Nearly nine out of 10 small to midsize companies have inadequate or outdated disaster recovery plans. That figure, which isn't shocking if you've been around for a while, comes from a recently released survey of IT security professionals conducted by nCircle, a vendor of automated security and compliance products.
Like most small vendor-sponsored studies -- this one had 145 participants -- the results are more interesting than conclusive and can be taken in several ways.
According to the survey, which was conducted in November 2011 and released last week:
"The number of small businesses that have no written security or disaster recovery plan is a significant concern," said Elizabeth Ireland, vice president of marketing for nCircle, in a statement.
"It seems counterintuitive, but even though smaller businesses have fewer resources, they need to pay more attention to security rather than less," she said. "This is particularly true in today's escalating cyberthreat environment. Security needs to be more than a written document that you file and forget; it should be a crucial safeguard that's integrated into every aspect of your business."
You can view the full results of the nCircle Small Business Security Survey here.
When reading surveys such as this one, it's important to note the definition of "small business" and "midsize business." The nCircle survey does state how it defines those companies, but in general what constitutes an SMB or midsize company tends to be all over the map. I don't consider $15 million in revenue to be "small," but many surveys do.
The results seem to be saying one (or more) of several things:
OK, you can't survey a business that no longer exists, but if the numbers are really this bad (as I believe they are) and the risks are as great as security vendors and others with a reason to frighten people tell us, there's quite a disconnect. You'd think that if hardly anyone is prepared and the risks are huge, we would all know companies killed by IT disasters.
But I don't. Do you? These numbers seem to predict disasters that I don't see, although many companies are putting out security "brush fires" almost every day. Please tell me what your experience is, as I am a bit perplexed.