A new survey by CNBC and Momentive suggests that small businesses in the United States are either at little risk of being hacked or extremely confident about their place in the growing national cybersecurity threat.
For Main Street customers, not knowing which of the two it is can be confusing.
The CNBC | Momentive Q3 Small Business Survey includes what appears to be a series of conflicting results.
Among US small business owners, a net 56% said they were not worried about being the victim of a hack in the next 12 months, and among them, 24% said they were “not worried at all”.
Among the net 42% who are concerned, only 13% say they are “very worried”.
Small business owners are also overwhelmingly convinced (59%) that they can resolve any cyberattack quickly. Only 37% were not confident and only 11% “not at all confident”.
And yet, only 28% of small businesses said that in the event of a cyberattack, they had a response plan in place. Almost half (42%) said they had no plan; 11% said they were “not sure” if their business had a plan in place. Only about a quarter (26%) say they have cyber insurance.
Encouraging sign: 14% said that while they currently have no cybersecurity response plan, one is in development.
The CNBC | Momentive Q3 2021 Small Business Survey was conducted from July 26 to August 3 among more than 2,000 small business owners in the United States.
“This is a time of confrontation for a lot of these companies,” said David Kennedy, founder of cybersecurity firm TrustedSec and himself a former hacker.
Kennedy said small and medium-sized businesses are the largest demographic for his firm's incident response work, up to 85%.
Headlines about nation-state or nation-state-backed attacks on large corporations, such as the recent attacks on meatpacker JBS and the Colonial Pipeline, may lead small businesses to conclude that they are too small to target, but there are hackers of all sizes targeting businesses of all sizes, Kennedy said.
“We’ve seen one-man family pizzerias totally compromised. We’ve seen one-man retail stores compromised. Independent Uber drivers targeted,” he said.
The different types of “bad actors” include those who are just beginning to build their hacking infrastructure and are committing the hacking equivalent of petty crime before generating money to invest in more sophisticated attacks. The lowest levels of organized cybercrime and individual hackers successfully use business email compromise schemes to extract money from small businesses.
“They’ll go after moms and dads and maybe only get $3,000 or $5,000, but that’s how it all starts. That’s how ransomware started, grandma and grandfather in churches, and how they invested more in infrastructure hacking,” Kennedy said.
He said not having a plan in place to respond to a cyberattack is problem #1.
“Every organization is susceptible,” he said, and many not only have no plan but have just “a few IT people and no one dedicated to security”.
Derek Manky, head of security intelligence and global threat alliances at Fortinet’s FortiGuard Labs, said small businesses are increasingly vulnerable as the attack surface continues to grow with IoT, remote work and an exploding number of endpoints that need to be managed. And small businesses are often in one of the least favorable positions given the internal resources they have to resolve an attack.
“The risk has never been higher for SMEs,” he said, citing a 2019 data point showing small businesses are the #1 target of criminals and accounted for 43% of all data breaches in 2019.
So far, many small businesses have been lucky. Only 14% of small businesses say they’ve been hacked, according to the Q3 CNBC | Momentive Small Business Survey results. But recent events suggest that number may increase in the future, as more companies have been forced during the pandemic to adopt digital platforms as a mainstay and allow workers to operate remotely.
The ransomware attacks that grabbed the headlines recently do not appear to have hit the small business sector as a whole. When asked if they had ever been the victim of a ransomware attack, only 7% of small businesses told CNBC and Momentive that they had been in 2020 or 2021. About half of them (51%) said they paid the ransom: 24% paid it on their own; 27% said cyber insurance covered it.
“Once an attack is successful, the average time to detect the threat is over 210 days while the average time to contain/respond is 75 days,” Manky said, citing data from IBM.
The big misconception, according to Kennedy, lies with business owners and boards that don’t view cybersecurity as a critical risk like any other business risk, such as supply chain or hiring. And he stressed that spending more on cybersecurity doesn’t necessarily mean a business is better prepared. It’s more about awareness and the planning process.
In the survey, 67% of small businesses said they spend as much on cybersecurity as they did last year; 22% said they spent more.
“If you are doing business today and you have a computer footprint, you have to do security within it. You are basically playing Russian roulette and it is only a matter of time before that you don’t get hit,” Kennedy said.
Any small business that thinks patching its software and installing the latest antivirus will be enough to protect it and its customers doesn’t see cybersecurity as a business risk, according to Kennedy.
“It will not protect your organization,” he said. “I can assure you that of the 59% of your audience who said they were confident in their ability to respond to an attack, more than half have an inadequate security program.”
A survey found that at least if your Main Street business gets hacked, you’ll hear about it: 76% of small businesses say they should be forced to disclose a hack to customers.