A degree of scepticism is usually healthy when considering the results of surveys, especially those sponsored by bodies with a commercial or political axe to grind. But that doesn't mean there's nothing to be learned from them.

So before we get into the results of a survey of the Internet security and storage habits of small to medium businesses in Australia and New Zealand, let's establish that it was commissioned by Symantec (which sells security and data protection products), it was conducted over the web (raising self-selection issues, for example), and there were only 301 Australian respondents. The following discussion refers to the Australian results.

The basics seem to be in place: at least three-quarters have an Internet security policy, update their security software at least weekly, and use spam filters. 90 percent backup at least weekly, but only a less impressive 50 percent manage a daily backup. Given that 40 percent say they recover files from backups at least once a month, a daily backup of all business data should be considered a minimum requirement. You can't help wondering what the figure would be for companies that would like to be able to recover files but can't.

Despite their precautions, 51 percent said they have been affected by an Internet security threat (eg a virus) and 26 percent have been affected by phishing. This suggests that security software isn't being updated sufficiently frequently and that spam filters aren't doing enough to block malicious messages. I'm also inclined to wonder if there's sufficient staff awareness of phishing.

Part of the problem is that small businesses are, well, small. 44 percent of respondents said their IT budget was $50,000 or less. The overall average spend of $130,000 was severely skewed by the five percent with budgets in excess of half a million dollars. And 61 percent said their IT responsibility was in addition to their primary job as managing director, practice manager, finance manager, sales manager, etc. Lacking specialist IT staff, the smaller companies tend to rely on external consultants. Even though businesses with more than 50 employees tend to have at least one IT specialist on staff, the role requires broader expertise than can be reasonably expected from one person and so they mainly look to value-added resellers for implementation and support assistance.

Although the biggest hindrance to implementing or improving backup was said to be budgetary, there's probably room for improvement in terms of frequency without increasing direct expenditure on IT. Since 80 percent of businesses said they send or receive purchase orders electronically, this should be considered a high priority. More frequent updates to security software would probably help with some of the other problems, and again this shouldn't involve additional expenditure, just improved practices.

In terms used in old-fashioned school reports, the verdict would probably be something along the lines of "7/10, must try harder."