An article published yesterday in Business Week argues that Cyber Criminals are targeting small business. The article suggests that small businesses make easy, or easier targets than larger enterprises because small businesses typically cannot allocate the same amount of money and time to information security as large companies. The negative impact of a smaller resource pool is compounded by the fact that small businesses have historically taken a reactive approach towards information security. 

The 2005 Small Business Information Security Readiness Study by the Small Business Security Institute (SBCI) found that small businesses, as a whole, were lacking fundamental information security protection. Of the 1,000 businesses surveyed, 20% had no virus or spam filtering and 60% did not have any encryption on their wireless networks. The authors also found that small firms that allocated a proportional amount of their IT budget to information security were adequately protected…an interesting correlation is found in the fact that businesses with the best protection were also businesses that previously suffered a security breach.

SBCI is planning another study for 2007, but they maintain the statistics found in the 2005 study represent what is occurring in the market.

 How can small businesses ensure that they are protecting their information and infrastructure from malicious attacks?

1) Allocate an adequate amount of resources ($) to proactively protect information- As a rule of thumb, small businesses should expect to spend approximately $200 per month, per user for information security. The amount spent on security should rise every year in proportion with the amount spent on new IT hardware (PCs, Laptops, Servers etc.) and software.

2) Continuous Administrator education on threats- Protect against threats at the network and hardware levels, but avoidance information should always be passed down to the user base. Users are notoriously undereducated on how to avoid security breaches…especially phising scams and other social engineering scams designed to deliver web based malware.

3) This is related to 2 above…lock down your perimeter(s)- Email Filtering, IM Filtering, Web Filtering, Wireless Network Encryption and Mobile Messaging Protection should all be robust and employed at all entry points.

4) Be ready- Remember, it is far cheaper and far easier to have a proactive info security policy than it is to recover from a breach.

5) Back up critical data offsite. Most authors do not present data backup as a security issue…but it is (in fact, it is more than a security issue, but it definitely intersects with security). If there is a breach (or natural disaster for that matter), you need to know that your data is safely backed up and easily accessible somewhere far from the reach of the Cyber Thugs.

Don’t become a small business info. security statistic.