Why small businesses need to get serious about information security

by David Levine

It seems that many small businesses have a “bigger fish to fry” mentality concerning information security.

Small and midsize businesses (SMBs) tend to think they’re safe from data security threats because hackers and digital criminals surely must have more to gain from targeting large firms, financial institutions and corporations.

Unfortunately, they couldn’t be more wrong. In fact, small and midsize businesses are quickly becoming hackers’ favorite targets — precisely because SMBs believe they’re not in any danger.

SMBs unprepared

In a way, “small” business is a misnomer. SMBs account for half of GDP [1] in the U.S., and nearly 60 percent of GDP in many European and Asian nations. And the customer information and financial data they possess and process are just as vital and valuable as they are in any large organization. The customer whose data is exposed isn’t going to care how large the breached company was.

Yet, according to a white paper [2] by the cyber security firm FireEye, assets possessed by SMBs are startlingly vulnerable:

  • 60 percent of SMBs don’t consider cyber attacks a big risk
  • More than 40 percent [3] lack a sufficient IT security budget
  • A mere 36 percent [4] have data security policies

There is a combination here of wishful thinking and practical limitations. On the one hand, SMBs tell themselves a harmful breach won’t likely happen to them. On the other, even if they do respect the danger, they don’t have the resources to mount an adequate defense.

As FireEye says, “Small and midsize businesses are facing the same cyber threats as large enterprises, but have a fraction of the budget to deal with them.” At a small company, IT duties might fall to someone whose primary role is something entirely different; that person ends up handling the company’s tech because, well, someone has to. Even when there is a dedicated IT staff, it can be just one or two people, charged with everything from fixing the faulty Wi-Fi to keeping all company software up to date to making strategic plans for the company’s data foundation. And with a massive to-do list like that, defending against data-stealing robots and unseen criminals on the other side of the world may not seem like a top priority. Not to mention the skill set required — large companies have a difficult enough time finding and retaining top-notch security resources, let alone an SMB.

This is the situation cyber criminals are keen to exploit. Global digital security firm Symantec reports [5] that 31 percent of the victims of cyber attacks in 2012 were businesses with fewer than 250 employees — triple the number of attacks on SMBs in the previous year.

The writing is on the wall: If they rely on wishful thinking or meager protection, small and midsize businesses simply will remain unsecure and prime targets.


Partners can help

The first step for every small business is to understand and accept the risk: Breaches are definitely possible — you might even think of them as inevitable — and preparation is absolutely necessary. The next step is to assess your data security capability. Do you have the staff and budget to make security a priority? And can you keep track, in the midst of your ongoing work, of software patches and antivirus updates? New breeds of malware emerge every day — is your security platform equipped to detect them?

It takes powerful, skilled and high-demand resources along with steady monitoring and maintenance to confront today’s threats. For businesses that find it hard to carry the security load on their own, an outside partner in IT services can be a critical resource. A Managed Security Services Provider (MSSP) can handle round-the-clock network monitoring and crucial patches and updates — precisely the kind of IT work that can easily fall through the cracks (even at large companies). With an MSSP on the job, small businesses don’t need to become IT experts. A third party can leverage its expertise to find security solutions that fit a company’s needs, allowing the owner and staff to focus on the duties and ambitions that make the business one worth protecting in the first place.

Investing in a partnership can be less expensive than doing it all in-house — and it’s certainly less expensive than doing nothing and letting your data walk right out the door. On average, an SMB loses more than $8,000 per online data breach [6], and, according to National Cyber Security Alliance and Symantec, 60 percent of SMBs that suffer data breaches end up closing their doors within six months. These are consequences that no business — especially a small one — can afford.

Strengthen IT security for your small-to-midsize business

Start the conversation about how you can increase data protection for your small or midsize business before it's too late.

David Levine

David Levine, Vice President of Information Security & CISO for Ricoh USA, Inc., helps customers limit risk and enhance their information security. Levine’s areas of expertise include operational security, access management, eDiscovery and litigation support, and HIPAA compliance. An avid auto racer, Levine holds a Bachelor of Arts degree in Information Systems with minors in Computer Science and Business from Eckerd College.

[1] David C. Michael, Neeraj Aggarwal, Derek Kennedy, John Wenstrup, Michael Rüßmann, Ruba Borno, Julia Chen and Julio Bezerra, "Lessons on Technology and Growth from Small-Business Leaders." The Boston Consulting Group, October 5, 2013.
[2] "Big Threats for Small Businesses: Five Reasons Your Small or Midsize Business is a Prime Target for Cybercriminals." FireEye, Inc., 2013.
[3] "The Risk of an Uncertain Security Strategy: Study of Global IT Practitioners in SMB Organizations." Ponemon Institute and Sophos, November 2013.
[4] "America's small businesses must take online security more seriously." National Cyber Security Alliance and Symantec, October 25, 2012.
[5] "Internet Security Threat Report 2013." Symantec, April 2013.
[6] "Report: Small Business Owners Don’t Prioritize Threat of Data Breach." My Digital Shield, June 24, 2014.