Does your favorite yoga studio or local ice cream shop have a cybersecurity risk management plan? If not, they may be putting their sensitive data, or yours, at risk of cybertheft.
According to new research from insurance firm Nationwide, a significant percentage of small businesses may not know they have been a cyberattack victim due to a lack of understanding as to what constitutes a cyberattack.
Nationwide’s annual survey of business owners found that 13 percent said they experienced a cyberattack.
However, that number jumped to 58 percent of owners who identified as victims when shown a list of specific examples of attacks, including phishing, viruses and ransomware – revealing a 45 percent gap in understanding of what constitutes an actual attack.
“Although awareness is increasing, small-business owners are still not even realizing when they’ve been victims of cyberattacks,” said Karen Johnston, technical consultant for Nationwide. “Small-business owners have a misconception that cybercriminals are only targeting large corporations, but that couldn’t be further from the truth.”
According to Nationwide’s third annual survey of 1,069 business owners with 1-299 employees, more than 20 percent of cyberattack victims spent at least $50,000 and took longer than six months to recover. But 7 percent spent more than $100,000, and 5 percent took a year or longer to rebuild their reputation and customer trust.
Part of the problem facing a business’ ability to recover from an attack is that a majority of owners are not prepared. Most don’t have a cyberattack response plan in place (76 percent), a plan to protect employee data (57 percent) or a plan to protect customer data (54 percent).
Nationwide also warns that as companies are increasingly using technologies like the Internet of Things and artificial intelligence, they’re increasing their exposure to cybersecurity breaches.
“Cyberattacks are one of the greatest threats to the modern company,” said Mark Berven, president of Property & Casualty for Nationwide. “Business owners are telling us that cybercriminals aren’t just attacking large corporations on Wall Street. They’re also targeting smaller companies on Main Street that often have fewer defense mechanisms in place, less available capital to re-invest in new systems and less name recognition to rebuild a damaged reputation.”
While the majority of business owners say it’s important to establish cybersecurity best practices recommended by the U.S. Small Business Administration, fewer report actually following these best practices:
- Protect against viruses, spyware and other malicious code: 85 percent said it was important versus 65 percent actually doing so
- Secure your networks: 85 percent versus 58 percent
- Make backup copies of important business data and information: 85 percent versus 59 percent
- Establish security practices and policies to protect sensitive information: 83 percent versus 50 percent
- Control physical access to computers and network components: 81 percent versus 60 percent
- Require employees to use strong passwords and to change them often: 80 percent versus 52 percent
- Educate employees about cyber threats and hold them accountable: 76 percent versus 42 percent
- Protect all pages on public-facing websites, not just the checkout and sign-up pages: 74 percent versus 42 percent
- Employ best practices on payment cards: 73 percent versus 47 percent
- Create a mobile device action plan: 64 percent versus 26 percent