A new survey by CNBC and Momentive suggests that small businesses in the US must be at low risk of falling victim to a hack or that they are extremely certain of their place in the growing national cybersecurity threat.
Main Street customers may find it unsettling not to know the answer to this question.
The CNBC | The Momentive Q3 Small Business Survey appears to have a number of conflicting results.
Of small business owners in the US, 56% said they were not worried about being a victim of a hacker attack in the next 12 months, and 24% of them said they were “not at all worried”.
Of the 42% who are net affected, only 13% describe themselves as “very concerned”.
The majority (59%) of small business owners are also certain that they can solve any cyber attack quickly. Only 37% were not at all confident and only 11% were “not at all confident”.
Yet only 28% of small businesses said they had a plan to respond in the event of a cyber attack. Almost half (42%) said they had no plan; 11% said they were “not sure” that their company had a plan. Only around a quarter (26%) say they take out cyber insurance.
One encouraging sign: 14% said they do not currently have a cybersecurity response plan but are in development.
The CNBC | Momentive Q3 2021 Small Business Survey was conducted July 26 through August 3 among over 2,000 small business owners in the United States
“It’s a head-in-sand moment for many of these companies,” said David Kennedy, founder of cybersecurity company TrustedSec and a former hacker himself.
Kennedy said small and medium-sized businesses are the largest incident demographic response for his business – up to 85%.
The headlines about nation-state or state-sponsored attacks on large corporations, like JBS’s recent meat packaging attacks and the Colonial Pipeline, may lead small businesses to conclude that they are too small to be attacked, but there are hackers of all sizes target all sizes of businesses, Kennedy said.
“We have seen one-person family pizzerias being completely compromised. We saw retail stores being compromised. Independent Uber drivers have been targeted, ”he said.
The different types of “bad actors” out there include those who are just beginning to build their hacking infrastructure and manage the equivalent of hacking petty crime before they make the money to invest in more complex attacks. The lowest levels of organized cybercrime and individual hacks successfully use business email compromise schemes to siphon money from small businesses.
“They’re going to look for mom and dad and maybe only get $ 3,000 or $ 5,000, but that’s how it all starts. This is how ransomware, grandma and grandpa started in churches and how they invested more in hacking infrastructure,” Kennedy said.
He said having no plan to respond to a cyber attack was the number one problem.
“Every organization is vulnerable,” he said, and it is not just that many have no plan, but “a few IT people and nobody who is involved in security.”
Register: CNBC’s Small Business Playbook
This Wednesday, August 11th, come to meet the Head of Small Business Administration, Isabella Guzman; Kevin O’Leary, host of CNBC’s Money Court; and Aaron Rodgers of the NFL for actionable advice to start a small business in the new economy. Register here.
Derek Manky, chief, Security Insights & Global Threat Alliances at Fortinet’s FortiGuard Labs, said small businesses are increasingly vulnerable as the attack surface continues to grow with IoT, remote work, and the explosion of endpoints that need to be managed. And small businesses are often in one of the most unfavorable positions based on the internal resources they have available to remediate an attack.
“The risk for SMBs has never been higher,” he said, citing a data point from 2019 that shows that small businesses are the # 1 target for criminals, representing 43% of all data breaches in 2019.
So far, many small businesses have been lucky. Only 14% of small businesses say they have been hacked, according to CNBC third quarter results Momentive Small Business Survey. However, recent events suggest that this could increase in the future as more companies were forced to adopt digital platforms as a mainstay and empower employees to work remotely during the pandemic.
If you are doing business today and have an IT footprint, you have to do security as part of it. You are basically playing Russian roulette and it is only a matter of time before you get hit.
David Kennedy, founder of the cybersecurity company TrustedSec
The ransomware attacks that have made headlines in recent years seem, by and large, not to have hit the small business sector. When asked if they were ever a victim of a ransomware attack, only 7% of small businesses told CNBC and Momentive that they were in 2020 or 2021. About half of them (51%) said they had paid the ransom – 24% paid it themselves; 27% said that cyber insurance covered this.
“Once an attack is successful, the average time to detect the threat is more than 210 days, while the average time to contain / respond is 75 days,” Manky said, citing IBM data.
The big misunderstanding, in Kennedy’s view, is that business owners and board members don’t see cybersecurity as a core risk like any other business risk like supply chain or hiring. And he stressed that spending more on cybersecurity doesn’t necessarily mean a company is better prepared. It’s more about the awareness and planning process.
In the survey, 67% of small businesses said they spend the same amount on cybersecurity as they did last year; 22% said they would spend more money.
“If you’re doing business today and you have an IT footprint, you have to do security as part of it. You’re basically playing Russian roulette and it’s only a matter of time before you get hit,” Kennedy said.
Any small business that feels that patching their software and installing the latest antivirus software is enough to keep themselves and their customers safe isn’t looking at cybersecurity as a business risk, Kennedy said.
“It won’t protect your organization,” he said. “I can guarantee you that of the 59% of your respondents who said they were confident they would respond to an attack, more than half had an inadequate security program.”
A survey found that if your Main Street business is hacked, at least you’ll hear about it: 76% of small businesses say they should be required to disclose a hack to their customers.
