More than half of all small and medium businesses suffered a cyber attack in the past year, proving once again that it’s not just the big guys hackers have in their sights.
According to a new study by the Ponemon Institute, 55 percent of SMB respondents said they experienced a cyber-attack in the past 12 months, with the most prevalent attacks against smaller businesses being web-based and phishing/social engineering.
Employees continue to be the weakest link, with negligent employees or third parties causing the biggest headaches (41 percent).
Alarmingly, almost one-third of companies in this research could not determine the root cause of the attacks they experienced.
It doesn’t have to be that way. The cost of implementing and managing a multi-layered security solution is well within the reach of most smaller organizations. And it’s significantly less than the cost of a data breach, which for a small business averages more than $40,000 per event.
Most organizations are still slow to make IT security a priority from the top down. Maybe that’s because 35 percent of survey respondents say no person or functional title in their company determines IT security priorities.
Contributing to the problem is the fact that small businesses often don’t have the resources or technical know-how to protect against data theft. More than half of small businesses do not have regular access to security experts, and two-thirds have no training or certification in security. A study by Spiceworks that polled more than 600 IT specialists in the US and the UK found that 59 percent of businesses with fewer than 500 employees had no access to a security expert, whether internally or through a third-party contractor or managed security provider. (The big guys, those with more than 500 employees, aren’t doing all that much better – a third of them also state they don’t have access to security expertise.) And when companies have a limited IT staff, or even a “one-man shop” IT department, security winds up on the back burner.
According to the Spiceworks report, only 29 percent of companies have a cyber-security specialist in the IT department, and a paltry 9 percent expect to hire one in the next 12 months. Increasingly, outsourcing is filling the gap: another 23 percent of respondents use an outside contractor or managed security service provider for cyber-security expertise, and 13 percent expect to hire a third-party expert in the next 12 months.
But more IT staff alone won’t get the job done. Security needs to be a centralized priority for all organizations, big and small. A holistic, multi-layered approach that includes better technologies, improved security policies and processes, and employee awareness and training is absolutely critical.