Over a third of small business victims of cyber attacks have lost money, and roughly the same number could remain profitable for three months if denied access to data, according to a study of 2000 businesses by the Belter Business Bureau
But it’s not because they lack security controls. Of the companies surveyed, 79% scan and filter email and web traffic, and find those measures effective. That figure rises to 84% for BBB-accredited — or AB — firms.
The second most widely used tool is training employees on cybersecurity (71%), and third is setting up log-ins and storing data for the long term (57%). In every case, AB firms score higher.
However, there are varying degrees of awareness of cyber threats.
Overall, 76% have heard of phishing, which seems to be the most famous form of attack. Second is ransomware, which 66% are aware of, followed by tech-support phone scams (65%).
But 8% have not heard of any of the risks listed, including Trojans and point-of-sale malware. And overall, the average awareness score is below 60%, leading the BBB to conclude that SMB owners could use more education on the subject.
That said, most respondents are aware of the cyber threat in general. For example, 87% correctly state that small businesses are not safe from cyber attacks.
And 85% rightly agree that “when making an investment in cyber security, you should consider a) the value of the data, b) the probability it can be breached, AND c) the effectiveness or ”bang for your buck” that the new control provides.”
Moreover, 79% noted that over 90% of successful cyber attacks start as phishing emails (but this raises the question of how they would know this when only 76% are aware of phishing).
And many SMBs are seeking information on cyber crime and ways to prevent it. For example, 41% want information on ransomware, and 40% on email encryption.
What kinds of data did respondents lose in cyber attacks?
Passwords and other forms of authentication were lost by 33%, and payment data by 22%. In addition, 21% were robbed of software-based products or other copyrighted material, and 17% lost customers’ personal data.
The most commonly used cyber security measures are antivirus (81% overall) and firewalls (76%). Employee education is a distant third, with 47%.
Of the companies polled, 35% say they could remain profitable for three-plus months if they lost access to essential data. But 19% believe they would last for only one week. However, that number is down from 22% last year.
The BBB reports that the annual average loss for SMB victims is an estimated $79,841, with a maximum total loss of $1 million.
What hinders companies’ cyber security efforts?
For 28%, it’s lack of resources, and for 27%, it's lack of expertise/understanding. For 14%, the hurdle is lack of information, and for another 14%, it's lack of time.
Of the U.S. consumers surveyed for this study, 45% rank the importance of a vendor’s approach to cyber security as very important. Companies are only slightly behind.
In contrast, 27% of companies surveyed say the issue is important, versus 9% of U.S. consumers. Yet 32% of U.S. consumers feel cyber security is very unimportant. And 11% are neutral. Only 10% say it is very unimportant.
In addition to the companies surveyed, the BBB polled 1,100 consumers.