Like all enterprises, small businesses have to handle customer data, including PII (personally identifiable information). But they rarely have the resources to safeguard that data effectively against the cyber threats surrounding them, which makes them an easy target for attackers ranging from script kiddies to state-sponsored groups. Even amateur cyber criminals know that they are far more likely to find a naive user who will fall for a phishing email, or an employee with a default or obvious password, in a small business, where cybersecurity and employee awareness training are often pushed aside in the hope that bad actors will be too busy with big-game hunting.
Many small businesses are also negligent about network security, leaving equipment with its factory default passwords and not enabling WPA2 or WPA3 on their wireless networks. And finally, small businesses commonly fail to enforce cybersecurity best practices such as using strong, unique passwords (and changing them whenever compromise is suspected), patch management, the principle of least privilege, and revoking access when it is no longer needed.
Threats Surrounding Small Businesses
Social engineering, mostly in the form of phishing, is one of the biggest threats facing small businesses. Attackers trick unsuspecting users into divulging confidential or sensitive information, or into opening a malicious file or link that delivers malware. Ransomware and double-extortion attacks, where data is exfiltrated before it is encrypted so that the attacker can also threaten to leak it, are becoming a major concern for security stakeholders working with small businesses. And sometimes it is not an advanced threat that causes an incident, but something as trivial as an employee leaving a sticky note with their credentials on a desk, which can be enough to expose the entire system to an array of threats.
2020, dominated by the Covid-19 crisis, was marked by cyber attacks leveraging vulnerabilities in hastily set up work-from-home deployments. Small companies were at the greatest risk of closure following global lockdowns, and in the pursuit of continuity, security often took a back seat. The lines between personal and business devices blurred, and many small businesses allowed employees to access internal resources from their personal devices. This large-scale, poorly planned work-from-home experiment also turned into a security disaster for smaller companies with limited or no IT staff and resources.
Cyber Security Statistics for Small Business Owners
Keeping up with the latest cyber attack statistics is essential for understanding the state of cyber threats, the vulnerabilities most commonly exploited, the consequences of a successful attack, and effective strategies for mitigating prevalent threats. So, here are 10 important cybersecurity statistics that show how insufficient the preventive and defensive measures of smaller companies are, despite the inevitability of modern cyber attacks:
- 43% of all data breaches involve small and medium-sized businesses.
- If you’re still in denial about the chances of your small business becoming a victim, 61% of all SMBs have reported at least one cyber attack during the previous year.
- A benchmark study by Cisco found that 40% of the small businesses that faced a severe cyber attack experienced at least eight hours of downtime, and this downtime accounts for a major portion of the overall cost of a security breach.
- The same Cisco study found that ransomware was not among the top three cyber threats identified by small businesses. Business owners may be underestimating the threat of ransomware; MSPs are not: 85% of MSPs consider ransomware one of the biggest threats to their SMB clients.
- 30% of small businesses consider phishing attacks to be the biggest cyber threat.
- 83% of small and medium-sized businesses are not financially prepared to recover from a cyber attack.
- Despite the staggering numbers, 91% of small businesses haven’t purchased cyber liability insurance. This truly reflects how unaware and unprepared small business owners are to deal with security breaches.
- Only 14% of small businesses consider their cyber attack and risk mitigation ability as highly effective.
- 43% of SMBs do not have any cybersecurity plan in place.
- One in five small companies does not use endpoint security, and 52% of SMBs do not have any IT security experts in-house.
Moving Forward: What Needs to be Done
These statistics reveal the grim state of cybersecurity for most small businesses. It's true that sophisticated cybersecurity tools, techniques, and expertise don't come cheap, but the cost of a successful cyber attack is also enough to put a small company out of business. At first glance, it may seem like you are damned if you do and damned if you don't.
For small businesses, the way out is to control costs where possible. For instance, hire an MSSP, or an MSP with security offerings, if you cannot afford in-house security professionals. Many small steps can take you a long way, so focus on the absolute essentials for surviving in a diverse threat environment. Even basic cybersecurity best practices drastically reduce the risk.
From social engineering to ransomware to zero-day threats, here are a few tips that can improve your cybersecurity posture without breaking the bank:
- Those who fall prey to social engineering are mostly people with little cybersecurity awareness. Educate your employees about common social engineering ploys, conduct phishing assessments, and keep reinforcing the basic cybersecurity concepts.
- Keep your operating systems, applications, and security software such as antivirus and firewalls up to date and fully patched.
- Enforce password policies and use multi-factor authentication, especially on email, remote access, and administrator accounts.
- Invest in a VPN for encrypted data transfers and secure remote access to internal resources, and treat the VPN gateway itself as a critical system: keep it patched and put it behind MFA.
- DHS, through CISA, offers several free cybersecurity assessments and vulnerability scanning services for small businesses to detect known vulnerabilities and misconfigurations. Take advantage of such offerings.
- Purchase cyber liability insurance.
- Always keep an offline (or otherwise immutable) backup of your data in anticipation of ransomware or other malware attacks, and test that you can actually restore from it.
- Finally, know that despite doing everything right, security incidents will still occur. Your best bet is to be prepared with a robust incident response plan. An IR plan is not a one-and-done endeavor: you must periodically test and update it to keep pace with evolving threats.
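A backup only helps against ransomware if you know it is intact and you can restore from it. The following is an added example, not code from the original article or from Parachute: it records a SHA-256 manifest of every file in a backup, then verifies a directory against that manifest and reports files that are unchanged, modified, missing, or newly appeared. The sample files, the "live" and "backup" directories, and the simulated ransomware activity are all constructed inside a temporary directory so the script runs offline; in practice the backup directory stands in for offline media, and the manifest must be stored with the backup (or signed), not on the machine being protected.

```python
"""Build a SHA-256 manifest of a backup and verify a directory against it.

Added example for the backup/restore-testing tip above; the sample data
and the ransomware simulation are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = file_sha256(p)
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a directory with a manifest.

    Returns lists of files that are unchanged ('ok'), whose content differs
    ('modified'), that are absent ('missing'), and that are present but not
    in the manifest ('extra', e.g. ransom notes or renamed encrypted files).
    """
    current = build_manifest(root)
    result = {"ok": [], "modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    result["extra"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware on the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"  # stands in for offline media
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "notes.txt").write_text("call supplier monday\n")

        # Take the backup and write the manifest next to it (keep both offline).
        shutil.copytree(live, backup)
        manifest = build_manifest(backup)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # Simulated ransomware on the live copy: one file overwritten with
        # random bytes, one renamed with a ".locked" suffix, a ransom note dropped.
        (live / "accounts" / "ledger.csv").write_bytes(os.urandom(32))
        (live / "notes.txt").rename(live / "notes.txt.locked")
        (live / "README_RESTORE.txt").write_text("pay us\n")

        # Re-read the manifest from disk, as a real restore check would.
        stored = json.loads((Path(tmp) / "manifest.json").read_text())
        return {
            "live": verify_backup(live, stored),     # shows the damage
            "backup": verify_backup(backup, stored), # restore test: must be clean
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this on a schedule against the restored copy, not just the backup media: a backup that verifies but cannot be restored is still a failed backup. If the manifest lives on the same host as the data, ransomware can rewrite it too, so keep it with the offline copy or sign it.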
Ashley has been writing about the impact of technology and IT security on businesses since starting Parachute in 2005. Her goal has always been to provide factual information and an experienced viewpoint so that business leaders are empowered to make the right IT decisions for their organizations. By offering both the upsides and downsides to every IT solution and consideration, expectations are managed and the transparency yields better results.