In late October, the National Cyber Security Alliance (NCSA) co-sponsored a study with Symantec, the software security giant, about the cyber security policies of small businesses across the nation. The report, which was called the 2009 National Small Business Cybersecurity Study, surveyed 1,500 small businesses in the United States, and found that only 28 percent have some sort of formal Internet security policies, and a mere 35 percent provide some sort of Internet safety and security training to employees.
Additional data found that a majority of today's small businesses are mishandling valuable information – such as sensitive employee and corporate content, and confidential customer information, like credit cards and financial records – by not properly protecting it from potential cyber threats. Interestingly enough, the study reported that 65 percent of the businesses surveyed said that the Internet is vital to their success, yet they are doing very little to ensure that they do not become victims of a cyber attack.
Michael Kaiser, executive director of the NCSA, said the study was conducted now because it has become increasingly clear to people in the cyber security field that "small and medium-sized enterprises are being targeted for attacks more and more." The shape of e-crime is shifting not only from phishing, or randomly collecting password and logon data, but also from targeted attacks in which hackers are collecting and re-selling data to interested parties, Kaiser added.
"A lot of data breaches go on that we don't know about," Kaiser said. "Data can be lost in a lot of different ways, [from] external hackers to someone leaving a laptop in a restaurant that gets stolen. Given the fact that so few small businesses have security policies, and almost half are not doing core protections – what is making them feel safe?"
Derek Manky, project manager of cyber security and threat research for network-security appliance company Fortinet, said, "The most common cyber attacks hackers use are spam emails, poisoned documents, and scareware and malware threats for fake anti-viruses that actually load viruses onto the main servers and infect entire networks." He suggested that more small businesses take the time to implement cyber security policies, and workshops or training seminars to educate employees on the risks of cyber threats.