Small to medium-sized businesses (SMBs) are rolling the dice and putting their organizations at risk because of uncertainty about the state of their security, a new report said.
Senior management is failing to prioritize cyber security, which is preventing them from establishing a strong IT security posture, according to the Risk of an Uncertain Security Strategy study conducted by Ponemon Institute.
Of 2,000 respondents surveyed globally, 58 percent confirmed management does not see cyber attacks as a significant risk to their business. Despite this, IT infrastructure and asset security incidents, as well as wider security-related disruptions, ended up costing these SMBs a combined average of $1,608,111 over the past 12 months.
The research also found that the more senior the position of the decision maker in the business, the more uncertainty there was surrounding the seriousness of the potential threat.
The idea of “we are so small no one will notice us” seems to be prevailing.
According to the research, there are three main challenges preventing the adoption of a strong security posture: failure to prioritize security (44 percent); insufficient budget (42 percent); and a lack of in-house expertise (33 percent). Because SMBs are small, there is also no clear owner responsible for cyber security, which often means it falls within the purview of the CIO.
The study also reveals uncertainty around whether BYOD and the use of the cloud are likely to contribute to the possibility of cyber attacks. Seventy-seven percent of respondents said the use of cloud applications and IT infrastructure services will increase or stay the same over the next year, yet a quarter of those surveyed indicated they did not know if this was likely to impact security.
Similarly, 69 percent said mobile access to business-critical applications would increase in the next year, despite the fact that half believe this will diminish security postures.
“Small and midsize organizations simply cannot afford to disregard security,” said Larry Ponemon, president of the Ponemon Institute. “Without it there’s more chance that new technology will face cyber attacks, which is likely to cost the business substantial amounts. CIOs are under pressure to implement new technology that informs agile and efficient ways of working, but this should not take precedence over security. The industry needs to recognize the potential dangers of not taking cyber security seriously and create support systems to improve SMB security postures.”
The study targeted SMBs in the United States, United Kingdom, Germany and Asia-Pacific (Australia, India, China and Singapore) to better understand how such organizations are managing security risks and threats. Key findings of the study include:
• Fifty-eight percent of respondents say management does not see cyber attacks as a significant risk.
• One-third of respondents said they are not certain if a cyber attack has occurred in the past 12 months. Forty-two percent of respondents said their organization had experienced a cyber attack in the past 12 months.
• Respondents in more senior positions have the most uncertainty about the threats to their organizations, indicating that the more removed the individual is from dealing with security threats on a daily basis, the less informed they are about the seriousness of the situation and the need to make it a priority.
• CISOs and senior management are rarely involved in decisions regarding IT security priorities. While 32 percent say the CIO is responsible for setting priorities, 31 percent say no one function is responsible.
• Forty-four percent of respondents report IT security is not a priority. As evidence, 42 percent say their budget is not adequate for achieving an effective security posture. Compounding the problem, only 26 percent of respondents say their IT staff has sufficient expertise.