Why Small Businesses Don’t Care About Cyber Security

Image

With millions of small businesses out there, why don’t they care about cyber security? You may be reading this and own a small business or know someone that does. Think to yourself: why would small businesses not care about cyber security? You may find that it is not a problem of caring but a problem of understanding. Let’s take a look at some of the different reasons why small businesses don’t care about cyber security. A recent report shows that nearly 60 percent of small businesses will close within six months after experiencing a cyber attack. Why is this number so high? Well, like all small businesses, cash flow is limited, resources are tight, and everyone is wearing a lot of hats to cover different business responsibilities. Do you think a small business has a cyber security team on hand just waiting to respond to an attack? You may want to think again.

Do small businesses not care about cyber security?

Let’s start by assuming it is not that small businesses don’t care; it is that they don’t see cyber security as a risk... yet. Typically, a small business doesn’t identify a risk until they experience a loss or problem of their own. Let’s take inventory, for example. If a small business runs out of inventory, chances are that will disrupt the entire business, upset customers, create financial losses, and negatively affect the reputation of the business. The process of keeping inventory on hand is a necessity to keep the business running. Now the business has learned that if it runs out of inventory, it will directly impact its own success. So, how can we translate this concept to cyber security? Management and the business’ employees haven’t experienced a cyber attack that has actually impacted their operations. Listening to the news is one thing, but experiencing a cyber attack is something else. Some thoughts that come to mind from small business owners are as follows: "This can’t happen to me; our business is too small; who would even try to hack us; I don’t have data anyone wants." Talk to any small business owner, and you will probably hear one of those phrases. These are all myths, and small businesses have to understand the reality of this next statement.

"It is not a matter of if you will get hacked, but a matter of when."

How Small Businesses Can Increase Cyber Security

Even if the small business knows the risks and believes they will get hacked, how do they handle the budget issue? Most, if not all, small businesses don’t have an IT department. Typically, there is someone in charge of setting up computers, issuing phones, setting up email accounts, and managing the company files. But there are a few simple and effective steps small businesses can take to increase their cyber security posture and protect against cyber threats.

• Security Awareness Training

Hands down, security awareness training is one of the most effective ways to prevent a cyber attack against your small business. The majority of threats arrive at your employee’s inbox through phishing scams and other social engineering attacks. Training your employees how to defend against phishing, ransomware, removable media and malicious websites is a necessary component in a business' digital security strategy. Even covering how to create secure passwords is necessary to keep your business protected from hackers and defend against the evolving threat your employees face today.

• Password Manager

Along with keeping strong passwords, employees tend to forget them. Not only do they forget them, they also write them down and tell each other about them. Even worse, they skip that all together and end up using baseball17 or something similar as their password for everything. Most small businesses don’t feel that they can fall victim to an attack. Something important to teach your employees is that if they use a personal password for work and their personal account gets hacked, the hacker can use that password to attempt to access their work accounts. Using a password manager can help protect those online accounts and keep your business safe.

• Regular Risk Discussions

Similar to when we discussed that losing inventory will make a major impact for small businesses, we need to identify the other risks that affect our organization. Things such as: what happens if a disaster strikes? Does your organization have a backup if the building caught on fire? Has anyone ever thought of computer equipment getting stolen? What if your computers get hit with ransomware and they demand payment of $100,000? Should your company pay it? All of these scenarios are experiences that are not fun to deal with but can realistically happen to a small business. Your organization should be aware of the different risks it faces and how to prevent those risks.

Image

About the Author: Nick Santora is the CEO of Curricula, a cyber security education company located in Atlanta, GA. Curricula provides cyber security awareness training and NERC CIP compliance training solutions using an innovative story based learning approach. You can follow Curricula on Twitter @Curricula or check out their website at www.GetCurricula.com Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.