Follow the leader? When it comes to small business (SMB) cybersecurity, perhaps not. A new report from IT consulting firm Switchfast revealed the mistakes professionals make that expose their firms to cyber risks, with everyone from CEOs to entry-level employees making some missteps. Interestingly, though, in many cases, it's the business leaders who are performing worse than employees when it comes to protecting business data.
In its "Cybersecurity Mistakes All Small Business Employees Make, From Entry Level To The C-Suite" report, Switchfast examined the survey results of 600 small business professionals and 100 C-Suite level leaders. The findings revealed the many ways that business leaders are trailing behind employees in their cybersecurity measures, starting with misperceptions about the threat of a cyberattack.
Fifty-one percent of the surveyed leaders believe their small business is not a target for cybercriminals, compared to just 35 percent of employees who said the same. It's a dangerous misconception, considering the factors that make SMBs prime targets for attackers: A lack of IT or security personnel offers easy access to company funds. According to Switchfast, 46 percent of the 30 million small businesses in the U.S. today will become victims of a cyberattack, and 60 percent of those victims are likely to go out of business within six months of suffering a data breach.
When business leadership fails to recognize the threat of cyberattacks, a business's security strategy can get started on the wrong foot.
Take multi-factor authentication (MFA) of emails, a basic security step: Three quarters of business leaders have not activated MFA for their work emails, researchers found, compared to 69 percent of employees. More than one-fifth of small business leaders have admitted to sharing their passwords with a co-worker or assistant, compared to 19 percent of employees.
Thirty-five percent of business leaders said they don't know what a clean desk policy is, an initiative that sets standards for how employees should secure their desk space when they leave.
According to Switchfast, SMB leaders' inability to recognize these threats and understand the measures they need to take to safeguard company data may explain why these firms "don't prioritize security education and best practices." With business leaders' ignorance of cybersecurity, phishers are stepping up their attacks, elevating their strategies to what's now known as "whaling." While phishing emails will target employees (using fake invoices or dodgy links to seek fund transfers, bank credentials or other sensitive information), whalers are targeting business leaders with these tactics.
"With approximately 20 percent of small business leaders having fallen victim to a phishing scam before, companies should be concerned with how their leadership teams are taught to recognize and respond to whaling schemes," the company stated in its report.
There are several areas in which business leaders perform better than employees, including use of public Wi-Fi: While two-thirds of employees have used public Wi-Fi to do work, only 44 percent of business leaders said the same. Public Wi-Fi is an easy opportunity for cybercriminals to infiltrate networks and access sensitive company information, particularly as more businesses store key documents on the cloud, researchers noted. A smaller portion of business leaders were also found to be using their work computers to access personal social media accounts compared to employees, another way to expose a business to cyberthreats.
However, business leaders are responsible for education of employees when it comes to cybersecurity. In that regard, research suggests they're struggling: 35 percent of employees said they don't know if their firms have an incident response plan in place.
"Businesses also can’t address what they don’t know," Switchfast concluded. "If cyberthreats aren’t treated as a priority by SMB leaders, then employees will also adopt a blasé attitude [toward] security."