I’ve had this conversation hundreds of times, so I wasn’t surprised when it came up again—this time with a friend who is also a small business owner. Let’s call him Frank, to protect the innocent here. He owns and operates a successful manufacturing concern. “I’m not sure why I should care about all this cybersecurity stuff,” Frank said. “We’re a small shop, and we don’t have anything of much interest to anyone.”
I’ve heard this so many times; I couldn’t help but sigh. I explained to Frank that the vast majority of attacks on the Internet or the cloud don’t have much to do with any tangible value an organization may have. It’s not like the physical world, where it is time-consuming and risky to check whether doors are locked. Online, it’s fast, cheap, easy and relatively risk-free to find systems that are vulnerable. Then those systems can be used for all kinds of things like launching attacks on other systems. That’s what happened with the Mirai botnet attacks, which commandeered thousands of networked devices to launch attacks on third parties—business partners of Frank’s—who might be juicier targets.
Not to mention, I explained to Frank, his business is a juicy target itself. There are financial threats, bank accounts, employee information, ransomware risks, and competitors may want to attack his business to gain information for a competitive edge. The list goes on.
I was trying my best but making no headway. I could tell by his expression.
You’d think, or hope, that Frank is an anomaly, but he isn’t. Many small business owners and startups think they are not valuable targets. They think they don’t have to worry about sophisticated hackers, or do any more than the bare minimum when it comes to cybersecurity. They couldn’t be more wrong.
Consider a study by Jay Vadiveloo, Director of UConn’s Goldenson Center for Actuarial Research, Cyber Risk for Small and Medium-sized Enterprises, released last week at Travelers Institute’s Cyber: Prepare, Prevent, Mitigate, Restore forum. He found that about half of small businesses reported that they had been victims of a cyberattack in 2014.
Vadiveloo was paraphrased in this story, Cybersecurity: Small Businesses a Big Target, as stating that many small and midsize businesses are targeted because they are unaware of the severity of cyberattacks and lack the proper security measures. “Small businesses harbor the misconception that cybercriminals only target large organizations,” Vadiveloo was quoted as saying.
That’s exactly what I’ve been saying. But here are some highlights from the report:
Cyber risk is a real and growing concern for SMEs.
As SMEs integrate new technology into their business, their cyber risk exposure increases. Businesses must develop an understanding of what cyber risk is and the extent of their recent exposure as it pertains to their business sector.
SME perceptions of cyber risk may not be an accurate measure of what the actual reality for cyber risk is.
More than half of SMEs haven’t realized that they lack adequate protection from cyber threats (KPMG). While some SMEs are aware of these threats, they take no additional preventive measures to protect themselves, as reflected in the budget allocated to IT spending (SANS).
The impact of cyber risk for SMEs is significant.
Once a business has developed an understanding of what cyber risks are, it is crucial that it assess the potential impact of a cyber breach on the company. The impact for SMEs may be different than for large businesses, and likewise, an impact for one SME might not be a concern for another. However, in either case, the cyber risk impact for SMEs is very significant as described in the report below.
SMEs face many challenges in the process of reducing their cyber risk.
Because cyber risk is hard to understand, most SMEs lack knowledge of cyber risk and are incapable of handling these cyber risks on their own. Also, myriad cybersecurity solutions are available in the market, but SMEs lack access to reliable guidance on how to create a robust cyber risk management plan. And lastly, although cyber insurance is considered a cybersecurity solution, it is not easily accessible to SMEs.
To me, these findings are no surprise. I’ve helped conduct dozens of surveys over the years and have found lots of Franks out there – they either think they won’t be targeted or are overconfident in their security postures. A few years ago, CSO Online colleague Steve Ragan covered a study by Office Depot and McAfee that showed just this. “McAfee says that SMBs are suffering from a false sense of security, basing their claims on a recent study conducted with Office Depot. Those who took part in the study showed a high degree of confidence that their data and devices were safe from attackers, despite industry research and evidence that proves otherwise,” Ragan wrote.
The study, consisting of 1,000 SMB survey respondents, found that “66 percent…were confident that their data and devices were secure and safe from criminal hackers, with 77 percent reporting that their organizations have never been attacked,” Ragan wrote.
But get this: “When asked for details, 80 percent of the respondents to Office Depot’s survey admitted to not using data protection. Only about half of them confirmed that they’re using email and Internet security measures,” he wrote. “And almost all of them—91 percent—said they don’t use endpoint or mobile device security. Yet, the frightening admission comes from the 14 percent of SMB owners who said they haven’t implemented security measures of any kind in their environment.”
Clearly, SMBs, start-ups, and even businesses that consider themselves too boring to target are actually targets and should take steps to protect themselves. I know I haven’t convinced Frank, but I also know that Frank is at risk of paying a big price one day for playing ostrich.