Small to medium-sized businesses (SMBs) are still failing to take even basic data protection measures, despite government education initiatives, according to Sophos head of security research James Lyne.
In an interview with V3, Lyne said that government and security vendors still have a vast amount of work to do to educate SMBs about cyber security best practice.
"We've made a lot of progress, but there's still a horrifying amount of work to do [with] educating SMEs about security," he said. "Many SMBs are still behaving like consumers when it comes to securing their data and this won't do."
Lyne warned SMBs against using consumer-focused services to store their data. "When I talk to most SMBs they're still using consumer services like Dropbox, which they really shouldn't," he said.
"We're seeing an alarmingly large number of small businesses use Dropbox, or some equivalent consumer service for work storage. They're just dropping it all in the folder and thinking they're done. Putting aside the number of times services like these have been hacked, this is bad as they're putting it in a cloud that's not hosted in the UK that they don't control."
Lyne said the approach to storage is leaving most SMBs' data open to theft. "If you look at most SMBs' networks their security is like a Rolo chocolate. It's hard on the outside but very soft on the inside. They're focused purely on anti-malware," he said.
"This means that once a hacker gets in, they can get everything. Even the hard part of their security Rolo isn't that hard and is fairly easy to get into. Considering what we know about hackers, this means most small businesses are literally handing over their crown jewels."
The Sophos expert said the companies' poor storage practices are particularly damaging because they also leave them one step away from fines by regulatory bodies such as the Information Commissioner's Office (ICO).
Lyne said further regulation will not fix the problem. He argued instead that the government and security vendors must continue to work together to educate people about cyber best practice. "It's about having a proper data management plan in place and getting people doing basic things like encryption and properly backing up," he said.
"With a good data plan in place, threats like the Cryptolocker ransomware would go from being catastrophic to being a serious nuisance. Proper data management could really put a dent in criminal operations like Cryptolocker."
Cryptolocker is a prevalent type of ransomware, which locks users out of their computers and displays an image demanding that the victim pay a ransom to regain access to their data.
Lyne added that to truly protect SMBs, service and manufacturing industries will have to adapt their creation processes to include security as a key factor from the start.
"This is costing the UK a lot of money and we need to rethink how we do things," he said. "We need to start making sure all services, including consumer ones, come with security out of the box."
The Sophos chief is one of many technology experts to call for hardware manufacturers to design their products to feature integrated security. Intel president Renee James argued that tech companies should make security free and available for all at the McAfee 2013 Focus event in Las Vegas in October.