Big risk-taking at small agencies

By Suzanne Kubota
Senior Internet Editor

When it comes to cybersecurity in institutions, size matters. According to a recent survey by Applied Research and Symantec human error and deliberate sabotage cause large amounts of data to be lost each year at small and mid-sized companies.

In terms of the federal government, “awkwardly enough,” says Jim Russell, vice president of the Public Sector for Symantec, “some of those smaller agencies are really lax on their security and privacy.”

Some of the simpler things that we take for granted in the security space, things like taking advantage of what’s involved or already installed within your operating systems – things that lock down your computer when it’s idle for a certain amount of time, locking down your laptops when you leave at night, and things like not leaving sticky-pads with your passwords on them, these are things that still exist within the small and mid-sized companies.


Cost doesn’t have to be a factor, says Russell. “There are some things that, from a budget standpoint, are very manageable.”

Russell says measures available to increase security can include:

  • staying informed – there are internet security threat reports that companies publish on a regular basis. And then there are things like
  • trusted solution providers that these independent agencies or these smaller agencies may be able to piggyback off of. And then the simple things like
  • anti-virus software, firewalls, and security patch updates are not that expensive these days. It’s more of a commodity from the stand point of what they’re able to invest in.
  • Piggyback off of existing comprehensive security policies that are in place.

“And then lastly, if all these things fail and they are vulnerable in the current state they’re in, make sure that they’re backing up all the software. Backing up in case there is a data breach or some type of catastrophic hard drive failure. These things are not taking place right now.”

Despite being a violation of federal policy. Russell explains that with policy and standards: “unless they have teeth in them, what’s the recourse if you violate any of the policies? And I think that’s the challenge here.”

On the Web:
Symantec – Small and Midsized Businesses Aware of Security Risks, But Not Doing All They Can to Protect Information (press release)

(Copyright 2009 by All Rights Reserved.)