The last several years have been tough for small businesses. Strong demand amid short supply and high inflation is the economic backdrop today, and big businesses largely have been holding their own because of their heft, sophistication and strong vendor ties. It has been a tougher road for many small and medium-size businesses, however, reflecting less supply chain buying power and less ability to boost wages amid a tight labor market.
On top of that, cybersecurity is taking its toll on small business. Because many SMBs haven’t been taking cybersecurity seriously, they’re being breached markedly more. Small businesses have accelerated their adoption of new digital technologies for remote work, production, and sales, just as big companies have. But they haven’t followed through with significant cybersecurity spending, even though their expanded computer networks have created new vulnerabilities for phishing and ransomware attacks.
The risk of a cyber-attack for SMBs – already typically higher than the risk for big companies – has grown dramatically over the past couple of years. During 2020 and 2021, data breaches at small businesses globally soared 152% in comparison to the two previous years, according to RiskRecon, a MasterCard unit that assesses companies’ cybersecurity risk. This figure is twice as large as it was among larger companies in the same period.
In addition, a 2021 study by IBM revealed that 52% of small businesses had experienced a cyberattack in the previous year – a figure likely higher now because there are even more cyber-attacks. Meanwhile, a recent survey by UpCity, a Chicago-based business service provider, found that only 50% of U.S. small businesses have a cybersecurity plan in place for 2022. While a small improvement from the past, this still means that 50% don’t have a plan – a significant issue given that virtually everything has become digital.
Protecting a business today requires cyber protection, including trained cybersecurity personnel and some sort of data recovery and business continuity plan. Unfortunately, however, too many small business owners still believe they are too small for cybercriminals to worry about, and don’t have enough data to warrant a breach.
One important reality is that cyberattacks at big companies are far more likely to catch the eye of federal law enforcement. So, criminals have increasingly targeted smaller businesses knowing their defenses are typically far weaker.
Another frequently misguided notion among small business owners is the financial reality of a cyber breach. Many still think it’s mostly about the payment of immediate damage and repair. In fact, much more than this falls on the general accounting ledger, including ransomware payments, lost productivity, increased payroll hours, investigations, regulatory filings and frequent legal expenses.
Small businesses need to find ways to more generously finance cybersecurity and seriously plan and create security procedures. They also need to adopt ways to better protect data and connected devices from cyberattacks, which like security procedures, is largely about strategy, not finances.
Some cybersecurity strategy tips:
Make security part of your company culture. Studies have found that the human factor was involved in more than 85% of breaches, whether it entailed falling for a phishing attack or using easily decipherable passwords. These can be mitigated through expansive awareness programs that don’t stop with a playbook of possible attacks. They also infuse safety into the organizational fabric, constantly reminding employees of their responsibility to keep the organization safe.
Deploy malware prevention software and keep it updated. It would be best to have software that protects devices from viruses, spyware, ransomware and phishing scams. Make sure it’s updated regularly.
Require use of strong passwords and two-factor authentication. The easiest way to break into a business network is by guessing passwords. Most people use a single password for multiple sites and accounts. All employees should have unique passwords for each of their accounts. Password managers are the best method for achieving this goal.
Back up data regularly. It’s best to have multiple backups of company data. This way, if you become the victim of various cyberattacks, you’re not totally locked out.
Limit employee access. It makes sense to segment and limit employees to only the systems and data they must access. If tight access controls are maintained, you’ll limit the damage that any single user can do to your network security.