Internet connectivity has become an imperative for U.S. small businesses, yet most companies lack formal policies for Internet security and even fewer have contingency plans in the event of a security breach that could expose payment-card and other data, according to the results of a survey conducted by the National Cyber Security Alliance.
Two-thirds of respondents said they’ve become more dependent on the Internet over the past 12 months and 55% said that losing Internet access for 48 straight hours during a regular business week would be disruptive to their business. In addition, 38% said such a connectivity outage would be “extremely disruptive.”
Still, 87% of small and medium-sized businesses do not have a formal, written Internet policy for employees. Despite this, an almost equal proportion of respondents (86%) believe they are doing enough to protect consumer and employee data.
Those attitudes reflect a deeper issue among SMB owners, according to Ellen Richey, Visa’s global head of enterprise.
“They don’t feel as if they’re targets…there’s an awareness challenge there,” she said during a panel at an NCSA forum in New York, where the survey results were released on Monday.
In reality, small businesses are four times more likely to be the target of hackers, said Laura Garcia-Manrique, another panelist and the vice president of SMB customer experience at Symantec, which co-sponsored the survey.
“There is a misconception where small businesses think they won’t be a target of an attack,” Garcia-Manrique said.
In the aftermath of breaches like the attack earlier this year on card processor Global Payments that may have exposed millions of cards to hackers, data security standards have become the subject of legislative proposals in Congress. Monday’s forum was held to promote October as National Cyber Security Awareness Month, an annual initiative started in 2004 by the U.S. Department of Homeland Security and the nonprofit NCSA.
The survey was conducted in late September to analyze the cyber security practices of companies with 250 or fewer employees. When asked about the impact of a data breach, 47% of respondents said they believe it would be viewed as an isolated incident and have no negative impact. But according to the NCSA, many SMBs fail after a data breach.
The survey also showed most SMB owners aren’t prepared to handle a security breach, with 59% of respondents reporting they do not have a contingency plan outlining procedures to respond to and report a data breach, such as the loss of customer and employee information, credit/debit card data or intellectual property.
Richey added that while Visa has an extensive effort to educate small businesses about Internet and data security, only 57% of companies were aware of the card network’s resources about voluntary payments data standards.
Further complicating matters is a perception among many small business owners that the effort required to maintain sound data integrity practices outweighs the benefit of cyber security. Richey said that while 90% of data breaches on the Visa network occur at small businesses, there’s a mindset that security is getting in the way of business.
“What you have to do is difficult to accomplish,” is a common attitude toward data integrity among many business owners, she said.