When it comes to cyberattacks, the assumption is that only large organizations like banks, hospital systems and multinational companies are affected. But that just isn’t the case. The pandemic forced all types of businesses to quickly move online whether or not they had the right cybersecurity in place, exposing small businesses to increased risk.
In fact, the FBI’s cyber division reported a 400% increase in cyberattacks in 2020 over pre-coronavirus times, so it’s no surprise that 58% of small businesses have experienced at least one security or data breach, according to a 2021 report from the Identity Theft Resource Center (ITRC).
And if your company doesn’t have a business continuity plan in place, any kind of breach can be costly: Nearly 45% of small businesses paid between $250,000 and $500,000 to cover the costs of the breach, while 16% spent between $500,000 and $1 million.
Just the immediate aftermath of a cyberattack can be paralyzing to a small business, since its systems could be down for days or even a few weeks. All of a sudden, it’s not only customers that are affected, but also employees and vendors.
Furthermore, one frightening statistic from Cybercrime magazine said that 60% of small businesses struggle to recover and have to close up shop within six months of a data breach or cyberattack.
Should the business survive, it typically takes years to recover. The report from the ITRC said 42% needed one to two years to return to normal, and 28% needed three to five years to fully recover.
We haven’t even addressed the possibility of being sued by one of your customers for compromising their data, but that is a very real and very costly possibility.
All of that said, small businesses can avoid the bulk of these issues with proper planning.
First, a small business needs to acknowledge it could be a victim of a cyberattack. The vast majority of small businesses have no cyber liability insurance or any money set aside in case of such an attack, much less a comprehensive plan in place for how to deal with one.
Often, small businesses don’t employ an IT person or, if they do, they have designated someone as their technology support person who isn’t actually qualified in the first place. Sometimes, they outsource the role but don’t spend a lot of time figuring out what that third party’s responsibilities are, and aren’t aware that backing up data or updating certain systems is not considered part of the third party’s purview.

