[ISN] Small Biz Puts Protection Before Continuity In Survey
InfoSec News
isn at c4i.org
Fri May 7 09:51:04 EDT 2004
http://nwc.serverpipeline.com/showArticle.jhtml?articleID=19502258
By Tom Smith
Small Business Pipeline
May 05, 2004
Despite a recent history that includes terrorist attacks on American
soil, the resulting war against terror, and a flurry of virus
activity, most small businesses aren't concerned enough to develop
specific plans to keep their businesses up and running in the event of
a disaster. However, they do recognize the need to protect their data
and computer systems from natural disaster and hacker attacks.
A survey of 237 small businesses conducted by Small Business Pipeline in
April found that 73% have no written plan that defines a strategy for
responding to disaster. Of the 27% that do have such a plan, about 80%
actually review the plan on an annual basis with their employees.
Six of 10 have done no formal quantification of how much it would cost
their business if it was interrupted for any extended period of time.
Of that small percentage that have performed this financial analysis,
56% say they'd lose less than $10,000 per day. That result is perhaps
not too surprising, given that more than half of the survey
respondents have less than 10 employees. Another 27% have less than 50
employees and 16% have less than 100.
In a somewhat contradictory finding, the highest number of
respondents, 35%, ranked disaster recovery as about equally important
as other business functions such as customer service, technology
operations, finance and accounting, and so on. A full 34% said
disaster recovery is more important while 31% said it's less
important. Despite these findings, there's no apparent sense of
urgency to plan for disaster.
There was some good news: 56% of survey respondents do have a defined
sequence of steps to be followed if their physical location becomes
unavailable.
Z Technology, a manufacturer of test and measurement equipment for the
radio and television broadcast industry, appears to be fairly typical
of the survey respondents. The 10-person company has no formal
disaster-recovery plan, operations manager Dan Nicholas said. "I don't
think it's ever been thought about a whole lot," Nicholas added. "It's
not a conscious decision to not have one."
However, the survey found a strong, clear emphasis on data and systems
protection among small businesses. Those businesses are acutely aware
of the threat posed by viruses, hackers and system incursions. Of the
237 survey respondents, 88 or 37% say technology-driven threats
(viruses, hackers, security breaches) pose the greatest danger that
could interrupt the functioning of their business.
Other threats identified as the biggest concerns included disasters
such as fires or explosions, selected by 27% of respondents; natural
disasters such as weather and earthquakes, 26%; theft or loss of
intellectual property, 7%; and other areas such as terrorism and a
national emergency, 3%.
FMSI Actuarial Concepts and Systems Inc. is indicative of the focus on
protecting data and systems among small businesses. The Deerfield, Ill.,
company's three employees hold themselves accountable for backing up
data from their workstations on a regular basis. Data gets backed up
to two separate Web-based systems maintained by different outsourcing
firms for an additional layer of protection. "If one is down, the
other is not down at the same time," explains Gerry Kopelman, a
partner.
While these backup procedures aren't explicitly defined, they are a
part of the company's way of doing business. "There are no formal
policies. It's just become our habit to do that. It's common sense,"
Kopelman says.
Like FMSI, respondents to the Small Business Pipeline survey appear
well-prepared to deal with threats that could impact their corporate
data. Three quarters of respondents say they have a specific medium or
plan for protecting data in the event of a business or technology
interruption. In a related finding, 62% of respondents say they have
defined policies to secure the data on individual employees'
computers.
Asked to identify their primary means of protecting data, 43% said
they back up data to an off-site facility they own or manage; 28% said
they back up data to servers or systems in the same office as primary
systems; 20% said they back up data to a third-party facility, and 9%
use another means.
Asked to rank technologies that are most important in preventing
business interruptions, the most respondents, 40%, selected network
security products such as firewalls. Another 34% selected data backup
and management.