Are SMBs Easy Pickin's for Cyber Criminals?
As to just how important reliance on the Internet is to SMBs (small and medium-sized businesses), the study found that:
"SMBs have become very reliant on the Internet, with 92 percent of respondents claiming that online access and availability is very important to the running of their businesses."
The study also found that 21 percent of the businesses that responded claimed to have suffered at least one "IT security attack"; and one third of those businesses had suffered more than four attacks in the last three years. It took 26 percent of businesses a full week to fully recover from their most recent attacks. Additionally, 21 percent of "businesses surveyed felt that an IT security could put them out of business."
As to SMBs' susceptibility to cyber security breaches, such as viruses, spyware, and hacker intrusions, McAfee concluded:
"There is a predominant belief that SMBs on both sides of the border (and in Europe) are too small to be of any value to cyber criminals, and most SMBs are confident that they are adequately protected by default settings in their IT equipment."
McAfee's overall conclusion, however, is based on a single statistic:
52% don’t think they are well known enough to be a target of cyber criminals
Once the specifics of this sentiment are explored more deeply, however, the numbers start to drop below the 50-percent mark:
- 46% do not think they could make a cyber criminal money
- 45% of SMBs do not think they are a valuable target for cyber criminals
- 44% of SMBs think cyber crime is an issue for larger organizations
- 35% of SMBs are "not concerned" about being a target of cyber crime
- 34% don’t think their information has value outside the organization
While the numbers do indicate a sizable percentage of SMBs that might be taking their security for granted, we're not sure that the numbers justify McAfee's sweeping generalization that "SMBs in the United States and Canada are burying their heads in the sand, living with the belief that the smaller they are the less of a target they are to cyber criminals."
A much more likely reason for a laissez-faire attitude and potentially inadequate security protection is the limited amount of time SMBs actually devote to proactively managing security on their networks. Asked how much time they devote to this, the largest percentage of respondents (39 percent) said they spent only one hour per week. This at least partially explains why 50 percent of the survey's respondents said that they "typically accept the default settings" on their IT equipment.
As to where the attacks are being targeted, McAfee reports:
"Cyber criminals are increasingly turning their attention to technologies such as Voice over IP (e.g. Skype), smartphone software (Blackberrys) [sic] and new virtual systems. These technologies are being progressively adopted by SMBs as they offer substantial cost-savings and flexibility, making SMBs even more likely to become targets."
The report concludes that SMBs are just as susceptible to cyber attacks as big businesses are. This is a bit of a leap of faith, considering that McAfee provides no hard evidence comparing the percentage of security breaches in large companies versus SMBs. Of course, not all security breaches are reported or made public, and as McAfee points out, "an attack focused on an SMB will often be for a smaller amount (and will therefore be below the radar of organizations like the FBI, who focus on larger crimes)." We agree that SMBs probably need to do more to improve their IT security measures, but we're still not convinced that SMBs are just as lucrative targets as big businesses are--as McAfee would have us believe.