Most business owners are overconfident about their small business cybersecurity postures. Two-thirds of senior-level decision-makers who participated in a 2019 survey said they didn’t believe the small- to mid-sized businesses (SMBs) for which they’re responsible would fall victim to a digital attack. Within this prevailing view, many respondents didn’t view small business cybersecurity as important. Therefore, they didn’t have a plan to protect their employer against digital attacks. Just 9% of survey respondents cited digital security as the most important factor facing their SMB; double that amount ranked digital defense as least important. At the same time, 60% of business leaders revealed that they didn’t have a cyberattack prevention plan. A quarter of respondents stating that they wouldn’t know where to even start with SMB cybersecurity.

What’s Behind This Bravado?

There’s a tendency for SMBs to underestimate their digital security risks by thinking that digital attackers are inclined to go after enterprises only. But don’t let this swagger fool you. It doesn’t reflect the reality of small business cybersecurity.

The truth is threat actors behind today’s most common cybersecurity risks go after SMBs in nearly half (43%) of digital attacks, reported CNBC at the end of 2019. It’s thus not surprising that two-thirds of SMBs globally had actually reported a digital attack in the preceding year. (It was even higher for U.S. businesses at 76%, noted the Ponemon Institute and Keeper Security.) Those attacks ended up causing data loss in 63% of cases.

The problem is that SMBs lack cyber insurance and other means that could help them absorb the estimated $200,000 price tag of a data breach. In response, 60% of SMBs that have fallen victim to a data breach end up closing six months later, reported Inc.

Don’t Forget About the Influx of New Tech

The issue is that SMBs are downplaying the importance of small business cybersecurity while still expanding their attack surfaces.

Sometimes, they know what’s up, while other times, they don’t. Take mobile use as an example. Close to half (48%) of respondents said they used mobile devices to access more than 50% of business critical apps, reported the Ponemon Institute and Keeper. That’s one percentage point less than the respondents who realize how this practice undermines their small business cybersecurity posture.

It’s a different story with Internet of things (IoT) devices, though. Four-fifths of respondents to that same study said that their SMB had suffered a security incident as a result of an unsecured smart product. Even so, just 21% of respondents revealed that they actively monitor their business’ IoT devices for security risks.

The Door’s Wide Open

The findings discussed above provide a snapshot into how employers think of small business cybersecurity. In the case of mobile, they have employees who are knowingly going against security best practices. With IoT, they have yet to act upon risks that have helped to produce incidents in the past.

Together, these forces leave the door open for all kinds of threats to ravage SMBs’ networks. Chief among them is ransomware. Information Security Buzz pointed out that more than half (55%) of ransomware attacks now involve companies with fewer than 100 employees. Part of the reason why this is so is because SMBs lack proper data backup solutions. Ransomware attackers figure that small businesses will be more inclined to pay the ransom.

The Way Forward for Small Business Cybersecurity

Small business cybersecurity won’t change unless someone at the top supports it. For many, this support is lacking. Close to a third (32%) of SMB respondents to a 2020 study named a lack of budget as the greatest barrier to digital security.

Therefore, someone in IT or security might need to try to gain C-suite buy-in for an overhaul. People trying to change this can begin by trying to orchestrate their asks around areas where the business already expects to see growth. That could make it easier for executives to approve funding in those areas.

But first, they need to understand what’s being said. Hence why it’s crucial for people arguing for better protection to speak the language of risk. Use metrics that illustrate how certain small business cybersecurity threats undermine the employer’s business goals. This could include creating a proof-of-concept for a proposed solution or process. It should show how it can save the business time and money.

With that buy-in from higher up, they can focus on small business cybersecurity basics. Consider using asset discovery tools to build an inventory of all mobile devices, IoT products and other hardware connected to the network. They can then use network segregation, security configuration management and other controls to monitor those devices within their own network zones. It could also involve pairing those with data backup tools to limit the potential scope of a successful ransomware infection.

Keeping Employees in the Loop

At the same time, they’ll want to make sure their employees know what’s expected of them. They can create a small business cybersecurity awareness training program towards that end. Regular trainings will not only keep employees familiar with their employer’s policies, but also keep them informed about some of the new types of attacks in the wild.

Not all SMBs will know how to do those types of things on their own, of course. That doesn’t mean that they need to give up, though. It just means they might be better off working with a managed security service provider that has a history of helping SMBs to secure their networks while driving the growth of their business.

No One’s Too Small for Small Business Cybersecurity

SMBs make an alluring target for digital threat actors. Like large enterprises, they contain personal data, IP and other sensitive information. However, they might not think need to protect it despite possibly having suffered an attack in the past.

In the end, there’s no room for overconfidence when it comes to small business cybersecurity. No business is too small to be targeted. That’s why it’s essential for SMBs to make some changes and to take their security seriously in 2021.

More from Mobile Security

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

A View Into Web(View) Attacks in Android

James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware in Android uses overlay techniques to steal victims’ credentials. In 2022, IBM Security Trusteer researchers discovered a new trend in financial mobile malware that targets…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

Switching to 5G? Know Your Integrated Security Controls

5G is a big leap in mobile technology. It presents enterprises and service providers with capabilities for advanced applications, content delivery and digital engagement anywhere. It enables businesses with new use cases and integrated security needs to have a trusted network and application/data delivery function. How does one build a secure 5G network that provides the level of trust required by users today and in the future? The Benefits of 5G 5G's new use cases come from: Customized network slices…