Many of today's small businesses use PCs and a server network to facilitate their operations. Important company information is stored in electronic format on these networks, and daily operations are dependent on the network being both available and secure. In many cases, these small businesses ignore or are unaware of the risks that could compromise the safety of the data. To better understand these issues, two hundred of these small businesses were interviewed about their network security. Companies ranged from those with ten employees or less, to those with over a hundred staff members.
Over half of the survey respondents believed that their network was adequately safe or very secure. A large number of respondents did admit that they doubted their defenses against an attack. This isn't too surprising, as nearly all businesses have experienced some type of security threat in the last year, from lost computers or back-up takes, hacker attacks, viruses, or theft by employees.
The top three threats reported were:
1) Trojan horse or virus attacks
2) Stolen or lost computers, including data storage devices
3) Employee theft or hacker attack
Company defenses reported include:
1) Virus Protection
2) Firewall
3) Spyware Protection
4) Spam Filters
Recommendations:
Most companies reported that they lacked a smart password policy, automated patch management, and employee network use policies. Generally, many of these businesses don't have full protection against an attack, and have not yet had to put their defenses to the test.
There isn't one single fix to ensure secure continuity of operations on a network. However, we recommend a layered approach in managing these pressing security threats. This layered approach examines vulnerability in different areas including hardware, software, processes, and training. Every layer added another level of protection to the information environment.
1) Blocking network-based attacks
2) Blocking host-based attacks
3) Eliminating vulnerability
4) Supporting authorized users safely
5) Tools for maximizing effectiveness and minimizing losses
To assure the continuity of your business operations, regular testing of these security measures is required.
Level of Overall Security:
Over half the respondents stated that they thought their network was secure enough or better. 30% of the remainder thought their network was only somewhat secure, and over 10% confided that their network was not as secure as it should be.
These small businesses tend to believe that their network is relatively secure: 63% of businesses with less than ten employees and almost 75% of those with between eleven and twenty-five staff members. The larger companies were not as sure of their defenses, with over half of those with fifty to one hundred and 44% of those with over a hundred employees felt secure or secure enough. In the fifty-one to one hundred staff category, over 20% reported that the network was not as secure as should be. In general, the bigger the company, the larger the network - and the greater the number of security risks it must defend against.
Experienced Threats:
The respondents reported on security lapses or attacks that they'd experienced over the last year. The survey showed that Trojan horses or virus attacks are the most common threat to the network, with about half reporting experiences with these issues in that time. The larger companies reported at 40%, the lowest rate, which is indicative of better defenses. Over 60% of the smallest companies reported virus-based attacks. Loss of company information from theft or loss of storage devices appeared to be a minor threat for smaller companies, but this risk increases with company size. Over 33% of the larger firms reported this sort of experience. Hacker attacks were most often experienced by firms with less than ten employees and those with over a hundred. It seems the smaller networks are more vulnerable, and the largest ones are high-profile, with a greater chance of becoming a target. Unfortunately, staff members can create a security risk themselves; about 10% of businesses reported that they had experienced unauthorized access or theft in the allotted time frame.
Devices and Procedures:
Good procedures, processes and systems can help defend against security threats. In the survey, respondents were asked which security methods were in use. Most reported that they had virus protection and firewalls. Around 25% lacked spam filters and spyware removal, leaving networks open to malware which ranges from dangerous to annoying. Under 50% have patch management or a smart password policy in place. This smart password system uses passwords with a mixture of normal and special characters which are frequently changed. As compared to the largest companies surveyed, smaller businesses are less-often implementing network use policies for employees. Over 80% of the larger companies have defined guidelines for proper and improper network use. These guidelines attempt to lower the amount of network activity unrelated to the business, which result in increased security risk. Many of the respondents use wireless networks. Wireless networks are some of the most vulnerable access points if not well-secured. Only a few companies reported that they use all the top-priority security measures listed in the survey.
Testing:
No security device or feature can be known to provide real defense until it's been tested. Anti-virus specifications could be out of date, a hole could exist within a firewall, or staff members could not be using the correct practices for a safe and secure network. About 25% of respondents indicated that either they couldn't remember the last time they tested their security, or didn't know that they ever had. This seems to indicate that while many have implemented security defenses, they can't be assured that the expected protection is actually provided. The very smallest companies least-often tested their security measures. About 10% of businesses had tested security, but not for over a year. As the threats change over time, dangerous lapses can occur without periodic testing. Around 33% of respondents reported that they'd tested their security measures within the last month. Validation of network security elements on a regular basis is important to system integrity in an overall continuity plan. It is unfortunate that usually a company only examines its level of exposure after a damaging event which negatively affects the business.
Nick Pegley is a marketing expert with All Covered: Technology Services Partner for Small Business, providing information technology consulting and IT services in 20 major U.S. metro areas. Outsource your procurement, installation and technical headaches..
