The National Cyber Security Alliance (NCSA) partnered with Symantec to conduct an online safety survey of small to medium businesses. It was just released in October of 2012, and as surprising as some of the data points are, they really shouldn’t be. The total representative sample group was 1,015 US-based SMBs (250 employees or fewer), and the margin of sampling error is +/- 3.1 percent.
The report covers a wide range of information security concepts, including internet usage, device management (obviously giving more insight into the growing bring your own device (BYOD) dilemma plaguing companies), and other concepts like intrusion detection and mitigation. I will obviously focus on the areas that best pertain to the domain I’m interested in, web security.
Some interesting statistics:
- 46% of companies had a website
- 82% of customer activity is focused around finding products / services
- 38% of customer activity is around making purchases
- 24% of customer activity is focused on making a payment for a service
- 69% of those SMBs manage their own website
- 13% felt a corporate website being hacked would have a lasting impact
- 27% felt that if their online brand were used for phishing that would have a lasting impact
- 45% felt that malware / viruses would have a lasting impact
- 66% were responsible for their own cybersecurity
- 75% do not use any type of multifactor/strong/two-factor authentication to access company information
- 83% do not have any change password policies
- 65% think that it is unlikely that they would lose any customers because of insecurities in their website
- 66% are not concerned about internal or external threats
- 52% are satisfied with their security posture
- 50% feel they are investing enough in security
- 51% feel they are doing enough for their customers’ data
- 76% of companies feel safe against cyber-security breaches
Again, while I would like to say that I was surprised, I am not.
I am more disappointed and saddened by these numbers than anything. If nothing else, they only confirm opinions and beliefs around the current state, or lack thereof, of small to medium businesses, specifically their state and awareness around information security.