CYBER ATTACK – 87% of small businesses are being targeted from the Internet

He is after you too and you are an easier target.

Everyone thinks it’s only the big businesses that are attacked on the Internet. In fact earlier this year, the Department for Business, Innovation and Skills (BIS) reported that 93% of large businesses fell prey to a cyberattack in 2012.

The successful attacks hit the headlines, but what about small businesses, that is, those from 200 employees down to the self-employed?

Before we do that, read the last sentence again. The successful attacks are unseen until the details are posted on the Internet. Most breaches aren’t detected until it’s too late, so bear that in mind while you have the complacent smile. Have you checked your PayPal account and credit card statements? Everything under £100 is not covered by card insurance, and most people don’t check the small amounts. Now you are thinking, read on…

Well, small and medium-size businesses (SMBs) also suffered, with 87% being targeted – up 10% from the previous year.

Now, the reasons why SMBs are at risk have been examined in detail in a recent Sophos-sponsored report by the Ponemon Institute.

The report – The Risk of an Uncertain Security Strategy – surveyed over 2,000 IT security managers within organisations employing up to 5,000 people.

Given the job roles of the respondents, some of the findings are quite staggering:

44% said that a strong security policy is not a priority.

58% claim management do not see cyber attacks as a significant threat.

Other barriers to implementing an effective IT security strategy were also identified with 42%, unsurprisingly perhaps, citing a lack of budget as a large factor. Another major issue identified by the survey was a lack of skilled personnel.

Other findings in the Ponemon report are even more concerning.

Considering the fact that respondents in the survey are all responsible for managing the security function, I find it quite alarming that 1 in 3 admitted that they did not know whether their organisation had been subjected to a cyber attack in the last twelve months. Such a lack of knowledge would seem to suggest a deficiency either in the monitoring and reporting of incidents or with the IT management itself.

Also, the Ponemon Institute discovered that those in more senior positions seemed to have the least knowledge of the threats posed to their business, which is again a concern as they are likely to be the decision makers who would deem whether a particular threat should be a priority or not.

Interestingly, 31% of the individuals surveyed said that there was no particular person within their company with responsibility for making security decisions. You wonder who has the job of issuing keys or turning the alarm on and off.

Another discovery was that SMBs struggle to assign a monetary value to information assets. If an organisation does not apply a cost to its assets then how can it determine their value and, hence, the appropriate level of security protection to apply to it?

The topic of mobile devices was of concern to the individuals surveyed, especially given the widespread adoption of BYOD which they reported. Many respondents said that their organisations are planning to invest in technologies to reduce BYOD risks as a result.

51% of respondents did not equate regulatory compliance with a strong security position, given that remaining compliant shouldn’t be the goal and rather should be a by-product of good security.

So what can SMBs do to improve their knowledge of cyber threats?

  1. Proactive monitoring, detection and reporting on threats to enable quick and incisive decision making.
  2. The establishment of mobile and BYOD policies.
  3. Where in-house security resources are limited, better planning, consultants and easily managed resources can help to free up the organisation’s information professionals.
  4. Costing of information assets and downtime so that senior management can invest in cost effective solutions to protect them.
  5. Working with the higher echelons of management within the business in such a way that they place a higher priority on cyber security.

 

 

 

 
