I said earlier this week that the trend discussed the most in both casual conversations and formal interviews was the effect of human behavior on cybersecurity. Yet, there was a subtext to every one of those discussions: Small businesses need to step up with their cybersecurity efforts.
An article in Finance & Commerce cited a survey conducted by an insurance company called Hiscox, which found:
small businesses are less likely to make changes to their cybersecurity systems after an attack. Twenty-nine percent said they did nothing after being attacked, compared to 20 percent of larger companies. Small companies are almost as likely to be attacked — 68 percent of small businesses reported at least one in 12 months, compared to 72 percent of larger businesses.
The article went on to point out that the likely reasons small businesses were unprepared had to do with money and time – and I’ll add probably a lack of access to security or IT professionals. However, in my conversations, the real problem centered on that last statistic – small businesses are just as likely to be attacked, but as security professionals repeated almost verbatim, smaller businesses simply don’t think they are big enough to be a victim. And it is our job, as security pros and security media, to convince small business owners and decision makers that by ignoring the problem, they put themselves at huge risk for an attack they may not be able to recover from.
For example, during a conversation with Adam Kujawa and Jerome Segura from Malwarebytes Labs, the topic shifted to phishing attacks and ransomware infections. The men said that with the sophistication in ransomware, hackers will be able to better target their efforts toward larger enterprises, which result in much higher payouts. I asked if that plays into the attitude held by many in small business that they aren’t big or profitable enough to be a target. Segura said the bottom line is that the hackers using ransomware want to be paid, and if they can negotiate a payment price with a small business, they’ll do it. Segura added:
It’s a numbers game. There are many more small businesses than large enterprises.
And that means more targets who feel they must pay out. And, even if a backup plan is in place, ransomware is still costly for a small business in downtime and in expenses to get their system up and running again.
In writing about the RSA conference, Sean Michael Kerner stated in eSecurity Planet that cybersecurity is no joke. This is especially true for small businesses that need to step up their security process before disaster hits.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba