Should Small Businesses Worry About Cybersecurity?
Should smaller businesses worry about cybersecurity? We hear this question often. Just as often, we hear excuses about why smaller businesses don’t need to worry about cybersecurity. The problem with these excuses is that they’re not rooted in any understanding of the cybersecurity threat landscape. The simple answer is: small businesses need to worry just as much as large businesses about cybersecurity, regardless of whether they can invest as heavily in their defenses. The fact is, cybersecurity can pose a catastrophic risk to any business, and unfortunately smaller businesses are quite often the most vulnerable.
To understand why small businesses need to worry about their cybersecurity, let’s start by dissecting the most common arguments (excuses) small businesses might offer to justify avoiding serious thought or investment in cybersecurity.
- “We’re too small to be a target”
- “Even if we worry about it, we cannot invest enough to stop it, so why bother”
- “The cost to improve cybersecurity outweighs the cost of the threat to smaller businesses”
- “It won’t happen to us”
Is your business too small to be targeted by cyber criminals?
This is the most common argument from small business leaders about why cybersecurity is not really a concern they need to worry about. I understand how they came to this line of thinking. They watch the news, and they see the headline worthy cyber-attacks against name brands like Target, Home Depot, LinkedIn, Sony, etc. Since the attacks on these industry behemoths are often highly targeted, conducted by sophisticated cybercriminals, and sometimes backed by nation-states, it is easy for small business leaders to look at those examples in the news and comfort themselves with the seemingly logical conclusion that their business would never be worth it for these bad actors.
Unfortunately, this line of thinking ignores the reality, which is that cyber-attacks, data breaches, etc., are common across businesses of all sizes. The media isn’t going to publish articles about the everyday occurrence of cyberattacks on small businesses because it won’t grab readers’ eyeballs. This gap in news coverage creates a very dangerous perception gap in the business world about who’s at risk from cybercriminals. The reality is that cybersecurity threats are widespread, and every business is a ‘target’.
Let me clarify ‘target’ for a moment, because there’s so much misperception about cybercriminals’ targets that it’s worth its own sidebar. Due to how cyberattacks are covered in the news, there’s a perception they’re always highly ‘targeted,’ as if all the cybercriminals are like snipers that stalk the target, wait for an ideal angle, then let off their precise shot. While that does happen, that’s not the profile of most cybersecurity incidents. Most cyberthreats are indiscriminate. Sticking with the war comparison, most cyberthreats are more akin to biological weapons attacks that infect and spread with little or no regard for target-selection and without any ongoing top-down control. So, yeah, sure, your small business likely won’t be ‘targeted’ by sophisticated hacker teams backed by the North Korean military, but that does not mean you won’t be targeted.
So small businesses are a target, but what’s even more alarming is that all the cybersecurity trends point to the threat growing at astounding rates.
Still skeptical about this point? That’s okay, you don’t have to take my word for it. Let’s look at the numbers:
- 43% of cyber-attacks target small businesses.
- There is a hacker attack every 39 seconds, affecting 1 in 3 Americans every year, according to a study at the University of Maryland.
- 64% of companies have experienced web-based cyberattacks.
- 62% experienced phishing and social engineering attacks.
The numbers don’t lie, the threat is pervasive, and every business is a potential victim.
Hopefully at this point, you accept that the cybersecurity threat does pertain to your small business. Accepting the problem is the first step, but now you’re thinking, “Okay, what can I do about it?” Specifically, the next question you might be thinking is…
How much does a small business need to invest to improve their cybersecurity?
Here are some quick actions you can take right away to improve cybersecurity, at little to no cost.
Enable Multi-Factor Authentication (MFA) on all of your critical accounts, software, and systems
The Cost: In most cases the cost is $0 to enable MFA
If there’s a cost, it may just require a few hours from your IT administrators/consultants to enable MFA on certain systems. This is a great breach prevention method and it’s free or nearly free so go do this, now!
