McAfee released the results of a survey last week after sampling 500 IT decision-makers from companies with 1,000 to 2,000 employees.  The results are pretty astounding.  Forty-four percent think that cybercrime is only an issue for larger organizations and believe it does not affect them.  Fifty-two percent believe that because they are not well known, cybercriminals will not specifically target them.  Forty-five percent do not think that they are a valuable target for cybercriminals.  Lastly, forty-six percent do not think they can be a source of profit for cybercriminals. 

Take a moment to let that sink in.  Approximately half of these small and medium-sized companies are basically saying that security doesn’t matter to them because cybercriminals either won’t find them or they don’t think they have information of value to a cybercriminal.  Eighty-eight percent believe they were adequately protected against security threats even though forty-three percent admitted they accept the default settings on their IT equipment.  Even more amazing is that forty-two percent dedicate just one hour a week to proactive IT security management even though twenty-one percent acknowledged that an attack could put them out of business, thirty-two percent have been attacked more than four times by cybercriminals in the last three years, and twenty-six percent took at least a week to recover.

Now, think about how many times you’ve bought something online in the last year or so from a small or medium-sized company.  Scary, isn’t it?  Until these companies start treating security as a proactive discipline, things are going to get much worse before they get any better.