12
Jan

nCircle Survey Sees SMB Security Dangers as Companies Unprepared

Posted by David Coursey
David Coursey is a writer, broadcaster, event host, industry analyst and busines
in Risk Management

Nearly nine out of 10 small to midsize companies have inadequate or outdated disaster recovery plans. That figure, which isn't shocking if you've been around for a while, comes from a recently released survey of IT security professionals conducted by nCircle, a vendor of automated security and compliance products.

Like most small vendor-sponsored studies -- this one had 145 participants -- the results are more interesting than conclusive and can be taken in several ways.

According to the survey, which was conducted in November 2011 and released last week:

  • 51 percent of respondents have a disaster recovery plan but aren't sure it's up to date
  • 13 percent of respondents do not have a disaster recovery plan
  • 36 percent of respondents rely on back-ups for disaster recovery
  • 19 percent of respondents don't have a security policy and expect their employees to use good judgment
  • 26 percent of respondents have a security policy but don't really enforce it

"The number of small businesses that have no written security or disaster recovery plan is a significant concern," said Elizabeth Ireland, vice president of marketing for nCircle, in a statement.

"It seems counterintuitive, but even though smaller businesses have fewer resources, they need to pay more attention to security rather than less," she said. "This is particularly true in today's escalating cyberthreat environment. Security needs to be more than a written document that you file and forget; it should be a crucial safeguard that's integrated into every aspect of your business."

You can view the full results of the nCircle Small Business Security Survey here.

When reading surveys such as this one, it's important to note the definition of "small business" and "midsize business." The nCircle survey does state how it defines those companies, but in general what constitutes an SMB or midsize company tends to be all over the map. I don't consider $15 million in revenue to be "small," but many surveys do.

The results seem to be saying one (or more) of several things:

  • The respondents are not really full-time security professionals -- how many small and midsize businesses can afford one? -- so their lack of accomplishment makes sense
  • Small and midsize businesses do not understand the dangers
  • Or they do understand but discount them, perhaps because of a lack of resources
  • What they are doing -- not doing, really -- has worked so far, so why change?
  • Many of these "security professionals" are actually moonlighting baristas (OK, not really ...)
  • The actual threat is pretty small, or some of these companies would be out of business already

OK, you can't survey a business that no longer exists, but if the numbers are really this bad (as I believe they are) and the risks are as great as security vendors and others with a reason to frighten people tell us, there's quite a disconnect. You'd think if hardly anyone is prepared and the risks are huge we would all know companies killed by IT disasters.

But, I don't. Do you? These numbers seem to predict disasters that I don't see, although many companies are putting out security "brush fires" almost every day. Please tell me what your experience is, as I am a bit perplexed.

 
