The majority of Canadian small and medium businesses (SMBs) may be too confident about their security against Internet breaches, a recent study by Trend Micro Canada suggests.
“I don’t think we found out anything that was really shocking, but I think it confirmed some suspicions we had,” said Ian Gordon, director of marketing and channel for Trend Micro Canada. Of the SMBs surveyed, 61 per cent called their security measures “adequate or better,” with 19 per cent calling it “state of the art,” according to the survey results.
“We’ve been in Canada for a little while, but we didn’t think we really understood what small and medium businesses thought about internet security,” Gordon said. So, the company launched its first study of SMB attitudes toward their Internet security, a telephone survey conducted in late May of businesses with fewer than 500 employees. For this study, Trend defined Internet breaches loosely, including malware attacks or any other scenario where company information could have been stolen, according to Gordon.
Among SMBs who had experienced security breaches, there was naturally a better understanding of the consequences, Gordon said. About 12 per cent of SMBs have experienced breaches, according to Trend Micro.
But since so many hadn’t experienced any problems, they generally weren’t as afraid. Among those that have not been victimized, the potential consequences are downplayed with only 58 per cent assuming major loss of time and productivity is “very or somewhat likely,” according to the survey results. “You never think your house is going to get broken into or your car’s going to get stolen,” Gordon said. “I think the same thing happens in security.”
“It’s clear to us that they’re relying a lot on their resellers,” he added, so education coming from the channel will have an impact on these SMBs’ attitudes. “We need to make sure that we’re spending time with some of our smaller resellers who might not get as much of our attention,” he added.
It’s also important for resellers to point out that security is not really insurance, but more prevention, he said. “We buy insurance to protect our homes and our cars and our lives against an event that could create loss. If you buy good security products, you can stop it from happening in the first place.”
Cost sensitivity has always been an issue, but now, convincing SMB customers to invest in the right security is even more challenging with so many free options out there, said Jeff Jackson, principal consultant with Vancouver-based Acumen Technologies, Ltd., a Trend Micro partner.
“When you have a small organization that’s more of a start up, they’re very much into using tools that are free,” Jackson pointed out. “They are aware of security risks, but we are seeing that the financial part of this is really clouding some of the judgment.”
Software-as-a-service (SaaS) cloud offerings for security can be appealing to SMBs for that reason, according to Jackson, since companies can save money and manpower by outsourcing their security and having someone else worry about it. “We really need the technology community to have more awareness of the cloud and provide those services at a reasonable rate,” Jackson said.
There is a prejudice that attackers only go after large companies, said Martin Lee, a senior software engineer with Symantec Corp. based in the U.K. “In fact, it’s not true,” he said. Symantec has pointed out that SMBs are actually vulnerable to targeted attacks. “There is evidence that the attacker actually knows in advance which computer they wish to infect,” Lee said. In fact, 40 per cent of targeted attacks since 2010 have been on SMBs, according to the company.
“Some SMBs are really at the forefront of innovation and high tech industries,” he said. They may hold intellectual property or information that is valuable to a hacker, he said. Or, because many SMBs consult with larger corporations or government, they can be seen as an entry-point for valuable information.
“They are seen as the weak point or point of attack to another organization,” Lee said. “It’s very important for SMBs to consider their security and also to consider that they’re not immune from the high profile attacks that are making the news.”
Using recent high-profile attacks is actually a way to help SMBs understand risks, Jackson said. “We never used to hear about security breaches,” Jackson said, but the prevalence in the media has actually helped the cause for convincing SMBs to improve their security. “Using those examples and really educating customers into cyber crime is a very important piece.”