The truth behind 5 small business cybersecurity misconceptions

Author: Christopher Tozzi

Cyberattacks impacting large enterprises and government agencies are often featured prominently in news cycles. On the other hand, small business cybersecurity breaches are generally less likely to become major headlines.

Perhaps this lack of media coverage is one reason why one survey found a majority (51%) of small businesses don't have any cybersecurity measures in place.

Yet, small business owners should be wary of this and other cybersecurity misconceptions because they can place their businesses in jeopardy. Here we examine the truth behind some common myths and what smaller companies can do to help protect themselves—even without the resources of larger organizations.

Misconception 1: My business is too small to target

One of the most common small business cybersecurity misconceptions is the idea that attackers only target large organizations. When asked why they don't have any cybersecurity measures in place, 59% of respondents said they were too small to be a target.

At first, this might seem to make sense because it's understandable to assume attackers have more to gain by launching attacks against larger businesses. You might think, for instance, that threat actors wouldn't bother launching ransomware attacks against smaller companies because they are unlikely to be able to pay a significant ransom.

The reality, though, is attackers frequently target small organizations. Small businesses were the majority of victims reporting to the FBI in 2021. According to research from the Hiscox Group, companies with revenue between $100,000 and $500,000 are just as likely to be attacked as those earning between $1 million and $9 million.

Indeed, when small businesses forgo basic protections, they become easier targets, which may make them more attractive even if the amount of money attackers can extract from them is lower.

Misconception 2: Cybersecurity for small business is too expensive

Another common small business cybersecurity misconception is the idea that small businesses can't afford it. Around one-fifth (19%) of small businesses without cybersecurity protection cited cost as the reason. They may believe they can't afford advanced vulnerability scanners or security monitoring software, for instance, or that hiring cybersecurity experts is out of their budget.

Many security solutions may be designed for larger organizations and their larger IT staff, but this doesn't mean affordable cybersecurity solutions for small businesses don't exist. On the contrary, many of the most effective cybersecurity protections, such as multi-factor authentication for devices and applications and security monitoring built into internet connectivity plans, may be quite affordable and relatively easy to implement.

They may not require the purchase of expensive enterprise cybersecurity software, and you can typically use them even if you don't have a professional cybersecurity staff.

Misconception 3: It is easy to recover from a cyberattack

Similar to the misconception that cybersecurity for small business is too expensive is the idea that it is easy to recover from an attack. A CNBC survey of small business owners in Q4 2022 found 64% believe they can quickly resolve any cyberattack. After all, why spend money on a problem when the cost is not significant? Unfortunately, this is not the case.

Insurance company Nationwide surveyed small businesses about their views on the cost of a cyberattack and how long it would take them to recover. Two-fifths of small business owners expect a cyberattack to cost less than $1,000, while 60% think it would take under three months to fully recover. Yet data from Nationwide cyber insurance claims show the recovery cost of breaches generally ranges between $15,000 and $25,000; the average recovery time is 279 days.

According to the Verizon 2023 Data Breach Investigations Report (DBIR), ransomware is the most common method of attacking small businesses, and 95% of all ransomware incidents (for small and large organizations) involved losses of up to $2.25 million. Per the DBIR Small Business Snapshot, bad actors used system intrusion, social engineering, and basic web application attacks in 92% of small business breaches with 98% of motives reported as financial gain.

Misconception 4: Only professional hackers are a threat

Whether due to how hackers are portrayed in popular culture or U.S. government warnings about possible pro-Russian cyberattacks, many are concerned with the impact threat actors may have on their business. When asked who might be behind an attack on their small business, the leading responses were professional hackers in the U.S., foreign-based professional hackers, organized criminal groups, and amateur hackers or hacktivists.

This view is not one of the dangerous cybersecurity misconceptions that may place your business at risk, but it is missing an important component—your employees. According to the DBIR, one-third (34%) of attacks on very small businesses (10 staff members or fewer) originated internally, and a grudge was a motive in 1% of breaches involving small and medium businesses (SMBs).

It's important to recognize that employees can cause damage without acting maliciously. One mistaken click can be all that is needed—the human element was involved in 74% of all breaches analyzed according to the DBIR.

Misconception 5: Only IT staff need to worry about cybersecurity for small business

The fact that nearly three-quarters of attacks involve the human element shows why cybersecurity misconceptions can be so damaging. If anybody can potentially cause a breach, then everybody has a role to play in protecting your business. This is why cybersecurity training is so critical.

The potential impact of a breach is another reason why small business cybersecurity should not just be the concern of your IT team (assuming you have one). All aspects of the company can be impacted:

  • Finance will need to be aware of the bottom-line impact of any breach.
  • Operations will need to consider how to maintain business continuity if some or all systems are offline or otherwise impacted.
  • Legal will need to monitor any potential legal consequences, including fines.
  • Marketing, customer relations, and sales will be concerned about the reputational impact of any breach, particularly if it involves sensitive customer information—87% of small businesses collect personal information from customers.

Verizon and small business cybersecurity

It's understandable that cybersecurity misconceptions can take hold. Small business owners are busy trying to grow their businesses, and while they may face many of the same threats as larger organizations, they don't generally have access to the same level of resources.

The good news is there are effective steps smaller organizations can take to help protect themselves, and they don't need to spend a fortune to do it.

  • Business Internet Security solutions from Verizon are simple and effective security approaches that help qualified customers protect their businesses from cyberthreats.
  • Verizon DDoS Shield is a cloud-based DDoS mitigation service that can help tackle today’s threats. This DDoS prevention solution can help lift the burden off your team by giving you the intelligence to help distinguish good traffic from bad traffic, and the capacity you need to help combat large volume attacks.

Learn more about how Verizon can provide small business cybersecurity solutions and expertise that can be customized to your needs to help you remain productive.

The author of this content is a paid contributor for Verizon.