It is impossible to overemphasize how important it is for small businesses to be prepared for a cyberattack. But according to a recent survey by the Wall Street Journal Pro Research of 400 companies and their security officers, many companies are not taking the threat seriously enough to improve their readiness and reduce their risk of exposure.
How and why these companies are ignoring the risk varies. Some are aware of it but still lack actual preparation, while others do not even acknowledge the need for a cybersecurity plan. As expert Alan Levine said, they are an “ostrich” organization that is simply putting their head in the sand as if they don’t see the problem.
The WSJ survey found that these companies are concerned about these threats but are not doing anything about them. Ransomware was viewed as high risk by 80% of the participants, but fewer than 70% of them felt well-prepared to deal with that risk.
Risk & Awareness
Surprisingly, health care came in as one of the industries that felt strongly prepared. This may be because of an increase in awareness from news headlines and the alignment of HIPAA within these organizations. Those laws create the demand for structure and planning by associating fines with the organizations that don’t prove themselves compliant. However, the sectors of manufacturing, government, and retail were lagging in their cybersecurity programs. Fewer than two-thirds were found to have a program in place, and government entities were not often offering cybersecurity training to executives.
This raises a few red flags for those of us in the cybersecurity industry. As we well know, human error accounts for the majority of data breaches. And if the top-level individuals are not taking it seriously, how can they expect their team to, when the team makes up the majority of the workforce and is more exposed to risk? Also, does aligning monetary fines with compliance give a business more reason to take it seriously, as we see with healthcare and HIPAA? The government would likely be considered to hold one of the most valuable databases of information, yet it is underprepared according to this study. It creates the rules for others to follow, so there is awareness, but a lack of compliance. Is this linked to the unlikelihood of financial repercussions?
The one factor that isn’t specific to any industry is the size of the business. Small businesses are lagging behind larger companies when it comes to being prepared. The survey shows that 63% of companies with revenues under $50 million have a cybersecurity program, versus 81% of those with over $1 billion in revenue. This is likely a result of larger companies having a larger pool of workforce resources to staff a cybersecurity program, but it puts small businesses at greater risk nonetheless. And in the current pandemic crisis, small businesses need all of the support and help that they can get to survive.