VSB attitude towards cyberthreats: dangerous but not too important

New Kaspersky Lab’s survey shows VSB owners are well aware of IT threats, but their priorities lie elsewhere and the “immunity by obscurity” approach is a bit too common.

Alright, we said this before, now there is a statistical confirmation: According to a fresh Kaspersky Lab survey of businesses worldwide – 2014 IT Security Risks summary report, very small businesses (VSBs) with fewer than 25 employees are the least likely to view “IT Strategy” anywhere near the top of their strategic concern. Only 19% of VSBs worldwide reported IT Strategy as one of their top-two strategic concerns, compared to 30% of businesses with more than 100 employees, and 35% of enterprises with 5,000 employees or more. Alarmingly, this often-neglected business category includes internet and data security policies.

The basic reason is the same: “We’re too small and/or struggling to care about something that may never happen – cyberattacks”. Indeed, VSBs are often startups struggling to establish themselves, and most often they just don’t have the money or IT expertise to properly implement vital IT components like security software.

A new business owner will most likely pour all their resources into growing the sales of their core product or service. What all investments in business infrastructure are about if the business itself crumbles? 

But then there is a question, at what point should a VSB begin building an IT and security plan for the future? There is one more: What are the potential consequences if they wait too long?

IDC estimates that there are approximately 80 million businesses worldwide that operate with fewer than 10 employees. Aforementioned “Security by obscurity” mentality is common there: These businesses believe they are too small to be targeted by cybercriminals and don’t have any data that cybercriminals would want. However, Verizon’s 2013 Data Breach Investigations Report, which includes data from worldwide forensic investigations, found that of the 621 data breaches analyzed, 193 breaches – more than 30% – occurred at companies with 100 or fewer employees. It is quite logical to assume that VSBs make up a sizable portion of these victims.

The problem is that cybercriminals don’t care about size or the “default” value of the targeted company’s data: they just scan far and wide for the weak points and access to money, and once they find one, attack most likely ensues.

As soon as businesses begin processing credit card payments, storing customer information, or even creating plans for new products, they possess information that is valuable to cybercriminals.

In fact, some cybercriminals may prefer these “soft targets” that are known to have poor IT protection. The resulting payoff for each victim attacked is smaller, but it can require less effort for the cybercriminal to successfully attack numerous VSBs instead of a single larger business.

And then comes the key difference: larger businesses will have the funds to recover from an IT security incident, but costs of lost customer data, significant time spent offline, and associated clean-up expenses can add up to thousands of dollars depending on the type of incident, and be enough to drive smaller business to go down in flames.

Interestingly, Kaspersky Lab’s survey also found that VSB owners actually are aware of online threats and the dangers they pose: when asked about their top concerns associated with business IT, 35% of VSBs ranked “Data Protection” among their top-three choices, the highest ranking amongst all business segments (26% of medium-sized businesses included “Data Protection” among their top-three choices, and 29% of enterprises did the same). 

For the same question, VSBs also ranked “Ensuring Continuity of Service for Business Critical Systems” as a top-three IT department concern at a rate comparable to larger businesses (only 2% less than the total average).

In other words, VSBs are aware that their IT strategy plays a vital role in protecting sensitive data and keeping their daily business operations from being crippled by malware and cybercriminals. But still the top priorities aren’t there.

Also, VSBs are well-informed about the benefits and security risks of using mobile devices within their businesses. 34% of VSBs reported integrating mobile devices into their IT systems within the past 12 months, a rate of adoption that is nearly identical to larger businesses (32% of large businesses reported adoption of mobile devices, along with 35% of enterprises).

Moreover, VSBs are actually leading the charge in mobile device security awareness. 31% of VSBs listed “Securing Mobile/Portable Computing Devices” as one of their top-three IT security priorities for the next 12 months. This number seems surprisingly high compared to the global average of 23% of all businesses that have prioritized future mobile device security for the coming year.

It seems this data disputes any claims that VSBs are less savvy about mobile device usage or mobile security risks than their larger competitors. And this is actually easy to explain: a startup workers would use their own devices from the day one, so BYOD paradigm forms there naturally, as it is. And so is – most likely – the awareness of cyberthreats in general: smaller startups are usually launched by the younger people who have got used to IT since their early childhood. But again, being familiar with computers, mobile devices and security issues doesn’t make them experts.

The new survey clearly shows that awareness of online threats is quite high, but still priorities lie elsewhere, not with IT strategy. This most likely means that such low VSB prioritization of IT security is caused by budgets: VSBs just don’t have enough funds to adopt more advanced IT and IT Security measures.

Therefore, Kaspersky Lab advises VSBs to invest in the security measures that will provide the most immediate benefit for the threats they commonly face. According to VSB survey respondents who reported losing business data from a cyberattack, 32% reported “Malware” being the cause of their most serious incident, a rate that is double what was reported by enterprises (16%). Another significant source of data loss for VSBs was traced back to “Software Vulnerabilities,” reported by 9% of VSBs, a rate that is nearly the same as the 8% global average citing this factor. This means software vulnerabilities are a security issue that affects businesses nearly equally, regardless of size.

With these facts in mind, Kaspersky Lab recommends its Kaspersky Small Office Security as an investment VSBs should consider. It is built to include business-grade technologies in a form that doesn’t require IT expertise to operate, and includes the industry’s leading anti-malware engine, along with a software vulnerability scanner to identify any machines that could be exploited by cybercriminals. Kaspersky Small Office Security also includes both malware protection and anti-theft features for mobile devices, which VSBs are rapidly adopting, along with data encryption tools to ensure customer data is protected from theft or accidental deletion.


Further reading: 2014 IT Security Risks summary report (full version)