In an Insureon poll of Manta members, we surveyed 2,500 small-business owners on cyber security and what steps they take to protect their businesses from a data breach. Turns out the majority of respondents don't think small business data breaches are a threat. Yikes!
When asked if they feel at risk for a data breach, 82 percent of respondents said no. Why the lack of concern? Perhaps it's because 85 percent of small-business owners said they've never experienced a data breach, and 77 percent of respondents say they take steps to protect their business against cyber crooks.
Let's look at the full survey results:
Do you feel you are at risk of experiencing a cyber attack or breach?
Do you have controls in place to protect yourself from a data breach?
If so, what?
- Anti-malware software: 80%
- Anti-virus software: 89%
- Automated data backups: 66%
- Firewalls: 81%
- Employee IT training: 54%
- Spam filters: 76%
- Automated software updates: 70%
- Regular vulnerability scans: 71%
Have you experienced a data breach in the past?
Do you have cyber liability insurance?
Do you have customer data that would be susceptible to an attack on your business network?
Who manages your company's IT needs?
- A contracted IT worker: 13%
- A third-party IT firm: 12%
- I have a full-time IT employee: 17%
- I do: 58%
Let's look at these results in more detail and review some best practices for small business data security.
Poll methodology: Between October 4 and October 9, 2017, Manta surveyed 2,502 small business owners via an on-site poll. The margin of error is +/- 1.96 percentage points.
Cyber Attacks against Small Businesses Are More Common (and Costly) Than You Think
As we mentioned earlier, 82 percent of respondents said they aren't particularly worried about a cyber attack. But maybe they should be. Of the more than 34,000 cybersecurity incidents that happen daily in the US, 62 percent occur at small and midsize businesses. The 2016 State of SMB Cybersecurity Report even found that 14 million small businesses in the United States have been breached.
Though 85 percent of respondents say they haven't been impacted by a breach, there's still 15 percent who have. Additionally, data breaches in the first half of 2017 were up 29 percent over the same period in 2016, a record year for breaches itself.
At this rate, it may be a question of not if but when a data breach happens.
Even though 76 percent of those surveyed say they don't keep customer data on file, they may have more than they think. For example, businesses that accept credit cards may have those numbers stored somewhere accessible to hackers, such as a computer or POS system. Even employee information is a potential target for thieves (think: Social Security numbers).
For businesses that experience a breach, the fallout isn't cheap. As reported by financial services company First Data, data breaches cost small businesses an average of $36,000 to $50,000 in recovery expenses. While that's chump change for a major corporation, that amount can be devastating for a small-business owner.
To learn more about the high cost of data breaches, read "Why Cyber Liability Insurance Claims Cost So Much."
Small Business Cyber Security Tips You Can Implement Today
The good news is that 77 percent of respondents care about small business network security enough to take steps to protect their business. The security protocols they reported using include:
- Software to prevent malware and viruses.
- Spam filters.
While that's a good start, there's a lot more small-business owners can do to protect their business from cyber thieves. Let's take a look at some other best practices you can add to your cyber security repertoire:
- Update your software. Earlier this year, the WannaCry ransomware held the data of more than 200,000 users hostage. The kicker? If users were following security best practices, they never would have been hacked. The ransomware exploited a vulnerability in older versions of Microsoft Windows. That means if the victims had kept up with software updates and patches, their computers would have been protected. Making sure you install software updates is one of the best ways to protect your business against potential viruses and other malware.
- Ensure point-of-sale systems are secure. If you use a point-of-sale (POS) system at your business, take steps to protect customer data. For example, consider using end-to-end encryption software. This immediately encrypts credit card information as it's received, and then again as it's being sent to the software's server. This means even if a hacker manages to install malware on your POS system, your data is still protected.
- Use two-factor authentication. Require anyone using computers at your business to use two-factor authentication as an extra layer of protection. It could be something like answering a security question only the user can answer or having a one-time code texted to the user's phone. That way even if someone manages to steal or guess a password, they still shouldn't be able to gain access to your data.
- Limit access to your website. If someone can log in as an admin to your website, they basically have the keys to your company and sensitive customer data. Protect your site (and your customers) by creating usernames and passwords that are tough to guess, and change them frequently. Also, if you need to share login credentials with an employee or your website administrator, do so in person or by phone.
- Create company IT policies. No matter how small your business is, you should create IT guidelines for your employees to follow. For example, you might require employees to use passwords that are at least 10 characters in length, use upper- and lowercase letters, and include special characters. Consider forcing users to change passwords every few months. It's also a good idea to change passwords any time an employee leaves the company.
- Teach employees how to spot malware and phishers. According to Symantec's 2017 Internet Security Threat Report, one in 131 emails contained malware, the highest rate in five years. All it took was one phishing email sent to an unsuspecting Yahoo employee to result in the exposure of half a billion Yahoo accounts. While the stakes aren't as high for small-business owners, it's still important to teach employees how to spot phishing attempts. Educate employees so they know not to open email attachments from someone they don't know and to hover over URLs before clicking to make sure they are going to a legitimate website.
- Hire an IT expert. Fifty-eight percent of the small-business owners we surveyed said they handle their cyber security needs themselves. While that's one way to save money, most business owners aren't IT experts. This means they may not be current on the most recent cyber security threats, software updates, and more that can help keep their company safe. Even if you don't have the budget for a full-time IT employee, it might be worth it to pay to have an IT expert on call who can ensure your business is following best cyber security practices.
Finally, business owners should consider investing in Cyber Liability Insurance. This insurance can help your business survive a data breach by paying for expenses such as:
- Customer notification.
- Fraud and credit monitoring services.
- Cyber extortion reimbursement.
- Legal expenses, including lawyer fees and damages.
Cyber Liability Insurance helps ensure that if your business experiences a data breach, it has the financial resources to recover from it.