Very small businesses, including private enterprises and companies with fewer than 25 people involved, are the foundation of the economic structure of the developed and of many developing countries without restrictions on free enterprise. According to the analysis by the IDC, today there are about 80 million businesses with fewer than 10 people on their staff, a few million more companies are comprised of about 10-20 employees.
In most cases these businesses are not too concerned about the presence of information technology specialists on the staff for both objective and subjective reasons. Only 35% of these companies, according to a survey by B2B International, have an IT specialist on their staff, 20% employ occasional system administrators. Another 20% of small businesses prefer to rely on the expertise of their own employees no matter how imprudent such an approach is.
There are several reasons for that. Start-ups are interested, first of all, in their output and the possibilities for selling their product. Small businesses usually decide to protect their own infrastructure after an incident has occurred. Before that, IT security is not the priority for business owners at all.
Meanwhile, a VSB has even more of a need for IT protection than representatives of larger business. Many businessmen believe that small companies are of less interest to hackers than large ones. But it is a myth; the reality is exactly the opposite. Attackers are well aware of the fact that small businesses are usually less protected. And as a rule there is something to steal, especially if the company processes and stores other people’s personal data.
According to the 2013 Data Breach Investigations Report by Verizon, 193 of 621 incidents (over 30%) occurred in companies with fewer than 100 employees.
According to the survey of main corporate risks in summer 2013 by B2B International and Kaspersky Lab a successful attack at the company’s IT infrastructure may result in $36,000 worth of damage. This amount is a sum of lost business opportunities, the fee of experts invited to cope with the situation, and the cost of new equipment. Small companies may find themselves on the verge of bankruptcy after that.
Essentially, no company that applies information technologies for work (even though there are just a few computers for receiving orders, bookkeeping and emailing customers and suppliers) may be considered “too small to be noticed” by hackers. If a company has something to offer to potential clients then cybercriminals are also ready to show their interest, whether it is intellectual property, the personal data of customers with access to their bank accounts, etc. If your company processes other people’s personal information it should be encrypted, otherwise the only matter of its leaking is time.
Providing IT security must be a part of the business plan along with developing products or offering services, defining the target market and forming the material base. Unfortunately, this approach is still very rare.