Small business cyber security continues to be a huge focus for us here at CSID. They are an especially vulnerable group for cyber threats because they store more information than individuals, but have fewer resources to defend themselves than large enterprises. Cyber criminals have caught on and have small businesses in their crosshairs more than ever. Symantec recently reported that over 60 percent of all attacks in 2014 were directed towards small and midsize companies in its 2015 Internet Security Threat Report.
To better understand how small businesses are approaching risk mitigation and response, we recently conducted a survey of small business owners in the United States. The key finding: Small businesses are more at risk than they think, and are not taking proactive steps or allocating budget to defend against attacks.
The survey revealed other interesting trends. While most small businesses are concerned about cyber attacks (58 percent), more than half (51 percent) are not allocating any budget at all to risk mitigation. Notably, small business reported the reason why risk mitigation is not a financial priority is because they feel they don't store any valuable data. Yet a whopping 68 percent reported that they store email addresses, 64 percent store phone numbers and 54 percent store billing addresses - all of which are significant pieces of information to cyber criminals. This indicates a significant educational disconnect: many small businesses do not understand the value of personally identifiable information (PII), and how it puts them at risk.
Understanding the activities that put a business at risk and how a compromise occurs can help small businesses stay one step ahead of cyber threats. We see a variety of common attacks targeted at small businesses through phishing and other tactics, including Denial of Service (DoS) attacks, malware, and zero-day attacks. As these attacks continue to become more sophisticated, it has become significantly more difficult for the average business owner to identify these attacks without the support of a third-party monitoring service.
While the majority of small businesses are concerned about cyber crime, the survey revealed that they are doing little to proactively prepare for cyber attacks. Only 38 percent of small businesses reported that they regularly upgrade software solutions, only 31 percent monitor business credit reports, and only 22 percent encrypt databases.
To bridge this education gap and prompt small businesses to mitigate their risk of cyber attacks, it will take a collaborative effort on the part of both the security industry at large and the public and private sectors to raise awareness around this issue. Cyber security best practices must become top-of-mind for small business owners as they work to define their business plans and corporate cultures. As employees are often the weakest link in a business' security, employee education is key; including enforcement of policies around passwords, bring your own device (BYOD) and social media. Last but not least, enlisting in third-party services to monitor business information will be essential in arming small businesses with the tools they need to help keep their business secure.
With the rise in attacks on small businesses, it's becoming less a question of if a small business will be hacked, but rather, when. The good news: by committing to raising awareness around the issue, we can help small businesses ensure they're taking every necessary step to protect themselves against cyber threats so they can focus on running their business.