Updated Friday, April 10, 2009 at 3:37 p.m. EST

Despite being aware of the importance of security, small-to-medium-size businesses (SMBs) generally are not protecting their networks, according to a survey released Thursday by Symantec.

The survey, which was conducted this February and compiled data from 1,425 respondents worldwide, found that SMBs are facing a “security gap” because they often lack basic security measures — 59 percent of respondents do not have endpoint protection, 47 percent lack desktop backup recovery and 42 percent are not running an anti-spam solution.

In addition, more than a third of SMBs, defined as having 10 to 500 employees, lack server backup recovery (38 percent) and anti-virus protection (33 percent).

“Too often people seem to think — small company equals small risks,” Rick Caccia, vice president of product marketing at security vendor ArcSight, told SCMagazineUS.com in an email. “[But] in fact, small companies manage credit card numbers, health information, social security numbers, and other sensitive pieces of data.”

Kevin Murray, senior director of security product marketing at Symantec, told SCMagazineUS.com Friday that he thinks the most surprising survey finding is that a third of companies do not have AV protection.

“The key message is that SMBs are more at risk than they think,” Murray said. “For example, most of the computer industry assumes AV is on every system out there; this survey shows that’s not the case.”

Though many SMBs don’t have basic protections in place, survey respondents said they are concerned about the threats facing them. Viruses are the top concern for SMBs, with 79 percent of respondents saying they are “extremely” or “somewhat concerned” about this threat. Spam is the second biggest concern, followed by data breaches.

Symantec said that one of the factors driving this gap in security protections is the lack of an IT staff at many SMBs. Forty-two percent of respondents said they don’t have a dedicated IT professional on staff. Instead, company managers, business owners and other staff are in charge of their computer systems, according to the survey.

Caccia said he thinks this is one of the survey’s most important findings.

“SMBs, because of a lack of security staff, may not actually know what they should be doing to protect themselves from hackers, malware, and data theft,” Caccia said.

Caccia said that because of a lack of staffing resources, what is missing is the understanding of which security pieces to buy and deploy, how to do so, and where to tie them together to provide practical protection.

On the positive side, SMB IT security budgets seem to be growing — 50 percent of respondents said they plan to increase spending in the next 12 months, according to the survey. Currently, the median IT security budget for SMBs is $4,500.

Similarly, Forrester Research said in a January report that both SMBs and large enterprises expected to allocate more of their IT budgets to security spending this year, compared to 2008.

“They [the SMBs] recognize the need to secure their information, but what they are not doing is acting to do it properly,” Murray said.

Murray said that SMBs should become educated and stay informed about the latest threats. He also suggested working with a solution provider to find out where to spend IT security budgets to be protected.