Understanding small business is tough because there are so many of them and they vary so widely. But all small businesses share certain problems, attitudes, and approaches to those problems. Let's give a hand to Symantec and Network Solutions for doing their part to discover the state of security and creating (and studying) the Small Business Success Index.

In its study Symantec focused on its sweet spot, security with an added dash of storage. Symantec surveyed over 1,400 small businesses worldwide, including 200 in each in the U.S. and 200 more in Canada. Of all companies surveyed, 44% employ between 10-100 workers, 28% employ 101-250, and 29% employ 251-500.

Overall, Symantec found small businesses know security is important. Budgets for security and storage are flat or rising for 91% of the responders. Exactly half say they plan to increase spending for IT. Yet despite this understanding, serious security and data protection gaps exist.

Small businesses report that their top three security concerns are viruses, spam, and data breaches. But how do I reconcile those findings with the fact those same respondents said they have no endpoint protection (59%), no desktop backup and recovery (47%), and no antispam solution (42%)?

Isn't that the definition of cognitive dissonance? How can you say security is a serious concern to you, yet have no endpoint protection? How can four in 10 companies function today without some type of antispam control? Do they just ignore e-mails because they can't find important messages in the never-ending flood of spam?

Some specific questions about data breaches really caught my attention. Symantec asked, “Why did the security breach happen?” and allowed multiple answers from survey takers. Top of the list, at 47%, was system breakdown / hardware failure. I wonder about the wording of the question or possible answers, because in my experience, hardware rarely causes those types of problems. Hackers don't attack hardware, they attack weak software security and poorly trained end users.

The second highest response about the data breaches also strikes me as curious. Forty four percent said the breach happened because of a lost or stolen laptop, smartphone, or PDA. Other surveys I've seen put this percentage at two thirds or higher. The Symantec survey pegs human error as the reason for 39% of the breaches, but nearly all poor security processes can be called human error if you look at the problem in the right way.