Small Businesses and the Cyber Security Conundrum

Erin Kelly
Small Business, Big World
Feb 1, 2019

We live in a digital world.

Technology advancements have made it possible for businesses to send payments to another country with the click of a button, expand globally, and easily stay in communication with customers and partners.

But as with any gain, there also comes risk. And for businesses, the risk of those digital advancements is the threat of cyber attacks.

Cyber crimes are certainly not a new issue: hackers have been finding ways to target businesses since the dawn of the internet. But with every passing year they become an increasing concern with costlier ramifications.

In fact, cyber theft is now considered the fastest-growing crime in the US.

In 2017, a business was the victim of a ransomware attack every 40 seconds. That sounds like a lot, but consider this: it’s projected that come next year, a business will be targeted by a ransomware attack every 14 seconds.

What’s more, by 2021, cyber crime damage is projected to cost the world $6 trillion annually.

And while no one disputes the dangers of cyber attacks, there are questions about just how seriously small businesses are taking cyber security and the role they play in the global response to these crimes.

The Numbers: Small Businesses and Cyber Attacks

So just how often are small businesses being targeted by cyber attacks?

According to recent studies, a lot.

A report from the Ponemon Institute found that the percentage of small and medium-sized businesses that experienced a cyber attack in a 12-month period rose to 61% in 2017, up from 55% in 2016. Of those that get hacked, 60% of small companies go out of business within six months following a cyber attack, according to the National Cyber Security Alliance.

Despite the number of small businesses that are targeted by hackers, the Ponemon Institute report found that only 39% think the technologies used by their organization can detect and block most cyber attacks, while just 21% rated their cyber security measures as highly effective. And even though ransomware incidents are increasing, only 50% said the prevention of such attacks is a high priority.

What’s more, those numbers may not reflect the real extent of how many small businesses are hacked. A Better Business Bureau survey of small business owners found that about 10% of respondents were unsure if they’d been the target of a cyber attack.

That may sound a bit surprising to some. After all, how could a business not know right away when it’s been attacked? But it’s actually more common than you may think.

Part of the reason that cyber attacks have increased so dramatically is that hackers have become more sophisticated in recent years. One report determined that the global average time to detect a cyber attack is 146 days.

That’s a lot of time to do a lot of damage.

Why Aren’t Small Businesses Investing More in Cyber Security?

With so many small businesses targeted, why are there still many that don’t take effective measures to protect themselves against cyber attacks?

For many small businesses it comes down to the price tag. The costs associated with cyber security are often perceived as being higher than what a lot of small firms can afford. But the reality is that the price that follows a cyber attack is much greater.

According to the Ponemon Institute report, following a cyber attack, the average costs for small and medium-sized businesses in 2017 were $1,027,053 due to damage or theft of assets, and $1,207,965 from disruption of normal business operations.

Plus, the Better Business Bureau survey found that only 35% of small businesses could remain profitable for more than three months if they permanently lost access to essential data due to a cyber attack. More than half of respondents indicated they would be unprofitable in less than a month.

There’s also a bit of a delusion among small businesses when it comes to cyber threats. Without question, the majority of small business owners are aware of cyber crime activity, but many view it as an issue that is more pertinent to large corporations. A KPMG study found that 85% of small businesses felt they were less likely to be the target of a cyber attack than a big corporation.

Undoubtedly, one of the main reasons for this mistaken perception comes down to an issue of visibility. When large companies get hacked, the news is splashed across headlines. Take, for example, last year’s huge data breach at Equifax. News of the breach was endlessly covered by major media outlets and was still making headlines more than a year after the incident. A cyber attack at a small firm with fewer than 100 employees isn’t going to draw the same level of attention.

That lack of visibility creates a troublesome cycle: small businesses don’t hear about other small businesses getting hacked, so they assume the situation doesn’t apply to them. It’s a way of thinking that can get small business owners in serious cyber security hot water.

Because it’s that exact way of thinking that hackers count on and capitalize on.

In fact, small businesses are routinely used by hackers as an entryway to big companies. Cyber criminals will often target smaller firms that are connected to large corporations. Target’s massive 2013 data breach is a prime example. The entry point that hackers used to access the company’s database was determined to have been an HVAC vendor. The breach ended up affecting 40 million customers and required Target to pay $18.5 million to settle claims.

Plus, let’s not forget that there are 30.2 million small businesses in the US, which provides a lot more targets for hackers compared to the country’s 19,464 large companies.

By not having sufficient security measures in place, small companies are playing right into the hands of cyber criminals.

What’s Being Done to Increase Small Business Cyber Security

The issue of cyber security among small businesses will only intensify as more develop an online presence.

To help address the matter, the Federal Trade Commission (FTC) recently launched new cyber security resources geared towards small businesses. The materials cover topics that are relevant to small businesses and educate owners about the dangers of cyber threats and the need to take precautions when building an online presence.

“This new national cybersecurity education campaign grew out of discussions we had last year with small business owners across the country about cybersecurity challenges,” explained Rosario Méndez, an attorney with the FTC’s Division of Consumer and Business Education, in a blog post.

Having resources is great, but it can be difficult for small businesses to implement and fully utilize this information since affordability is the main roadblock when it comes to cyber security. With this in mind, New York City recently launched a “moonshot challenge” that calls on industry experts to develop innovative, affordable, and scalable solutions that will protect small firms from cyber attacks.

“How might we make every small and midsize business in New York City and beyond as resilient to cybersecurity attacks as a Fortune 500 company?” reads the challenge’s website.

With $1 million up for grabs, the challenge, which has support from several international partners to help foster global collaboration, will announce the winners in summer 2019.

Since cyber criminals are becoming stealthier, the status quo won’t suffice for combating cyber attacks. One technology gaining more ground to help tighten up cyber security measures is blockchain.

The advantage with blockchain is that essential data is decentralized, making it extremely difficult for hackers to compromise the information. What’s more, because blockchain eliminates most of the human element from data storage, the technology dramatically decreases the occurrence of human error, which is the most significant cause of data breaches.

One of the reasons that blockchain has gained popularity in cyber security is its flexibility for use in any industry to prevent any type of data tampering. (Even Facebook has started exploring blockchain opportunities.)

As a report from Deloitte explained: “Today, if an attacker gains access to a blockchain network and the data, this does not necessarily mean the attacker can read or retrieve the information. Full encryption of the data blocks can be applied to data being transacted, effectively guaranteeing its confidentiality, considering the latest encryption standards are followed.”

Unfortunately, there is no immediate solution to the growing global problem of cyber attacks. That means that for small companies, cyber security needs to become a regular part of business planning. Just as with big corporations, consumers expect a level of security with small businesses.

But while large companies can usually survive a data breach, for small business owners their very livelihood, as well as the livelihood of their employees, is on the line with a cyber attack.

With so many emerging resources and technologies, there’s no longer any excuse for leaving cyber security on the back burner.

An “it’s not going to happen to me” outlook just isn’t going to cut it.
