Risk of an Uncertain Security Strategy, conducted by Ponemon Institute and Sophos, interviewed 2,000 worldwide respondents in SMBs and revealed that 58 percent believe management does not see cyber attacks as a significant risk.
Despite this, IT infrastructure and asset security incidents, as well as wider security-related disruptions, were found to have cost these SMBs $1,608,111 on average over the past 12 months.
One third of respondents said they did not know if a cyber attack had occurred in the past 12 months, while 42 percent said their budget was not adequate for achieving an effective security posture.
“The scale of cyber attack threats is growing every single day,” said Gerhard Eschelbeck, Chief Technology Officer, Sophos. “Yet this research shows that many SMBs are failing to appreciate the dangers and potential losses they face from not adopting a suitably robust IT security posture.
“Today in SMBs, the CIO is often the only information officer, managing multiple and increasingly complex responsibilities within the business. However, these “OIOs” can’t do everything on their own and as employees are demanding access to critical apps, systems and documents from a diverse range of mobile devices, it would appear security is often taking a back seat.”
According to the research, there are three main challenges preventing the adoption of a strong security posture: failure to prioritise security (44 percent); insufficient budget (42 percent); and a lack of in-house expertise (33 percent). In many SMBs there is also no clear owner responsible for cyber security, which often means it falls into the purview of the CIO.
Sophos recommends that:
• Organisations concentrate resources on monitoring their security situation in order to make intelligent decisions. While assessing where they stand on the security continuum, organisations need to focus on monitoring, reporting and proactively detecting threats.
• Establish mobile and BYOD security best practices. Carefully plan and implement a mobile strategy so that it doesn’t have an impact on the overall security posture.
• Organisations should look for ways to bridge the gap created by a shortage of information security professionals. Consider ways to free-up time for in-house resources, including a move to cloud technologies, security consulting and easy-to-manage solutions.
• The cost of cyber attacks should be measured, including lost productivity caused by downtime. Work with senior management to make cyber security a priority and invest in solutions that restore normal business activity more quickly for a high return on investment.