[BreachExchange] When Small Businesses Don’t Realize They’re Cyberattack Victims

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 12 18:34:11 EDT 2017


https://www.pymnts.com/news/b2b-payments/2017/nationwide-says-smbs-vulnerable-to-cyberattacks/

A significant portion of small businesses (SMBs) may not even know they
have been a cyberattack victim due to a lack of understanding as to what
constitutes a cyberattack, according to new research from insurance firm
Nationwide.

This week, the company published the results of a survey of 1,069 U.S.
businesses with between one and 299 employees to understand how small firms
are addressing the widespread, complex threat of cyberattacks. But the
survey, now in its third year, has also uncovered a significant gap in the
understanding of what can be considered a cyberattack in the first place.

According to researchers, only 13 percent of small businesses said they
have experienced any form of cybercrime.

But when small business owners were shown a list of different types of
cyberattacks, the percentage of firms that said they had fallen victim to
one of these tactics spiked to 58 percent. According to Nationwide, the
data reveals “a 45 percent gap and lack of understanding about what
constitutes an actual attack.”

Computer viruses were the most commonly cited form of attack, with 36
percent of small businesses saying they have been hit by this type of
threat. Nearly a third said they had fallen victim to a phishing attack,
while more than 10 percent each said they were the victim of a Trojan horse
or a hacking incident.

Less than 10 percent each said they were the victim of a data breach,
ransomware, some type of issue related to unpatched software, unauthorized
access to company data and unauthorized access to customer data.

Compounding the issue of SMBs not understanding what may be considered a
cyberattack is the fact that the majority of companies surveyed do not have
a dedicated employee or third-party monitoring cybersecurity efforts, “and
therefore,” Nationwide said, they “could be victims without even knowing
it.”

More than three-quarters don’t have a response plan in the event of a
cyberattack, and more than half said they don’t have any plan to protect
employee or customer data.

“Cyberattacks are one of the greatest threats to the modern company,” said
Nationwide President of Property & Casualty Mark Berven in a statement.
“Business owners are telling us that cybercriminals aren’t just attacking
large corporations on Wall Street. They’re also targeting smaller companies
on Main Street that often have fewer defense mechanisms in place, less
available capital to reinvest in new systems and less name recognition to
rebuild a damaged reputation.”

Once hit with a cyberattack, the effects can be disastrous for small
businesses, Nationwide researchers found.

More than a fifth of small businesses hit with an attack said they spent at
least $50,000 to remedy the issue and that the entire process to regain
control of systems, address any data breaches and ensure businesses were
secure following an attack took longer than six months. A significant
portion, 7 percent, said it took more than $100,000 to address the issue,
while 5 percent said it took longer than a year to rebuild both their
company’s reputation and customer trust following a cybercrime incident.

Nationwide also warned that while small business owners understand what
they have to do to stay secure, they aren’t taking action.

For instance, 85 percent told researchers that they agree it’s important to
protect against viruses, spyware and the like, but only 65 percent actually
actively do so. Similarly, 85 percent agree it’s important to secure
company networks, but only 58 percent do so.

Similar gaps exist in small business owners’ understanding of the
importance of backing up critical data, establishing security policies,
controlling physical access to company devices and educating employees
about cyber threats — and actually following through with these initiatives.

And as companies are increasingly using technologies like the Internet of
Things and artificial intelligence, they’re also increasing their exposure
to cybercriminal spyware, Nationwide warned.

Nationwide’s report follows data released last month from MYOB that found
87 percent of small businesses actually consider themselves safe from a
cyberattack (only 10 percent said they don’t consider themselves safe).
Only about half of small businesses said they planned to improve
cybersecurity efforts, while more than a third admitted they don’t have the
expertise to adequately address the threat.