With Cybersecurity, Failure to Plan Is Planning to Fail
With all of the publicity about data breaches and threats, one would think small businesses would want to be prepared. According to recent reports from Small Business Computing.com (https://www.smallbusinesscomputing.com/news/half-of-smbs-have-no-response-plan-for-a-cyber-security-incident.html) and Insurance Journal (https://www.insurancejournal.com/news/national/2019/07/30/534161.htm) one would be wrong.
A recent ConnectWise study of over 1,000 SMB risk assessments found
- 48% have no response plan for a cybersecurity incident.
- 43% have no recovery plan for a cybersecurity incident.
- 69% have not identified and documented cybersecurity threats.
- 66% have not identified and documented cybersecurity vulnerabilities.
- 57% have not trained their users on cyber security.
- 48% have not analyzed cyber security attack targets and methods.
In a separate survey by Keeper Security, 60% of SMB senior level decision makers did not have a cyber attack prevention plan. Only 9% ranked cyber security as their top priority; 18% ranked it as their lowest priority (below a zombie attack?). Although a Ponemon Institute study found 67% of businesses were attacked within the past year (according to a Verizon report 58% of cyber attack victims were small businesses), 66% of respondents said their company was unlikely to be hit by a cyber attack. 25% don’t know where to start with cyber security, and only 37% have a dedicated IT or cybersecurity team.
Most alarming: InsuranceBee’s cyber survey reported 83% of SMBs did not have the budget to recover from a cyber attack. To put it another way, a small business has about one chance in six it will survive a cyber attack.
Faced with the lack of preparation, and even lack of knowledge about cyber security, the House of Representatives recently passed the Small Business Development Center Cyber Training Act. A companion bill is awaiting a Senate vote (hopefully it will get bipartisan support). The act would require counselors at small business development centers to be certified in cybersecurity. The House also passed the SBA Cyber Awareness Act to strengthen the Small Business Administration’s handling and reporting of cyber threats. Since Continuum’s 2019 Small Business Cyber Security Report states that 62% of SMBs do not have the skills to properly manage cyber security, more education is a must.
One step all SMBs should take is not only buying Cyber insurance, but purchasing it from an insurer that offers assistance in cyber risk assessment and loss mitigation. Right now costs are low and coverage is broad. It may be the difference between survival and failure.