Small and medium-sized New Zealand companies are more susceptible to IT security breaches, including loss of confidential data, than similar organisations overseas, according to a global survey.
Security company Symantec polled more than 1400 small and mid-sized businesses (SMBs) in 17 countries, including 100 in New Zealand and Australia.
Its findings show 58 per cent of New Zealand and Australian SMBs have been victims of IT security breaches involving data being lost, stolen or accessed without authorisation.
Globally, only 41 per cent of SMBs had fallen prey to these types of breaches.
Steve Martin, Symantec's SMB director for the Pacific region, said the high instances of security breaches in Australasia was particularly marked when compared with statistics from North America.
The survey found only 29 per cent of SMBs in the US, and 27 per cent in Canada, had been caught out.
Martin said tighter laws relating to reporting lost data were one of the main reasons American firms had better security.
"Those laws don't exist in this part of the world," Martin said.
"We're not yet regulated here to the same extent that they are in the US. That has a large impact as to why US businesses have a much lower data-loss ratio than we do out here."
Local businesses appreciated the need for IT security, but often did not take adequate steps to implement required security measures, he said.
Symantec asked firms taking part in its survey to rate tier security efforts on a scale of A (excellent) to F (poor). Half the New Zealand and Australian SMBs gave themselves an A rating, but two-thirds should be, or needed to be, rated A.
"Businesses generally recognise they could do a bit more to provide a higher level of security," Martin said.
The survey found 43 per cent of Australasian SMBs had not implemented "endpoint" IT security - software that protects "endpoint" devices such as laptops, desktops and servers against malware. It also found 43 per cent did not have an anti-spam solution.
Almost half (45 per cent) said they did not back up their desktop PCs, leaving important information at risk, while 39 per cent did not have anti-virus protection.
This lack of action over security contrasts with businesses' acknowledgement that IT protection is important:
76 per cent said protecting email, information, networks, servers and desktops was either somewhat or extremely important.
68 per cent said viruses were a top security worry.
More than 60 per cent were somewhat or extremely concerned about phishing scams, spam, data breaches and the loss of confidential information via email or USB devices.
Why do businesses appreciate the need to implement security measures and yet fail to act?
The leading barrier cited by SMBs was lack of employee skills (40 per cent), lack of time (38 per cent) and budget restrictions (37 per cent).
SMBs also told Symantec a lack of awareness of current threats (31 per cent) was another factor.
"While SMBs clearly appreciate the importance of security, they face many barriers when strengthening their IT security infrastructure," Martin said.
"For many companies, the issue of strengthening their IT security infrastructure is compounded not only by the challenges of staffing, budget and time, but also by trying to keep up with the growing amount of information that now resides on mobile devices such as laptops, PDAs [personal digital assistants] and smartphones as well as external storage devices such as USB keys."
The study shows that when SMBs do suffer IT data loss, it is likely to be in an area where basic protection and preventive measures would have alleviated the issue.
For the 58 per cent of SMBs who had suffered a security breach, the leading causes of loss reported was a system breakdown or hardware failure (69 per cent), followed by natural or onsite disasters (49 per cent), human error (47 per cent), lost or stolen mobile devices (45 per cent), deliberate sabotage by employees (39 per cent), out-of-date security solutions (38 per cent) and improper security policies (37 per cent).
Two-thirds of businesses said they either password-protected their desktops and laptops (66 per cent), implemented comprehensive security solutions (66 per cent) and/or prohibited the transfer of data to USB devices (64 per cent) to prevent the occurrence of another security breach.
Martin said given the resourcing issues SMBs faced, the most effective way for them to beef up IT security was to work with specialist firms who provided consulting services and ensure they gave those consultants a good overview of their security requirements.
A survey of New Zealand government departments, undertaken by the Privacy Commissioner and released this month, found many departments were risking accidental disclosure of sensitive personal information because of poor control of staff use of portable storage devices (PSDs) such as USB sticks.
Privacy Commissioner Marie Shroff said although the survey found that 75 per cent of the government agencies reported they had policies to restrict or control the use of PSDs, they were not yet confident those policies were of a good standard or were well known by staff.
"It is particularly concerning that some of the agencies with poorer practices are flagship departments that hold the personal details of thousands of ordinary New Zealanders," Shroff said.
"Private sector businesses were not included in this survey, but there are clear messages from this that apply across the board.
"We have seen the overseas incidents of how easily PSDs containing large amounts of sensitive information are lost or mislaid. We want to avoid similar events affecting New Zealanders.
"We want to get it right before we get it wrong."
DATA IN DANGER
Overseas examples of personal information being lost by businesses and government organisations:
* 100 USB sticks, some containing secret information, have been lost or stolen from the UK Ministry of Defence since 2004.
* In December 2008, a USB stick containing details of over 6000 prisoners was lost by a health agency at a UK prison.
* of almost 900 customers, including accounts, phone numbers and addresses, copied on a USB stick was lost by a Bank of Ireland employee in November 2008. The information was not encrypted.
* A UK survey, carried out by a data security firm, found an estimated 9000 USB sticks have been left in people's pockets when they take their clothes to the dry cleaners.
Source: Privacy Commissioner
NZ lagging in sensitive data security
Businesses often know they are exposed, but fail to act. Photo / Kenny Rodger
AdvertisementAdvertise with NZME.
