Only 4 percent of U.S. small business owners have implemented all the cyber security best practices and recommendations from the U.S. Small Business Administration, a recent Nationwide survey of 400 U.S. small business owners found.
Those best practices include the following:
- Establish security practices and policies to protect sensitive information
- Educate employees about cyber threats and hold them accountable
- Require employees to use strong passwords and to change them often
- Employ best practices on payment cards
- Make backup copies of important business data and information
- Create a mobile device action plan
- Protect all pages on your public-facing websites, not just checkout and signup pages
Still, 65 percent of business owners said they've been hit by a cyber attack, with virus attacks the leading type at 33 percent, followed by phishing at 29 percent. And 86 percent of business owners believe that digital risk will continue to grow.
"The scary truth is that many small business owners, even if they are aware of these risks, have not implemented all the proper measures of protection," Nationwide vice president of cyber insurance Catherine Rudow said in a statement.
Eighty-three percent of small business owners allow employees to work securely from a remote location when needed, but just 50 percent have updated their remote work security policies in the past year.
One in five small business owners haven't committed their employees to formal cyber security training. That's even more true for smaller companies – 30 percent of companies with 11 to 50 employees haven't done so.
"Many employees may not realize the magnitude of risk associated with a cyber-attack as they may not have engaged in a formal training process," Rudow said.
A Daily Threat
A separate study by the U.K.'s Federation of Small Businesses (FSB) found that British small businesses are hit by almost 10,000 cyber attacks a day.
Twenty percent of small businesses said they'd been hit by a cyber-attack within the past two years, a total of more than 7 million individual attacks.
The annual cost of those attacks to the small business community is estimated at £4.5 billion, with an average cost per attack of £1,300.
In the past two years, 530,000 small firms were hit by phishing attacks, 374,000 were hit by malware, 301,000 were hit by fraudulent payment requests, and 260,000 were hit by ransomware.
Still, as with the Nationwide survey, the FSB found that small businesses aren't taking the threat as seriously as they should.
Thirty-five percent of small firms haven't installed security software over the past two years, 40 percent don't regularly update software, and a similar proportion don't back up data and IT systems. Less than half have a strict password policy for devices.
"These findings demonstrate the sheer scale of the dangers faced by small firms every day in the digital arena," FSB policy and advocacy chairman Martin McTague said in a statement.
"More small firms are waking up to the threat of cybercrime," McTague added. "It's a threat that's evolving rapidly, but too many small businesses still lack access to the resources and budgets needed to contain it."