One third of small businesses have no safeguards in place to stop a cybersecurity breach – even though 60 percent of those that suffer a breach will go out of business within six months.
That's largely because 51 percent of small business leaders and 35 percent of employees just don't think they're a target for cybercrime, a recent Switchfast survey of more than 600 small business employees and 100 leaders found.
As a result, many are lacking in basic security hygiene: 66 percent of SMB employees and 44 percent of leaders connect to public Wi-Fi to do work, 62 percent of employees and 44 percent of leaders use their work computers to access personal social media accounts, and 69 percent of employees and 76 percent of leaders don't protect their work email with multi-factor authentication.
Thirty-five percent of small business employees have no idea if their company has an incident response plan in place.
"For small businesses, cyberattacks are a matter of 'when,' not 'if,'" the report notes. "Developing a cybersecurity plan beforehand ensures businesses aren't scrambling to stay alive after hackers breach a sensitive server or database."
Stretched Too Thin
But at this point, most small businesses don't have the budget to do so. A separate Untangle survey of more than 350 SMBs worldwide found that 50 percent of organizations polled have annual IT budgets of $5,000 or less, and 50 percent of those have security budgets of less than $1,000.
Just 27 percent of respondents have a dedicated IT security pro on staff; 52 percent distribute IT security responsibilities among other employees.
The biggest challenges SMBs face regarding IT security, according to respondents, are budget constraints (48 percent), limited time to research and understand new threats (37 percent) and lack of manpower to monitor and manage security (34 percent).
Thirty-three percent of respondents have suffered a phishing attack within the last 12 months, 27 percent have been hit by malware, 15 percent have experienced a ransomware attack and 13 percent have been hit by all three.
"SMBs will always have to face limited budgets and resources allocated to IT security," the report states. "However, as hackers become more sophisticated, it is crucial organizations take a proactive approach instead of waiting to see if they become a victim."
A National Effort
These findings come soon after the NIST Small Business Cybersecurity Act was signed into law, requiring the National Institute of Standards and Technology (NIST) to "disseminate clear and concise resources to help small business concerns identify, assess, manage and reduce their cybersecurity risks."
Senator Brian Schatz (D-Hawaii), who co-authored the bill with Senator James Risch (R-Idaho), said that as businesses become increasingly reliant on the Internet to operate efficiently, they remain vulnerable to cyberattacks.
"But while big businesses have the resources to protect themselves, small businesses do not, and that's exactly what makes them an easy target for hackers," Schatz said. "This new law will give small businesses the tools to firm up their cybersecurity infrastructure and fight online attacks."
It's encouraging to see NIST putting a spotlight on the importance of SMB security, SiteLock president Neill Feather told eSecurity Planet by email.
"With businesses large and small struggling to shore up their security, strong guidelines are essential, and the NIST Small Business Cybersecurity Act will go a long way towards addressing the existing shortage in both security expertise and talent," Feather said.