A new survey conducted by CNBC and Momentive suggests that small businesses across the U.S. are either at little risk of being victims of a hack, or are supremely overconfident about their place in the growing national cybersecurity threat.
For Main Street customers, not knowing the answer to that question may be unsettling.
The CNBC | Momentive Q3 Small Business Survey includes what seems to be a series of contradictory findings.
Among America’s small business owners, a net 56% said they are not concerned about being the victim of a hack in the next 12 months, and among those, 24% said they were “not concerned at all.”
Among the 42% who are net concerned, only 13% described themselves as being “very concerned.”
Small business owners also are majority confident (59%) they can quickly resolve any cyberattack. Only 37% were net not confident and only 11% “not confident at all.”
And yet, only 28% of small businesses said they have a response plan in place in the event of a cyberattack. More than four in ten (42%) said they have no plan, and 11% said they were “not sure” whether their business had a plan in place. Only about one-quarter (26%) say they carry cyber insurance.
An encouraging sign: 14% said that while they currently have no cybersecurity response plan, one is in development.
The CNBC | Momentive Q3 2021 Small Business Survey was conducted July 26-August 3 among over 2,000 small business owners across the U.S.
“It’s a heads-in-sand moment for lots of these businesses,” said David Kennedy, founder of cybersecurity company TrustedSec and a former hacker himself.
Kennedy said small- and medium-sized businesses make up the largest share of his firm’s incident response work, as high as 85%.
The headlines about nation-state or nation-state-backed attacks on major companies, such as the recent JBS meat packing and Colonial Pipeline attacks, can lead small businesses to conclude they are too small to be targeted, but there are hackers of all sizes targeting all sizes of businesses, Kennedy said.
“We’ve seen one-person family pizza shops be fully compromised. We’ve seen one-person retail shops compromised. Independent Uber drivers targeted,” he said.
The various types of “bad actors” out there include those just starting out in building their hacking infrastructure and pulling off the equivalent of petty crimes before generating the cash to invest in more sophisticated attacks. The lowest levels of organized cybercrime, and individual hackers, successfully use business email compromise schemes to extract money from small firms.
“They will go after mom-and-pops and may only get $3,000 or $5,000, but that’s how it all starts. That’s how ransomware started, grandma and grandpa in churches, and how they invested more in hacking infrastructure,” Kennedy said.
He said not having a plan in place to respond to a cyberattack is the No. 1 issue.
“Every organization is susceptible,” he said, and it is not only that many don’t have a plan, but that they have just “a few IT guys and no one dedicated to security.”
Derek Manky, chief, security insights & global threat alliances at Fortinet’s FortiGuard Labs, said small businesses are increasingly in a vulnerable position as the attack surface continues to grow with IoT, remote work, and the explosion of endpoints that must be managed. And small businesses are often in one of the least favorable positions based on the in-house resources available to them to resolve an attack.
“The risk has never been higher for SMBs,” he said, citing a 2019 data point showing that small businesses are target No. 1 for criminals and represented 43% of all 2019 data breaches.
So far, many small businesses have been lucky. Only 14% of small businesses say they have been hacked, according to the results of the Q3 CNBC | Momentive Small Business Survey. But recent events suggest that could rise in the future, as more businesses were forced during the pandemic to adopt digital platforms as a mainstay and to allow workers to operate remotely.
The ransomware attacks that made recent headlines don’t seem, by and large, to have hit the small business sector. When asked if they have ever been the victim of a ransomware attack, only 7% of small businesses told CNBC and Momentive that they had been in 2020 or 2021. About half of those (51%) said they paid the ransom: 24% paid it on their own, and 27% said cyber insurance covered it.
“Once an attack is successful, the average time to detect the threat sits over 210 days while the mean time to contain/respond is 75 days,” Manky said, citing IBM data.
The big misunderstanding, in Kennedy’s view, is business owners and boards not viewing cybersecurity as a core risk like any other business risk, such as the supply chain or hiring. And he stressed that spending more in cybersecurity does not necessarily mean a firm is better preparing itself. It is more about the awareness and planning process.
In the survey, 67% of small businesses said they are spending the same on cybersecurity as they spent last year; 22% said they are spending more.
“If you’re doing business today and have any IT footprint you have to be doing security as part of it. You are basically playing Russian Roulette and it is only a matter of time before you are hit,” Kennedy said.
Any small business that thinks patching their software and installing the latest antivirus will be enough to protect them and their clients is not viewing cybersecurity as a business risk, according to Kennedy.
“That isn’t going to protect your organization,” he said. “I can guarantee you that from the 59% of your survey audience that said they were confident about responding to an attack, more than half have an inadequate security program.”
One survey finding that at least shows if your Main Street business is hacked, you will hear about it: 76% of small business say they should be required to disclose a hack to customers.