You hear it all the time from our political and economic leaders - small business is the engine of the U.S. economy. Of the nation's 26.8 million businesses, some 99.9 percent of them have fewer than 500 employees, according to the U.S. Census Bureau.
In addition to driving the economy, small business is the source of a big share of the nation's innovation. For example, 98 percent of telecommunications patents and 97 percent of software patents are issued to companies of 500 or fewer companies, according to a U.S. Small Business Administration study.
Unfortunately, these small businesses tend to pay little attention to security issues - often because they lack the resources. The innovation typical of small businesses could be a target of foreigners or others seeking to steal trade secrets, yet these companies are among the least likely to take measures to protect themselves. The lack of security among small businesses even puts big businesses at risk, especially large companies that interact with hundreds of smaller companies as critical elements in their supply chains.
There are several reasons why small businesses remain soft targets in a time when security efforts at larger companies are greater than ever. The sheer number of small businesses suggests a need for security solutions that are scalable and easily replicated, however, such solutions are mostly lacking. Some approaches to the problem have shown promise, but the nation's small businesses still remain largely vulnerable because few solutions have proven scalable.
Why Small Business Is At Risk
It is easy to point to reasons why small businesses lack sufficient security. Here are a few:
- Lack of resources. Small businesses are often small because they are still looking for the keys to success; that is, to becoming large businesses. By definition, a small business has fewer resources, and discretionary expenditures often come out of the owner's pocket.
- Lack of security awareness. Small businesses are often content to ignore issues of security or business continuity. Even standards and regulations are less likely to be enforced among small businesses. The result is that security becomes an optional expense.
- No security "champion." In small business, everyone wears many hats, and the security hat may be one that is never assigned. If the CEO is also the chief marketing officer or in charge of Human Resources, he is unlikely to have the time or inclination to take on additional duties. The result is that there is no champion of the security cause - and security evolves in a reactive, rather than proactive, manner.
- Suppliers target larger customers. One industry supplier concedes that 99 percent of its business comes from Fortune 500 companies. From a completely capitalistic perspective, it makes sense that a supplier would pursue the business that is the most lucrative and profitable. Dealing with a handful of top companies involves less work than pursuing millions of onesy-twosy applications.
- A higher threshold of security sensitivity. A small business's security sensitivity does not typically extend to threats or vulnerabilities, but instead tends to center on specific events, usually after they have occurred.
Who Should Be Helping Small Business?
The Federal Government has targeted some resources to small businesses, such as the Ready.gov and FEMA Web sites, but it is questionable to what extent businesses are aware of and taking advantage of the resources.
Security-focused committees of industry organizations - such as those serving the food or chemical industries - and even organizations that purport to serve small business, such as the Chamber of Commerce and the National Federation of Independent Business, tend to have more involvement by representatives of larger companies, thus tending to skew their missions toward big-company concerns.