With cyberattacks occurring just about everywhere, at least one pocket of enterprise—small businesses—doesn’t seem very concerned.
Sixty-eight percent of small business CEOs are not worried about their business being hacked, and 90% are at least somewhat confident that their business would be able to recover from a hack, according to a survey by Paychex. That confidence runs counter to the National Cyber Security Alliance, which says more than 70% of cyberattacks target small businesses and the cost of recovery can be enough to permanently force an organization out of business.
The businesses that are not wary are making a big mistake, experts say.
“Attacks prey on those who either don’t know what to look for in one or don’t have the resources to fend those attacks off,” said Ryan Barrett, vice president of security and privacy at Intermedia. “This is why small- and medium-sized businesses are frequent targets of attacks.”
Small businesses “either cannot afford to fend off phishing attacks through expensive, specialized programs, or simply don’t have the wherewithal to do so in the first place,” Barrett said. “Since they’re small businesses, they may assume cybercriminals will ignore them for the bigger fish in the pond.”
What these businesses don’t realize is that they can also be used as a small but profitable stepping stone toward attacking the larger organizations with which they do business.
Small businesses must treat their IT security as they would physical security—that is, only granting access to exactly what the user needs within the network, and closing off areas that they aren’t permitted to access, said Sam Elliott, who specializes in IT security at Bomgar, a provider of secure access solutions.
"Small businesses are particularly vulnerable because they often possess richer data than average consumers, but generally lack the protections most larger businesses have in place," said Todd Colvin, senior director of data systems and security at Paychex, in a release announcing the survey results. "Short of putting in place a broad suite of cyber security protections, small businesses would be served well by following basic computer hygiene practices such as implementing a documented information security policy, logical access restrictions, robust logging and review, device and application patching—all year long," Colvin said.
While most respondents indicated a lack of concern about the threat, 10% admitted to having been the victim of a small-scale attack, and 9% said they'd been victims of a large-scale national or international attack such as ransomware or WannaCry.
Of perhaps greater concern is that, in addition to professional cybercriminals, employees can pose a risk. Ten percent of CEOs surveyed reported having discovered an employee inappropriately disclosing confidential business information online, either by accident or on purpose, and 9% suspected an employee of doing the same.
"Hiring the right employees who possess similar values from the start can have a positive impact on an organization's overall security," Colvin said. "Conducting a thorough background check is a critical component to making the right hire and is a step in the hiring process that should happen no matter what the position."
The Paychex survey polled 341 principals of U.S. companies with 1 to 500 employees.