Most SMBs have no Information Security Policies

87% of Businesses in 2012 Survey Have No Acceptable Use Policies

Phishing attacks are now among the top security risks for organizations. Yet, according to a recent survey of small and medium-sized businesses (SMBs), a full 87 percent do not have a formal written Internet security policy for employees. These findings are from a new survey of over 1000 businesses by the National Cyber Security Alliance (NCSA) and Symantec.

The study indicates that, overall, small and medium-sized businesses are dramatically underestimating the risks to their business. Because of this, cyber-criminals are increasingly setting their sights on small businesses. The survey was released as part of National Cybersecurity Awareness Month to help educate small businesses on these growing risks.

Among other highlights from the 2012 Survey:

  • A Majority of SMBs Believe Security Is Critical to Their Success and Brand: Seventy-three percent of SMBs say a safe and trusted Internet is critical to their success, and 77 percent say a strong cybersecurity and online safety posture is good for their company’s brand.
  • SMBs Unprepared to Handle Data Breach Losses: Nearly six out of 10 (59 percent) SMBs do not have a contingency plan outlining procedures for responding to and reporting data breach losses.
  • Most SMBs Have No Formal Policies: Eighty-seven percent of SMBs do not have a formal written Internet security policy for employees while 69 percent do not have even an informal Internet security policy for employees. At the same time, 10 percent say they have a formal written Internet security policy while 28 percent say they have an informal Internet security policy for employees to follow.
  • Social Media Users Vulnerable: Seventy-five percent of SMBs do not have policies for employee social media use on the job while 23 percent have established policies. (Note: This number seems high since only 10% report having any formal policies at all.)
  • Customer Privacy Lacking: Despite the growing number of public data breaches, sixty percent of SMBs say they do not have a privacy policy that employees must comply with when they handle customer or employee information while 38 percent say they do have a privacy policy.

Easy Information Security Policies

In our experience, part of the problem is that information security is perceived to be too difficult, so it seems easier to do nothing at all. Most organizations are not aware that quality information security policies can be purchased and customized for a very reasonable price. Information Security Policies Made Easy has over 30 sample documents that can be customized in minutes. The sample information security policies include internet acceptable use, email acceptable use, social networking security, customer privacy, network security, incident response and many others. Other free resources are also available, including the SANS Security Policy Project.