Study: SMBs Overconfident in Their Information Technology Security

SAN DIEGO, Aug. 27 /PRNewswire-FirstCall/ -- According to independent research released today by Websense, Inc. (NASDAQ: WBSN) , small and medium sized businesses (SMBs) fail to take adequate steps to reduce the risk of data loss from Web-based security threats. The SMB State of Security (SOS) survey of 450 IT managers and employees within the United States shows that while 46 percent of SMB IT managers say they have software to protect company confidential data, 81 percent do not use software to block the use of peer-to-peer applications, block USB devices (80 percent), control the use of instant messaging (76 percent), or stop spyware from sending out information to external sources (47 percent) -- all growing vectors of confidential data loss.

Despite the risk of data loss, 20 percent of SMBs do not use Internet security software other than firewall and anti-virus products, as they mistakenly feel these are sufficient. Additionally, 12 percent of IT managers admit, while they have an Internet usage policy, they have no way of enforcing it.

The study also found that business-owned computers are left vulnerable to security threats for more than 21 days, on average, despite the daily updates promoted and offered by operating system and anti-virus vendors. In fact, only 4 percent of SMB employees have daily security updates on their work PC, while 11 percent of employees say the security software on their work PC has never been updated.

On the bright side, 94 percent of SMBs claim to have an Internet use policy in place, and 67 percent say that all companies should have equal levels of protection from Internet security threats, irrespective of their size.

    2007 SMB State of Security Key Findings:

    -- PREVENTING DATA LOSS: While 46 percent of IT managers say they have
       software to protect company confidential data, 81 percent of SMBs do
       not use software to block the use of peer-to-peer applications, block
       USB devices (80 percent), control the use of instant messaging (76
       percent), or stop spyware from sending out information to external
       sources (47 percent).

    -- RISKY BEHAVIOR: IT security managers say the top risks to their
       business include employees clicking on email links from unknown sources
       (74 percent), employees sending company email to the wrong address (53
       percent), and employees accidentally or deliberately accessing adult
       Web sites (50 percent).  Alarmingly, 73 percent of SMB employees admit
       to at least one of these high-risk activities with their work-owned
       computer, 54 percent admit more than one, while 27 percent admit three
       or more.

    -- FALSE SENSE OF SECURITY: 99 percent of SMB IT managers feel their
       company is protected to some degree from exposure to Internet security
       threats.  But only 22 percent say they feel 100 percent protected --
       meaning 78 percent do not.  Additionally, 20 percent of SMBs do not use
       Internet security software other than firewall and anti-virus products,
       as they mistakenly feel these are sufficient.

    -- WINDOW OF EXPOSURE: The average length of time that employees have
       continued to use their work PCs before security is updated is 21.2
       days.  Only 4 percent of employees have daily security updates on their
       work PC, while 11 percent have never updated security on their work PC.
       On a daily basis, Websense discovers Web sites that contain malicious
       code -- numbering in the hundreds of thousands -- that threaten
       vulnerable computers.

    -- PROTECTION OVERCONFIDENCE:  Confidence levels in IT security are high
       among SMB employees, with 41 percent confident that their IT department
       protects them from every Internet security threat.  However, 45 percent
       say they have some level of protection but admit they are not sure what
       is protected.  Another 12 percent of employees say they do not know if
       their work PC is protected.

"The Web continues to grow as the attack vector of choice for hackers, and SMBs need to realize that anti-virus and firewalls alone aren't built for emerging Web-based threats," said Steve Kelley, senior director of Product Management, Websense Inc. "For example, in February, Websense discovered an information-stealing keylogger on the Dolphin Stadium Web site just days before the Super Bowl was played there. Anti-virus vendors didn't update their products until after the Super Bowl. To prevent data loss and protect against Web-based threats, SMBs need to reassess their security posture and take steps to stay ahead of hackers."

To download a free copy of the survey, visit http://www.websense.com/smbsos.

Survey Methodology

This report was commissioned by Websense, Inc and was carried out by independent market research firm, Dynamic Markets Limited. It details quantitative research with IT managers with responsibility for IT security and users at middle manager level in mid-sized companies in the United States. A total of 450 interviews were collected from companies with 100-1000 employees, with the sample split evenly between IT managers and general employees. The sample contains a wide variety of industry sectors.

A sub-sample of 225 interviews was collected with general employees at middle manager level. All respondents confirmed prior to interview that they were at middle manager level in a function other than IT and that their company has between 100 and 1000 employees worldwide. They also confirmed that they had access to the Internet at work. Similarly, 225 interviews were collected with IT security managers. All of them confirmed prior to interview that they were an IT professional with responsibility for IT security and that their company has between 100 and 1000 employees worldwide.

About Dynamic Markets Limited

Dynamic Markets is an independent market research consultancy that has been carrying out global research for blue chip clients like Microsoft, Oracle, Cisco, Vodafone, Egg, M&S and many others for the past 8 years. It operates to a strict code of conduct, as defined by the Market Research Society (MRS).

About Websense, Inc.

Websense, Inc. (NASDAQ: WBSN) , protects more than 25 million employees from external and internal computer security threats. Using a combination of preemptive ThreatSeeker(TM) malicious content identification and categorization technology and information leak prevention technology, Websense helps make computing safe and productive. Distributed through its global network of channel partners, Websense software helps organizations block malicious code, prevent the loss of confidential information and manage Internet and wireless access. For more information, visit http://www.websense.com.

Websense and Websense Enterprise are registered trademarks of Websense, Inc. in the United States and certain international markets. Websense has numerous other unregistered trademarks in the United States and internationally. All other trademarks are the property of their respective owners.

    MEDIA CONTACT:
    Cas Purdy
    Websense, Inc.
    (858) 320 9493
    cpurdy@websense.com