thinksecurityfirst.us

Neal O'Farrell, founder of Think Security First!

I’ve been a small business owner for nearly thirty years, and got my first taste of the world of small business from our family business started in 1919.

My small business of choice happened to be information security, and for that last three decades I’ve seen some major changes. One change that I’ve long wished for but not yet seen is a willingness by small business owners and entrepreneurs to make security as big a priority as profit.

After three decades as a small business owner and a security professional, I think I’ve earned the right to speak honestly and openly about the state of small business security. And what a state.  Most experts like me seem to agree that America’s small business owners are not doing enough to protect themselves, their employees, and their customers from the threats of cybercrime and identity theft.

Furthermore, unprotected small business computers could pose a significant threat to national security if they become infected by bots and botnets.

According to a recent study by security firm Symantec, a third of the estimated 27 million U.S. small businesses don’t even have basic virus protection in place, and a 2009 study by CompTIA found that half of all small businesses don’t provide any security awareness training to their employees.

With so many unprotected computers in the hands of so many untrained employees, small businesses are an easy target for bots. The unique danger of botnets is that not only can they steal business and customer data from small businesses, they can use the same infected computers to attack other computers, web sites, and even the nation’s infrastructure.”

There are an estimated 27 million small businesses in the United States, accounting for 99% of all U.S. businesses and 60% of the workforce. That makes them an irresistible target for cybercriminals and especially botnets, according to Mr. O’Farrell.

Botnets have emerged as the number one threat worldwide, responsible for churning out spam, sharing and hiding pornography, stealing information and identities, and even attacking global networks. Research from McAfee Security estimates that 4.5 million computers are hijacked as part of botnets every month – or around 150,000 every single day - and the United States is the top destination for these botnets.

I recommend the following steps as a matter of urgency:

More funding. More funding is needed to help small businesses “go secure.” Because there are plenty of excellent security resources in place already, funding should be invested in awareness campaigns to persuade small business owners that (a) security is key to business and not an option or afterthought, (b) small businesses will face serious consequences if they don’t make security a priority and (c) an effective security program can be easily created and maintained using all the great and free resources already available.

More leadership and incentives. The organizations that reach small businesses on a daily basis, especially Chambers of Commerce, banks, credit unions, and ISPs , should be more vocal on the issue of small business security, and actively assist their business members and customers in improving security. Business owners and their employees should also be offered incentives and rewards to encourage them to devote more time to security.

More consequences. Small business owners who deliberately and repeatedly take unnecessary risks with their computers, data, and customer trust should face consequences for behavior that puts others at risk, whether that involves the introduction of new data security legislation focused on smaller businesses, or extending existing legislation like the Red Flag rules to all businesses.

I encourage you to read our recent alert about the growing danger of banking Trojans, and why financial institutions, law enforcement, security experts, and the media are all warning about the growing interest in small businesses by professional cyber gangs.