According to a Kaspersky Lab survey of businesses worldwide, very small businesses (VSBs) with fewer than 25 employees are the least likely to view “IT Strategy” as a top strategic concern. Only 19% of VSBs worldwide reported IT Strategy as one of their top-two strategic concerns, compared to 30% of businesses with more than 100 employees, and 35% of enterprises with 5,000 employees or more. Alarmingly, this often-neglected business category includes internet and data security policies.
These survey results, found in Kaspersky Lab’s 2014 IT Security Risks summary report, illustrate a key challenge for VSBs. An effective IT strategy is a vital component of any successful business, and if managed properly, can enable a small business to accomplish big things. But the reality is that VSBs, which are often startups struggling to establish themselves, most often don’t have the money or IT expertise to properly implement vital IT components like security software. A new business owner will most likely pour all their resources into growing the sales of their core product or service, since investments in business infrastructure are meaningless if the business itself fails. But at what point should a VSB begin building an IT and security plan for the future, and what are the potential consequences if they wait too long?
According to IDC estimates, there are approximately 80 million businesses worldwide that operate with fewer than 10 employees. Many of these businesses adopt the “security by obscurity” mentality, believing that they are too small to be targeted by cybercriminals and don’t have any data that cybercriminals would want. But Verizon’s 2013 Data Breach Investigations Report, which includes data from worldwide forensic investigations, found that of the 621 data breaches analyzed, 193 breaches – more than 30% – occurred at companies with 100 or fewer employees1. It is reasonable to assume that VSBs make up a sizable portion of these victims.
Business owners must understand that as soon as they begin processing credit card payments, storing customer information, or even creating plans for new products, they possess information that is valuable to cybercriminals. In fact, some cybercriminals may prefer these “soft targets” that are known to have poor IT protection. The resulting payoff for each victim attacked is smaller, but it can require less effort for the cybercriminal to successfully attack numerous VSBs instead of a single larger business. However, a key difference is larger businesses will have the funds to recover from an IT security incident, but costs of lost customer data, significant time spent offline, and associated clean-up expenses can add up to thousands of dollars depending on the type of incident, and be enough to drive smaller business to bankruptcy.
According to Kaspersky Lab’s survey, VSBs understand the dangers of online threats. When asked about their top concerns associated with business IT, 35% of VSBs ranked “Data Protection” among their top-three choices, the highest ranking amongst all business segments (26% of medium-sized businesses included “Data Protection” among their top-three choices, and 29% of enterprises did the same). For the same question, VSBs also ranked “Ensuring Continuity of Service for Business Critical Systems” as a top-three IT department concern at a rate comparable to larger businesses (only 2% less than the total average). Clearly, VSBs are aware that their IT strategy plays a vital role in protecting sensitive data and keeping their daily business operations from being crippled by malware and cybercriminals.
Also, VSBs are well-informed about the benefits – and security risks – of using mobile devices within their businesses. 34% of VSBs reported integrating mobile devices into their IT systems within the past 12 months, a rate of adoption that is nearly identical to larger businesses (32% of large businesses reported adoption of mobile devices, along with 35% of enterprises). Moreover, VSBs are actually leading the charge in mobile device security awareness. 31% of VSBs listed “Securing Mobile/Portable Computing Devices” as one of their top-three IT security priorities for the next 12 months. This number seems surprisingly high compared to the global average of 23% of all businesses that have prioritized future mobile device security for the coming year. It seems this data disputes any claims that VSBs are less savvy about mobile device usage or mobile security risks than their larger competitors.