Global Study Identifies SMB ‘Security Gap’

Call it the SMB security gap.
A new study from Symantec finds that while small and midsize businesses are acutely aware of today’s security risks, a large number have yet to take even the basic steps needed to protect themselves. Further, the study shows that simple protection measures could have prevented many of the security breaches reported by these companies.
According to the study, based on surveys of 1,425 SMBs worldwide (defined as companies with 10 to 500 employees) in the first quarter of 2009, the lack of a dedicated IT staff and tight budgets were the main reasons for the lack of action. Respondents also cited a lack of employee skills as a top barrier to security.
The study finds that SMBs have no illusions about today’s risks. Asked how concerned they were about a wide range of security issues, from spam to data breaches to insider attacks, respondents consistently described themselves as “extremely” or “somewhat” concerned.
So what does it mean to say that SMBs have yet to take the basic steps to protect themselves? According to the study:
  • 59% of respondents said they have no endpoint protection (i.e., software that combines antivirus with advanced threat protection technologies such as desktop firewall and intrusion prevention for laptops, desktops, and servers).
  • 47% do not back up their desktop PCs, leaving their important information at risk.
  • 33% lack even basic antivirus protection.
What were the leading causes of the security breaches that these SMBs experienced? The reasons most frequently cited were:
  • system failure
  • a lost or stolen laptop, smartphone, or PDA
  • human error
  • the loss or theft of backup tapes or devices containing sensitive data
  • the use of improper or out-of-date security solutions.
Looking ahead, half of the respondents said they plan to increase their IT security and storage spending in the next 12 months even in these tough economic times, while 41% said their budgets would remain the same.

Narrowing the security gap

With security threats becoming more complex and targeting critical business information such as confidential documents and customer data, it is becoming increasingly apparent that SMBs need a higher level of protection. Antivirus security products are simply no longer adequate. SMBs today require protection against new kinds of spyware, malware, and spam.
In addition, SMBs must ask themselves whether the way they back up critical information is sufficient to protect them from system failures, disruptions, and data loss. A recent survey of SMBs by Rubicon Consulting found that, of the companies that lost data, approximately 30% subsequently lost sales, 20% lost customers, and 25% claimed the data loss caused severe disruptions to the company. The same survey found that about 20% of the SMBs interviewed conduct no server backup whatsoever.
So what can SMBs do to narrow or close today’s security gap? Symantec recommends the following steps:
  • Stay informed. Familiarize yourself with published threat reports about the security landscape. The Symantec Internet Security Threat Report is a great way to stay informed on current and future trends and threats. The State of the Data Center Research Report and the Underground Economy Report should be consulted as well.
  • Use trusted advisors for needed expertise. Trusted advisors such as IT consultants or resellers help businesses match their IT needs with appropriate solutions. This is especially important when reduced staffing is an issue.
  • Use layered security. Employ defense-in-depth strategies to guard against a single point of failure in any specific technology or protection method. This includes the deployment of antivirus and antispam software, firewalls, intrusion prevention technologies, device and application control, and security patch updates.
  • Protect end to end. SMBs must actively protect all their devices against unknown threats, including laptops, desktops, messaging servers, and mobile devices.
  • Back up data. IT systems can be brought down for a number of reasons, including natural disaster, human error, hardware failure, etc. It is critical to back up data regularly and store extra copies of this data offsite. Encrypting those backup stores adds an additional layer of protection.
  • Protect from the inside. Protect your company from data loss, random theft, vandalism, and employee malice. Put policies and controls in place to automatically safeguard company data and prevent sensitive information from leaving the company network.
  • Don’t forget physical security. SMBs can strengthen their organization’s security with practices such as using the screen-locking feature when away from the computer, shutting the computer off when done for the day, locking laptops with a cable, and not leaving passwords on sticky notes next to the computer.
With over 25 years of experience in security and backup and recovery, Symantec offers advanced security and availability technologies. Symantec’s newest security offering, Symantec Protection Suite, is the only suite in the market today that brings together comprehensive security for laptops and servers, messaging security, and backup and recovery. Symantec’s integrated solutions deliver proven protection for business information and computers; they help defend against aggressive new malware and spam threats, and back up and rapidly recover computers and information in the event of a problem.


Small and midsize businesses clearly grasp the importance of security risks today. But in too many cases they are not acting to protect themselves. Basic safeguards are not in place, putting information at risk.
Symantec Protection Suite combines industry-leading security solutions for information backup and recovery to secure SMBs’ systems and back up their data comprehensively. With Symantec Protection Suite, SMBs can do business confidently, knowing their information is protected.