Corporate cybersecurity is an ever-increasing focus of government entities, with the U.S. Federal Trade Commission (FTC) the latest to place emphasis on the importance of safeguarding data and systems.
Late last week, the FTC rolled out a series of informational resources for nonprofits and small businesses (SMBs) to heighten awareness and understanding of cybersecurity threats and how to mitigate them. In a post on its Business Blog, the FTC laid out the Cybersecurity Basics, introducing steps that small business owners can take when starting out on their cybersecurity journeys.
"As a small business owner, you know that cybercriminals will steal data any place they can find it, whether it's from a global giant or a Main Street store," the FTC wrote, pointing to the importance of multi-factor authentication, staff training, operating system and browser updates, and other tactics that entrepreneurs should deploy. Yet, the data suggests that small businesses may not be aware of the risk they face from cybercriminals.
A new white paper from QuickBridge found an estimated 50 percent of small businesses that fall victim to a cybercrime are unable to recover and, as a result, are forced to shutter their doors. The statistic implies that SMBs generally do not understand the scale of the risk a cyberattack poses or, if they do, have not taken sufficient action to safeguard against an attack or to prepare for recovery if and when they are targeted.
"With risk rising at an alarming rate, small businesses must prepare themselves to not only keep attackers at bay, but also to respond effectively in the event of a disaster," said QuickBridge President Ben Gold in a statement announcing the white paper, "Cybersecurity and Small Businesses: Are You Protecting Your Customers?"
Other experts have similarly raised concerns over small businesses' inability to recover post-cyberattack.
"Sometimes, it's because they can no longer protect a piece of intellectual property they had hoped to copyright, or maybe they just lost access to so much data that they have no way to rebuild and no way to contact their clients," said Ray Sidney-Smith, a cybersecurity expert who spoke at a Central Virginia Small Business Development Center cybersecurity conference last week, according to The Daily Progress reports. "But many times, it's literally just the shame they would feel in reporting the attack to customers and law enforcement."
As a small business lending company, QuickBridge noted that small businesses must have access to working capital to adequately recover from a cyberattack. Looking at research from the Identity Theft Resource Center, QuickBridge pointed to small businesses in the healthcare, banking and finance, and retail sectors as particularly popular targets for cyberattackers.
Patterns are also emerging in the type of information attackers are seeking from small business targets, the QuickBridge report found. For example, the number of instances in which attackers went after Social Security numbers increased eightfold between 2016 and 2017. A small business's failure to safeguard not only its own data, but its customers' data as well, "can lead to an immediate loss of trust," the report said.
Like the FTC, QuickBridge emphasized the role of employee training in protecting against cyberattacks. With malware often finding its way into an enterprise via phishing emails that fool employees, adequate worker education is paramount.
"Many attacks directly target employees, making cybersecurity employee training and education critical to your data protection efforts," the report concluded.
The FTC may be confident that small businesses are aware of the threat of data breaches and cyberattacks, but with so many SMBs falling victim to attacks and failing to recover, there may be larger gaps in awareness and education among the small business community than previously thought.