In February, BullGuard published research showing that one third of small and medium businesses (SMBs) use free, consumer-grade cybersecurity tools, one fifth maintain no endpoint security, and 43 percent have no cybersecurity defense plans, placing their business-critical assets at risk.
This is a critical oversight. The economic fallout from COVID-19 is a stark reminder that SMBs make up the vast majority of the nation’s businesses at the local level. According to the Small Business Administration, small businesses comprise 99.9 percent of all American businesses and employ nearly half of all American workers.
Given the sheer quantity of SMBs, their cybersecurity directly affects local resiliency in the face of cyber threats. As the economy starts to reopen and businesses find their footing in the post-quarantine world, SMBs must embrace their importance and scale up their cybersecurity appropriately.
Business Failure and Cyber Resilience
COVID-19 showed the world that widespread business failure affects communities. When businesses fail, business owners and workers can suffer heightened mental health issues and economic insecurity.
Business failure increases the demand on local government for public assistance for unemployment benefits, small business loans, and more. Businesses that survive have fewer customers, and customers have fewer dollars to spend. As a result, more businesses fail. As more businesses fail, more people suffer.
Alternatively, business success strengthens communities. Thriving businesses encouraging the creation of community identify and get involved in local events. They contribute to their localities’ long-term economic growth by increasing the tax base, providing local jobs and products, building infrastructure, and encouraging competition.
The government and major financial services players alike tout the digitization of SMBs. Increased use of information technology and digital assets offer companies new sources of revenue and growth, which companies desperately need in the midst of the current economic collapse.
Even as digitization increases, 66 percent of small-business senior decision makers believe that cyber-attacks will not affect them. However, 67 percent of businesses suffered a cyber-attack in 2019.
Since the beginning of the COVID-19 pandemic, one in seven SMBs have experienced a cyber-attack. Due to their general absence of awareness regarding best cybersecurity practices and their indifference toward the problem, small businesses have insufficient personnel dedicated to protecting their networks and their digital assets. Their staff lack necessary technical skills, and they do not have the budgets required to acquire or purchase adequate protection.
The result is a self-defeating cycle. A small business hit by a cyber-attack can fail, like the California-based Efficient Services Escrow Group, which closed and laid off all employees following a cyber heist.
When businesses fail, their employees lose their jobs and no longer have enough money to purchase goods and services from other small businesses. Those businesses lose money as a result, and their owners, stressed about their economic prospects and already apathetic toward the importance of prioritizing cybersecurity, spend less on network and digital asset protection.
The lack of proper spending and prioritization leads to worse cybersecurity practices, which in turn open the door to more cyber-attacks and more business failure.
Cyber resiliency is the ability to anticipate cyber-attacks or stresses on digital and cyber resources, withstand them, and recover from them. As cyber-attacks on SMBs systematically weaken local communities, they lose their ability to withstand and recover. This strains public resources. Taxes comprise the largest source of revenue for local governments, but when businesses fail, their tax dollars dry up. Local governments, already lacking requisite cybersecurity resources, lose their ability to secure themselves and their communities.
SMBs Must Do Better
Failure is not inevitable. SMBs can take steps to increase their cyber resilience and boost their chances of success. Owners should lead by example and pay attention to their employees’ online habits. They can demonstrate good cyber hygiene and teach their employees to do the same.
Owners should identify business-critical assets and data to prioritize their protection. They should be proactive, rather than reactive, when planning protection against cyber-attacks.
Finding online resources to boost cybersecurity is easy. Plenty of private companies publish lists of best practices. On its website, the Small Business Administration offers free access to planning tools, business assessments, cyber hygiene vulnerability scanning, and best practices.
As SMBs prioritize their time and spending during the long process of reopening, they need to take advantage of these free tools and take their cybersecurity at least one step further. Free tools can help them get started, but ultimately, they must understand their collective importance to the economy and invest in real, tailored, effective security measures.
Big businesses can recover far more easily from cyber-attacks than SMBs. Their mass failure in the event of a widespread, major attack, such as a new NotPetya, could send shockwaves through the already-unstable economy. However, the tools to improve SMB cybersecurity exist, and the problem can be solved. SMBs just need to step up before it is too late.
Jennifer Keltz earned her Master of Public Administration from Columbia University's School of International and Public Affairs in May 2020, where she studied international security policy and technology, media, and communication. Prior to graduate school, she was a Peace Corps Volunteer in Burkina Faso (2016-17) and China (2018). She earned her undergraduate degree from the University of Virginia.