Inc magazine has an article that discusses a 2009 study about the cyber security policies of small businesses. The study was conducted by the National Cyber Security Alliance (NCSA) and co-sponsored by Symantec.

The article suggests that “when it comes to cyber security, the majority of the country’s small businesses are not adequately equipped for attacks”.

I disagree with the way some of the information is “highlighted” in this article. Please read the study report for the original survey findings.

Having a “formal security policy” is different from having “secure systems”. Small businesses are not usually sticklers for “formal policies”. But that does not mean they are ignorant. So the fact that only 28% have formal policies doesn’t mean much. Either they trust their outsourced IT provider’s policies, or they have secure in-house systems where the policies are “not written down formally”.

Also look at question #22. Not many small businesses have workplace signage about IT security. That does not mean they don’t care about IT security.

However, the question which bothers me the most is #39: the fact that 6% of the respondents “don’t take any steps to protect customer or employee data”. I am really curious to find out what the rationale behind that decision is for these businesses.

Finally, as full disclosure, be aware that this study was sponsored by Symantec, which is in the business of selling security software.