Implement complex password requirements
The Cost: In most cases, the cost is $0
All you must do is set and enforce a company policy mandating the use of complex passwords. There are tools to force complex passwords on certain systems and, like MFA, it may require a few hours from your IT admin or consultants to enact those policies.
Invest a small amount in email security for a high return on investment
The Cost: Email security software is $3 - $8 per month per mailbox
Email security solutions can greatly reduce the risk of email-based threats. There may be a small one-time cost (<$2,500) to implement a solution if you need an outside consultant to do it for you. This is a high return on investment though, because these costs are minimal, and because email phishing is a huge threat. Phishing attempts have grown 65% in the past year, 76% of businesses reported being a victim of a phishing attack in the last year, and phishing attacks account for 90% of data breaches. In other words, a small amount of money can dramatically decrease your risk of becoming a victim via the #1 source of cyberthreats.
Invest in cybersecurity training for your staff
The Cost: Generally, web-based cybersecurity training will cost between $2 - $5 per month per team member.
Like email security, there may be a very small setup cost (<$2,000). A well-trained and aware employee can be one of the best lines of defense. A little training goes a long way towards tuning employees’ radars to potential threats, inappropriate actions or data-use, and how to handle potential incidents to minimize impact.
As you can see, you don’t need to invest anything to improve your security, and for a very small investment, you can make big strides in the right direction. Don’t let the lack of a huge cybersecurity budget be your excuse!
Does the cost of improving cybersecurity outweigh the benefits for small businesses?
If you read the last section, you can probably answer this without my commentary. If not, here’s the short answer: yes. Should a small business spend every dime of free cash flow on cybersecurity? No, of course not! Aside from being impractical, that expense may not outweigh the benefit. But no one is suggesting you go hog-wild with your cybersecurity budget in a small business. What we’re suggesting is that you at least look at your cybersecurity and invest in it much like you invest in insurance. You’re likely spending hundreds or thousands a month on insurance to protect against all manner of other risks. I’d argue that you should at least invest a fraction as much in cybersecurity, because the benefits will certainly outweigh the cost.
The investment can be a pretty insignificant amount for most businesses, so then what’s the benefit? Well, potentially a lot of money saved, and that’s just in terms of explicit cost, before accounting for things like sleeping peacefully, protecting your goodwill with clients and staff, etc. How much am I talking about? Let’s look at some numbers: Kaspersky Lab reports the average cost of a data breach for a small business in North America is as high as $117,000. Other sources, including Gartner, have pegged the average cost of cyber-attacks on small business at around $38,000. Maybe your cost won’t be that high, but I can tell you this from a decade plus of hands-on experience: one successful ransomware attack that infects your systems will come with a starting cost of $10,000 - $20,000 just to properly clean up the initial mess (that’s not even considering the cost of paying the ransom). Again, that’s just the explicit cost, not the true cost.
In summary, you can invest around $1,000 a year per 10 employees and drastically reduce the risk of an unexpected $10,000 - $117,000 (or more) event. The costs of cyberbreaches are so catastrophic that they are quite often business-ending events. Would you bet your entire business to save a few grand?
What’s the risk of a cyberattack happening to your small business?
If you’re going to be in business for any significant amount of time, the odds are high you’re going to face a cyberattack at your small business. If you still doubt that, please re-read the statistics at the beginning of the article and note that the number of threats is growing at alarming rates year over year.
In other words, the question is not IF it will happen, but simply when and how bad.
Hopefully, after reading this, you already recognize that the “It won’t happen to us” line is just willful ignorance. Pretending a risk does not exist does not make it go away. It just helps you reconcile the cognitive dissonance in your own mind, but that attitude does you a huge disservice. Failing to acknowledge and address the cybersecurity risk leaves you, your employees, your customers, your business, and any other stakeholders exposed to risk you could have better managed. In other words, don’t be a helpless victim. You deserve better and you can have better cybersecurity.
Hopefully this article, at the least, persuaded you to care and to take some action to protect your small business. If you’re ready to take steps in the right direction, and want some guidance from cybersecurity experts, Framework is happy to help!