Information security breaches seem to have become news of the week, so we at NeweggBusiness decided to conduct a hack preparedness survey through our website. We found some surprising and unexpected differences in information security practices between smaller and larger businesses.
From late December, 2015, through the end of February, 2016, NeweggBusiness ran a survey that asked 12 questions on a variety of security practices. When the survey was completed, we started running a variety of reports and comparisons on the data. One interesting set of comparisons was the security practices of small businesses with fewer than 20 employees versus larger businesses of 200 or more. The following reviews some of those results.
Since biometric authentication is still not widely available, passwords remain the best keys users have to networks, systems, services, apps, and websites. Our questions on passwords held a few surprises though.
In smaller organizations, we might expect that shared accounts and administrator passwords were more common. Astonishingly, it was the other way around. Nearly 43% of larger businesses reported having shared administrator credentials or accounts. Smaller businesses came in at about half that—just under 23% share these account credentials. Surely we don’t need to explain the risk this presents.
In addition, 63% of larger businesses required password changes every three months or less, whereas only 29% of smaller businesses required password changes in less than 60 days. We expected that small businesses would be more lax on this, but not to the tune of half as frequently.
Interestingly, research from people like Cormac Herley of Microsoft Research, which many IT managers are starting to accept, indicates that forcing frequent password changes is not worth it and could introduce more risk. For example, some say that forcing frequent password changes can result in users selecting easier-to-remember passwords as they run out of ideas or doubt their ability to recall a complex one. Worse yet, they may revert to keeping the password in a place that turns out to be insecure.
Since reviewing system and network logs is considered a fundamental practice to aid in issue management and breach discovery, we included a question asking how frequently logs were inspected. We were not surprised by the results, which should serve as a wake-up call to smaller businesses.
Only about 22% of the small-business respondents reported reviewing logs on a weekly basis, but their larger business counterparts examine logs more than twice as frequently, at 47%.
No doubt they will cite lack of resources as a central reason for their failure to get around to reviewing logs. Even so, small businesses indicated they were just as likely to discover a breach (28%) as larger businesses (29%), even though they review logs half as often.
Initially, it was surprising to see that more of the smaller businesses reported running software patches as soon as they came out. Nearly 48% of the smaller businesses indicated running patches this frequently as compared to only about 32% of larger businesses doing so.
Do larger businesses find it more difficult to run the patches due to the larger number of systems? Is it a matter of scheduling issues so as to reduce impact on systems and users where considerations are more likely at an enterprise level? These and some other questions may well come up in our future surveys.
Threat and Risk Assessments
Backed by the old adage, “you don’t know what you don’t know,” threat and risk assessments, which go by various names with diverse scopes, are designed to help an organization identify events that may cause loss or damage to assets and to quantitatively assess the probability of such events. They are best executed by third parties who know how to run them and which vulnerabilities should be tested.
From an IT perspective, these primarily have to do with network breaches and data assets—though the scope can be expanded to anything the IT department is responsible for.
About 7% of respondents from both larger and smaller organizations indicated they did not know what a threat and risk assessment is. Fair enough. Some of those who responded to the survey may not hold a job title in which they would be expected to know what these are.
Unfortunately, another 36% of those from smaller businesses reported never having run one. Some consider this akin to not having checked whether the door was locked when you walk out of the building at night. We might expect this from smaller businesses, however, since such assessments have a cost that might seem beyond their resources.
However, over 15% of respondents from larger businesses also reported not having run such an assessment. This indicates they may not even know where the holes are in their fences—and they may have a lot of assets at risk.
It is reassuring that at least 50% of smaller organizations and 66% of larger organizations have had one of these assessments in the last two years. Since software and hacking techniques are constantly changing, conducting regular threat and risk assessments has become essential to protecting business assets.
Security Attacks Reported
Another interesting difference seen in the survey results was not in the information security practices, but in the reported security attacks. More than 70% of the larger organizations reported some form of security attack, while about 53% of smaller ones indicated likewise. Does the size of a business put a larger target on its back, resulting in more attacks despite some of the apparently better security practices revealed in this survey? Perhaps.
Larger businesses may have the resources to recover from a hack that compromises critical data. Smaller businesses, however, could have more to lose from a hack event due to having fewer resources to deal with the outcome—the right type of event could wipe them out. Still, since more than half of small businesses experienced attacks, it behooves IT management to step up their IT security practices, since they may be at greater risk of being shut down.
As an example, 31% of the smaller businesses responding to the survey reported having experienced network or systems outages from a hack. Can your business afford the risk of light-handed information security tools and practices and a 31% exposure to systems outage? The weekly news reports indicate, “no,” but your alignment with some of the organizations who responded to this survey may indicate otherwise.