CNBC and Momentive have conducted a new survey that suggests small businesses in America are either at low risk of being hacked or extremely confident about their position in the face of the evolving cybersecurity threat.
Uncertainty about the answer to this question can be troubling for Main Street customers.
The CNBC – Momentive Q3 Small Business Survey contains what appear to be contradictory findings.
A net 56% of small-business owners in America said that they don’t worry about being the victim of a hacker within the next 12 months. 24% stated they weren’t concerned at all.
Among the 42% who are net concerned, only 13% are “very concerned.”
59 percent of small business owners are confident that they can resolve any cyberattack quickly. Only 37% of respondents were net not confident, and 11% were not at all confident.
Only 28% of small businesses stated that they have a plan for responding to a cyberattack in case it happens. Nearly half of small businesses (42%) stated they don’t have a plan. 11% said that they weren’t sure if they had one. Only 25% of respondents have cyber insurance.
An encouraging sign is that 14% of respondents said that although they do not have a cybersecurity response plan at the moment, they are working on one.
The CNBC – Momentive Q3 2020 Small Business Survey was completed July 26 to August 3. It included over 2,000 small-business owners from across the U.S.
David Kennedy, a former hacker and the founder and CEO of TrustedSec, said, “It’s a heads-in-sand time for lots of these businesses.”
Kennedy stated that small and medium-sized businesses are the most common demographic for incident response. This number can reach as high as 85 percent.
Kennedy stated that although headlines about nation-state or nation-state-supported attacks on major corporations, like the JBS meatpacking and Colonial Pipeline attacks, can make small businesses think they are not worthy of being targeted, hackers are targeting all businesses.
“We have seen family pizza shops that are only one person be compromised. One-person retail shops have been compromised.” He said that independent Uber drivers were targeted.
There are many types of “bad actors,” including those who have just started out hacking and later move on to more advanced hacking. Individual hacks and organized cybercrime are at the lowest levels. However, small businesses can be hacked using business email compromise schemes.
“They will pursue mom-and-pops, and may only get $3,000 to $5,000, but that’s the way it all started.” Kennedy stated that ransomware started with hacking grandma and grandpa’s infrastructure.
According to him, the number one issue is not having a plan to respond to cyberattacks.
He said that “every organization is vulnerable” and that not only are they not prepared, but they also have “a few IT support guys and none dedicated to security.”
Derek Manky, chief of security insights and global threat alliances for FortiGuard Labs at Fortinet, stated that small businesses are becoming more vulnerable as the attack surface grows with IoT, remote working, and an explosion in endpoints to manage. Given their in-house resources, small businesses often find themselves in the worst position to deal with an attack.
He stated that SMBs are at greater risk than ever, citing data from 2019 showing that small businesses are the number one target. 43% of all 2019 data breaches were caused by criminals.
Many small businesses have had good luck so far. According to the Q3 CNBC – Momentive Small Business Survey, only 14% of small businesses have reported being hacked. Recent events indicate that this could increase as more businesses adopt digital platforms as a mainstay and allow workers to work remotely.
Ransomware attacks that have made headlines recently don’t appear to have affected small businesses. Asked by CNBC – Momentive whether they have ever been ransomware victims, only 7% of small businesses said they had. This was in 2020 and 2021. 51 percent of respondents said they paid the ransom: 24% said they paid it themselves, and 27% said cyber insurance covered it.
Manky, citing IBM data, stated that “Once an attacker is successful, the average time it takes to detect the threat is over 210 days, while the mean time it takes to contain/respond to is 75 days.”
Kennedy believes that the biggest misunderstanding is that boards and business owners don’t view cybersecurity as a core business risk. He also stressed that just because a company invests more in cybersecurity, it does not mean that they are better prepared. It’s more about planning and awareness.
The survey found that 67% of small businesses are spending the same amount on cybersecurity this year as last year, while 22% are spending more.
Security is a must if you are doing business today. Kennedy stated that you are playing Russian roulette, and it is only a matter of time before you get hit.
Kennedy says that small businesses that think patching and installing antivirus software will suffice to protect themselves and their clients are not considering cybersecurity a business risk.
He said, “That’s not going to protect your organization.” “I can assure you that more than half of the respondents to your survey who said they felt confident in responding to an attack will have a poor security program.”
A survey found that 76% of small businesses believe they should have to inform customers if their Main Street business has been hacked.