Small Businesses Confident They've Got Security Under Control

Small businesses were largely spared significant business impact or interruption from the recent MyDoom virus and don't seem to be elevating their focus on security in the coming year.

Those are among the key outcomes of the March Small Business Pipeline reader survey focused on IT security. The survey was completed by 227 companies with less than 100 employees.

Asked to rate the impact of MyDoom, more than 90% rated MyDoom said it had minimal or no impact on their companies. That breaks down as 44.5% saying MyDoom had impact although that impact was minimal, while another 46.3% said it had no impact at all.

Anecdotal evidence supports the findings of the survey.

Philadelphia-based GCR Services LLC, a management consultancy with less than 25 employees, isn't placing any greater emphasis on security today than it was before MyDoom, said Richard Wiedenbeck of GCR. "We have personal firewalls and antivirus software. Most of our people are fairly senior level and literate, so they understand what not to open. We've done a good job with education and software," he said. Specific to MyDoom, Wiedenbeck said it had "no impact."For the less than 8% of survey respondents that did report being impacted by MyDoom, the financial losses they incurred were relatively minor. About 59%, or 10, of those 17 companies that did report an impact said their financial loss was under $1,000. The remaining 7 respondents -- 41% -- said their loss was under $10,000, clearly not a catastrophic number but not pocket change, either, especially for a small business.

Of those reporting an impact from MyDoom, 47.1%, by far the highest percentage, said the virus caused interruption and/or discontinuation of electronic communications for their company.

Still, respondents to our survey indicated that their top security priority for 2004 is preventing problems that can be caused by worms and viruses so MyDoom and other high-profile viruses/worms seem to have at least heightened awareness of security. A full 42% of respondents said their top security priority is preventing problems caused by worms and viruses, while 24% selected "securing and protecting any data that relates to our customers as they transact business with us."

When they were asked to rate the importance of security relative to other IT investments and strategies in the coming year, the highest percentage of respondents -- 42% -- said it's about equally important as other IT categories including networking, productivity software and PCs and servers. The remaining respondents broke down as follows:

Still, the impact of viruses seems to be driving a fair amount of security decisions. Asked to prioritize planned security purchases this year, 36.5% of respondents said antivirus software is most important. The other responses break down in this fashion:

Mike Essary, vice president of pharmaceutical distributor Letco Inc., Decatur, Alabama, is apparently representative of these security purchasing priorities. Essary says the spread of worms like MyDoom has made security a greater concern in his company in recent months, even though the diligence of his company's IT person thwarted MyDoom in his company. "We have good protection devices in place and our IT person stays on top of patches," he said. "We're not going to spend more money, but we will take more time to monitor and make sure we don't have any problems."

In the Small Business Pipeline survey, 46.4% of respondents said they'll spend less than $1,000 on security products this year, while another 41.1% said they'll spend between $1,000 and $9,999. Just 12.5% plan to spend more than $10,000 on security wares.