America’s small companies are usually not prepared for a cyber assault
Some of the most notorious cyberattacks against the US in recent years are said to have originated in Russia, including the 2021 attack on the Colonial Pipeline – the largest fuel pipeline in the US – the SolarWinds attack in 2020 and the hacking of the Democratic Pipeline in 2016 National Committee.
Since Russia invaded Ukraine in January this year, the US government has warned of an increased risk of a cyber attack that Russia could use to try to draw the US into direct conflict. Despite the increased threat, small business owners are no more concerned about a potential cyberattack — and no more prepared to deal with one than they were a year ago.
The CNBC|SurveyMonkey Small Business Survey surveys more than 2,000 small business owners each quarter to understand their outlook for the overall business environment and the health of their own business. In the latest survey, only 5% of small business owners said cybersecurity is the top risk facing their business right now.
Quarter after quarter, the number saying cybersecurity is their top risk has remained stable and is the lowest priority out of the five respondents. Over the same period, the number of small business owners who say inflation is the biggest risk to their business has risen from 31% to 38%, ranking the highest for risk. Numbers reporting supply chain disruptions and Covid-19 as the top risk have both declined.
This latest round of the Small Business Survey is the first since the Russian invasion of Ukraine, although international events have not had a noticeable impact on US small business sentiment
Zoom In IconArrows pointing outwards
Cyber security has always been seen as an afterthought by most small business owners when assessing risk.
CNBC|SurveyMonkey Small Business Survey Q2 2022
While not their top concern, nearly four in ten small business owners say they are very or somewhat concerned that their business could be the victim of a cyberattack within the next 12 months. This trend has also continued for four consecutive quarters and has not changed at all since the Russian invasion of Ukraine.
The smallest small businesses are the least concerned about cyberattacks: Only 33% of owners with 0-4 employees fear experiencing a cyberattack within a year, compared to 61% of small businesses with 50 or more employees.
Few small business owners rank cyber threats as their top business risk and less than half view this as a concern, yet a majority express confidence in their ability to respond to a cyber attack. As in previous quarters, about six in 10 small business owners are very or reasonably confident that they can quickly mitigate a cyberattack on their business if necessary.
Cyber disconnection between business owner and customer
This general lack of concern among small business owners is at odds with the mood of the general public. In SurveyMonkey’s own poll, three-fourths of Americans said they expect US businesses to experience a major cyberattack within the next 12 months.
Consumer expectations for cyber preparedness vary from industry to industry. A majority of the population say they trust their banks (71%), healthcare providers (64%) and email providers (55%) to be able to protect them from cybersecurity threats; On the other hand, only 32% expect the social media platforms they use to be prepared.
We see similar results in the small business space. Small business owners in the finance and insurance industries are among those most confident in their ability to respond quickly to a cyber attack; More than seven out of ten say they are able to repel an attack. Among those in the arts, entertainment and recreation industries, that number drops to 50%.
This is important, because any cyber attack – even one that is quickly resolved – can have a lasting negative impact on a company. Consumers would rather not be the victim of a cybersecurity attack themselves, and they are wary of trusting companies that have been compromised in the past. In a survey by SurveyMonkey, 55% of people in the US say they would be less likely to do business with brands that have been the victim of a cyberattack.
For small businesses to be truly prepared, they need to take more concrete steps. Less than half say they have installed antivirus or malware software, strengthened their passwords, or backed up files to an external hard drive to protect their business from potential cyberattacks. Only a third each have automatic software updates enabled or enabled multi-factor authentication. Only a quarter have installed a Virtual Private Network (VPN).
These are basic measures that most companies in America’s corporate world would consider table stakes, but they are admittedly much more costly to implement in a small business environment. Small businesses that don’t take the cyber threat seriously risk losing customers or even more if a real threat emerges.