When Small Businesses Don’t Realize They’re Cyberattack Victims

A significant portion of small businesses (SMBs) may not even know they have been a cyberattack victim due to a lack of understanding as to what constitutes a cyberattack, according to new research from insurance firm Nationwide.

This week, the company published the results of a survey of 1,069 U.S. businesses with between one and 299 employees to understand how small firms are addressing the widespread, complex threat of cyberattacks. But the survey, now in its third year, has also uncovered a significant gap in the understanding of what can be considered a cyberattack in the first place.

According to researchers, only 13 percent of small businesses said they have experienced any form of cybercrime.

But when small business owners were shown a list of different types of cyberattacks, the percentage of firms that said they had fallen victim to one of these tactics spiked to 58 percent. According to Nationwide, the data reveals “a 45 percent gap and lack of understanding about what constitutes an actual attack.”

Computer viruses were the most commonly cited form of attack, with 36 percent of small businesses saying they have been hit by this type of threat. Nearly a third said they had fallen victim to a phishing attack, while more than 10 percent each said they were the victim of a Trojan horse or a hacking incident.

Less than 10 percent each said they were the victim of a data breach, ransomware, some type of issue related to unpatched software, unauthorized access to company data and unauthorized access to customer data.

Compounding the issue of SMBs not understanding what may be considered a cyberattack is the fact that the majority of companies surveyed do not have a dedicated employee or third-party monitoring cybersecurity efforts, “and therefore,” Nationwide said, they “could be victims without even knowing it.”

More than three-quarters don’t have a response plan in the event of a cyberattack, and more than half said they don’t have any plan to protect employee or customer data.

“Cyberattacks are one of the greatest threats to the modern company,” said Nationwide President of Property & Casualty Mark Berven in a statement. “Business owners are  telling us that cybercriminals aren’t just attacking large corporations on Wall Street. They’re also targeting smaller companies on Main Street that often have fewer defense mechanism in place, less available capital to reinvest in new systems and less name recognition to rebuild a damaged reputation.”

Once hit with a cyberattack, the effects can be disastrous for small businesses, Nationwide researchers found.

More than a fifth of small businesses hit with an attack said they spent at least $50,000 to remedy the issue and that the entire process to regain control of systems, address any data breaches and ensure businesses were secure following an attack took longer than six months. A significant portion, 7 percent, said it took more than $100,000 to address the issue, while 5 percent said it took longer than a year to rebuild both their company’s reputation and customer trust following a cybercrime incident.

Nationwide also warned that while small business owners understand what they have to do to stay secure, they aren’t taking action.

For instance, 85 percent told researchers that they agree it’s important to protect against viruses, spyware and the like, but only 65 percent actually actively do so. Similarly, 85 percent agree it’s important to secure company networks, but only 58 percent do so.

Similar gaps exist in small business owners’ understanding of the importance of backing up critical data, establishing security policies, controlling physical access to company devices and educating employees about cyber threats — and actually following through with these initiatives.

And as companies are increasingly using technologies like the Internet of Things and artificial intelligence, they’re also increasing their exposure to cybercriminal spyware, Nationwide warned.

Nationwide’s report follows data released last month from MYOB that found 87 percent of small businesses actually consider themselves safe from a cyberattack (only 10 percent said they don’t consider themselves safe). Only about half of small businesses said they planned to improve cybersecurity efforts, while more than a third admitted they don’t have the expertise to adequately address the threat.