This week marks Small Business Week in Canada, and while small business owners know they are at risk for cyber attacks, they are somewhat at a loss as to what to do. That’s one of the findings of a new report from the Better Business Bureau, The State of Small Business Cybersecurity in North America, released earlier this month as part of National Cybersecurity Awareness Month. One of the more troubling findings is that half of small businesses reported they could remain profitable for only one month if they lost essential data.
“Profitability is the ultimate test of risk,” said Bill Fanelli, CISSP, chief security officer for the Council of Better Business Bureaus and one of the authors of the report. “It’s alarming to think that half of small businesses could be at that much risk just a short time after a cybersecurity incident.”
“Small business owners get it,” Fanelli continued. “When we asked them about the most common cybersecurity threats – ransomware, phishing, malware – they know what’s out there, and most of them have basic protections in place. For instance, 81 per cent use antivirus software and 76 per cent have firewalls. But one of the most cost-effective prevention tools, employee education, is used by fewer than half of the companies we surveyed. Other prevention measures scored even lower.”
Mary O’Sullivan-Andersen, president and CEO of BBB Serving Southern Alberta and East Kootenay, says prevention and consistency are key to keeping sensitive information secure.
“It is crucial to remember that no business, big or small, is immune to data breaches or other cyber security issues,” says Mary O’Sullivan-Andersen. “With the advancements of today’s technology also come safety concerns. The key is to educate staff and employees about business cyber security and practice it regularly.”
BBB surveyed approximately 1,100 businesses in North America (71.4 per cent of the sample came from the United States, 28.5 per cent from Canada and 0.1 per cent from Mexico). Two-thirds of the participants were BBB Accredited Businesses, and they fared marginally better in most measures, such as awareness of specific threats and adoption of cybersecurity measures. The data was collected in an online survey with a margin of error of approximately +/- three per cent for a 95 per cent confidence interval.
The report focuses on cybersecurity effectiveness from three perspectives:
a) cybersecurity standards/frameworks
b) best practices
c) cost-benefit analysis
The State of Small Business Cybersecurity emphasizes the need not only for education and training, but for cost-benefit analysis of cybersecurity measures. The report suggests a formula created by two professors at the University of Maryland, Martin P. Loeb, PhD and Lawrence A. Gordon, PhD, to help small business owners estimate their risk from cybersecurity attacks and calculate an appropriate investment in prevention.
“It doesn’t do any good for a small business to adopt a $10,000 solution if the potential risk reduction is only worth $5,000,” said Fanelli. “We hope this report will give small business owners greater awareness of the real and the perceived risks of cyberattacks, as well as best practices for protecting against these types of security threats. We hope it serves as a step forward in advancing cybersecurity in the marketplace.”