America has more than 30 million small businesses with fewer than 500 employees apiece. These companies pay almost half the wages in the country and are huge engines for job creation. For too many of them, however, cybersecurity isn’t a pressing priority.
We learned this in the Q1 AppRiver Cyberthreat Index for Business, which surveyed more than 1,000 small to midsize businesses. The results reveal that 58% of respondents consider the importance of cybersecurity to be “high” or “very high.” Another 78% say that cyberthreats are on their mind some of the time. These are positive signs, but they’re not the most revealing takeaways.
The survey also finds widespread anxiety about cybersecurity. More than half of the respondents feel they don’t invest enough in cybersecurity, and 45% feel vulnerable to imminent attack. Taken together, these stats reveal something troubling: SMB owners know that cybersecurity is a major threat, yet they feel unprotected and unable to improve.
Almost half of SMBs (48%) believe that a major breach would permanently shut down their business. That number shot up significantly among financial services and insurance SMBs, with 71% saying that a major data incident would be fatal. Healthcare and business consulting SMBs followed at 62% and 60%, respectively.
Help From the NIST?
The fact that small businesses face higher cyberthreats is not new. Hackers have long known that smaller companies tend to have less robust cybersecurity and valuable resources to exploit. In no uncertain terms, that makes these businesses low-hanging fruit for cybercriminals.
In response, regulators passed the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act in 2018. The law requires the NIST to provide small and midsize businesses with cybersecurity resources and best practices. The agency does this primarily in the form of an in-depth document available for download.
The depth of that document turns out to be its best — and worst — feature. It undeniably includes a lot of valuable, actionable information. From the perspective of a small business owner with limited disposable time and technical expertise, however, it’s basically impenetrable. Translating the recommendations into realistic plans takes more input than most executives are willing to invest. As a result, meaningful improvements to cybersecurity might not ever be implemented.
As important and valuable as the NIST cybersecurity framework is, small business CEOs shouldn’t consider it a comprehensive response to cybersecurity. Rounding out the protection — and minimizing the anxiety — involves going above and beyond what the NIST recommends.
Fighting the Good Fight
Employees are on the front lines of cybersecurity, especially at small businesses. They are the ones who will inform, plan, and carry out the actual strategy. They also will be the first ones to encounter attacks, meaning each one is an important gatekeeper. Shoring up cybersecurity begins and ends with empowering employees.
Use these strategies to ensure that everyone adds to the effort:
1. Invest in employee training
People’s understanding of cybersecurity varies widely, even among the technologically literate. To guarantee that everyone has the same cybersecurity mindset and skill set, companies are increasingly investing in formal employee training programs. The market for training has topped $1 billion, and the total is expected to grow to $10 billion annually by 2027 as more users spend more time online. Cybersecurity training is quickly being seen as a basic component of computer literacy, so companies should start treating it like a crucial component of employee onboarding.
2. Prioritize two-factor authentication
The flip side of prioritizing cybersecurity training is acknowledging the vulnerabilities that employees create even with great training. Many of these relate to password security, which is why two-factor authentication, also known as 2FA, should become the standard. Research shows that less than 10% of users have 2FA set up on their Gmail accounts, so there’s a lot of room for improvement on this issue. Considering how easy and effective this one security measure is, there’s no excuse to not use it.
3. Choose the cloud first
Whereas 81% of all SMB decision makers say they use cloud-based solutions to store their confidential data, a surprising 44% are concerned about the security of the cloud and another 19% don’t believe it offers convenience as a benefit. That’s problematic. Relying on cloud-based technologies is a shortcut to completing a lot of the work in the NIST framework. Cloud providers stake their reputations on being able to secure the cloud from threats and recover client data if there is ever any kind of issue. Those are also priorities in the NIST framework. By relying on cloud providers to deliver the recommended levels of security, small businesses can avoid doing it themselves.
4. Work with managed service providers
Estimates suggest there are 100,000 managed service providers ready to assist America’s small businesses. When cybersecurity talent is unavailable for any reason, managed cybersecurity providers are available to pick up the slack. That can come in the form of consulting or technology, but in either case it helps small businesses maximize the impact of their cybersecurity budget. Just as importantly, it helps these businesses avoid the pitfalls that come from relying entirely on internal resources for cybersecurity.
Takeaway
Small business CEOs need to remember two things. First, an attack on small businesses is an attack on everyone. These businesses and their employees are too important to the American economy to overlook as we collectively begin grappling with cybersecurity. Second, it’s important to understand that cybersecurity is confusing. Small businesses can’t be blamed for their lack of expertise, but they can be blamed for their lack of action.
For CEOs to get in front of this issue, they need to make their own workforces as secure as possible. Then they need to acknowledge where the weaknesses and vulnerabilities remain and bring in outside assistance. Accordingly, the very best response to cybersecurity is not to be anxious, but to be realistic instead.