SMBs ill-prepared to thwart cybercrime

Published 24 October 2007

Small and medium-size businesses account for a large portion of the economies of advanced countries, but a recent Webroot report says SMBs have minimal IT staffs and do not appreciate the risks

Talk about carrying a bull’s eye on your back: In most industrialized countries, small- and medium-size businesses (SMBs) make up 97 to 99 percent of all companies. Yet most of those small to midsize businesses have tiny IT groups, and most of those IT groups do not have security expertise — indeed, they do not even have security policies to manage employees’ personal use of work computers. These grim facts come from a 16 October survey report from Boulder, Colorado-based Webroot Software. For its latest quarterly State of Internet Security report, Webroot surveyed companies with five to 999 computers in six countries: Canada, France, Germany, Japan, the United Kingdom, and the United States.

Now, “SMB” is not an exact term. Each country has a different definition of what constitutes a small or medium-size business. In some countries, an SMB has fewer than 1,000 employees, in some it is sub-500, and in others it is fewer than 100, according to Webroot. In general, however, companies with fewer than 1,000 employees form a large chunk of many countries’ economies. In the United States, companies with fewer than 500 employees account for half of all private-sector workers, and SMBs produce half of the private, non-farm GDP. In the United Kingdom, SMBs account for almost 60 percent of all employment.

Webroot CEO Peter Watkins told eWEEK that SMBs are getting hit hard by cybercrime — unsurprising, given the scant IT coverage they have in-house. “When you look at some individual statistics about the number of people they have devoted to areas like IT, it’s amazingly small,” he said. “[Thirty-one percent] of small businesses have two to three people or less devoted to IT.”

Note that we are not talking about dry-cleaning shops or bodegas, which have no real reason to be online, either. Webroot found that some 50 percent of SMBs engage in some kind of online payment transaction. “Given that so many [SMBs] are online and dependent on the Internet, they face many of the same threats as the very largest organizations do. They’re basically unprotected. Employee data, credit card transactions — they’re extremely valuable, and far more likely [to be stolen from SMBs] because you don’t have the resources larger organizations do to devote to this,” Watkins said.

Despite their dependence on their online presence, and given the nature of attacks being made against them, SMBs have potentially dangerous misperceptions of what their vulnerabilities are. Most SMBs rate viruses as being of particular concern, Webroot found. SMBs are at greater risk, however, from spyware and Trojans. These two classes of malware are among the most highly reported infections in Webroot’s survey, but fewer than 50 percent of respondents consider spyware a very or extremely serious threat.

Webroot points to the 2006 Annual Report of the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center. According to that report, of all the fraudulent acts reported in 2006, 73.9 percent used e-mail as the mechanism of contact, and 36 percent used a Web page.

SMBs are worrying about the wrong things, Webroot maintains. The survey found that some 80 percent of U.S. SMBs rate employee errors, insider sabotage, or data theft as very or extremely serious threats, yet 40 to 60 percent lack a policy or technology to restrict or monitor employees’ personal use of work computers.