Cisco's 2016 Annual Security Report suggests SMEs are falling behind in terms of IT security - and that can be a worry for enterprise customers.
According to the report, the use of web security systems by SMEs has fallen from 59 percent to 48 percent over the last year. And the use of patching and configuration tools (applying security patches is one of the first steps in keeping systems secure) dropped from 39 percent to 29 percent.
Similarly, the use of mobile security products dropped from 52 percent to 42 percent, and vulnerability scanning fell from 48 percent to 40 percent.
In fact, all of the security defences listed by Cisco were used by a smaller proportion of SMEs during 2015 than in 2014.
The reason large companies care about this sort of thing is that weaknesses in their suppliers' systems can be used to get into enterprise systems, and because small businesses may hold valuable data that other parties would like to see, such as design specs for components, or the volume to be supplied by the SME.
There seems to be a belief among SMEs that "it won't happen to me."
It must be said that the US idea of an SME is very much larger than ours, and some of the measures mentioned by Cisco - such as penetration testing - would be out of place in all but the most technically advanced and high value Australian small businesses.
But the obstacles to a better security posture do sound familiar: budget constraints, compatibility issues with legacy systems, and competing priorities.
So what should you do? Here are some of the usual recommendations, but you'll need to interpret them in the light of your particular circumstances.
Patch, patch, patch. Keep the operating system, applications and all other software up to date. If a vulnerability has been fixed, intruders can't use it against you. If you don't use a tool for keeping all your computers patched, at least work methodically so none get overlooked.
Reduce the attack surface. Uninstall software you don't need, including browser plug-ins, and disable any system services that aren't required. (You might want to consult your favourite IT support person about this.)
Install reputable security software, keep it up to date and keep it active. Such products are no longer just about recognising malware when it reaches a system: they can also help prevent users following links to 'known bad' sites (eg, those used by phishing attacks or to distribute malware), and monitor and block suspicious network activity. And they increasingly include management features to help you look after multiple computers from one place.
Educate your staff. While security software can cover for some mistakes, it's better if people don't make them in the first place. So: use strong passwords (adding a password manager to your systems will assist, and will discourage 'storing' them on sticky notes under the keyboard). Watch out for phishing attempts (emails that try to trick you into entering your username and password at a fake site), emails that purport to be from business partners but aren't (yes, it's unlikely a small business will be specifically targeted, but if you regularly receive deliveries via DHL someone could easily fall foul of a fake DHL delivery notice that installs malware if opened) and so on. Beware of email requests to send what could be sensitive information - check that the request is legitimate before complying. That list isn't comprehensive and none of those practices is totally foolproof, but they will help. And to help you, Sophos offers some free training resources.
Feel free to use the comments to suggest additions to this list of SME security essentials.