of respondents named a figure comparable to that of Kaspersky Lab estimates, while over 91% of those surveyed grossly underestimated that number. The awareness level in the 2013 survey was higher – at 6%.
Also only 67% of respondents reported that security software was installed on their companies’ workstations – 4% lower than in 2013 survey.
As said above, some 94% of companies surveyed this year encountered at least one “external” incident. It’s 3% more than a year before. Interestingly, though, 64% of respondents claimed that their top concern was spam. Last year’s “favorite” was malware attacks. This year they took 2nd place.
Targeted attacks, however, steadily go mainstream. Reported as experienced by 12% of respondents (+3%, compared to 2013), this number is quite higher in such sectors as government and defense – 18% of respondents representing those types of companies reported having run into at least one such attack. Similarly, this problem was reported by 17% of telecom-related respondents, 16% of those involved with finance services and transport and logistics.
Then there are “internal” threats. The top line there belongs to vulnerabilties and flaws in existing software (36%). However, five out of seven top problems reported are staff-related: accidental or intentional leaks, inappropriate sharing and even fraud (mostly reported by financial organizations) – they all constitute a formidable share of security concerns for the companies surveyed.
The landscape of external and internal threats encountered by companies over the past 12 months clearly deomnstrates the need to use comprehensive security solutions. The very fact that these incidents take place shows that companies’ IT infrastructures could use an improvement of their security.
According to IT Security Risks Survey 2014, “There are many reasons and factors for the current state of affairs, which include inadequate threat assessment and others, such as, the belief that any financial damages caused by a cyber attack will be lower than any investments in purchasing and deploying security solutions; based on the survey results, roughly 28% of respondents hold that view”. However, actual damage may result in budget losses way above those set aside for data security.
The full text of the report is available here.