
Small business cybersecurity risk: Cyberattacks don’t care how big your business is

When it comes to cyberattacks, the common assumption is that only large organizations like banks, hospital systems and multinational companies are targeted. That just isn’t the case. The pandemic forced businesses of every size to move online quickly, whether or not they had the right cybersecurity in place, and that exposed small businesses to increased risk.

In fact, the FBI’s cyber division reported that complaints of cyberattacks rose roughly 400% in 2020 compared with pre-coronavirus levels. Against that backdrop it is no surprise that 58% of small businesses have experienced at least one security or data breach, according to a 2021 report from the Identity Theft Resource Center (ITRC).

And if your company doesn’t have a business continuity plan in place, any kind of breach can be costly: nearly 45% of small businesses that were breached paid between $250,000 and $500,000 to cover the costs, and another 16% spent between $500,000 and $1 million.

Even the immediate aftermath of a cyberattack can paralyze a small business, because its systems may be down for days or, in some cases, a few weeks. Suddenly it is not only customers who are affected, but employees and vendors as well.

Furthermore, one frightening statistic cited by Cybercrime Magazine holds that 60% of small businesses struggle to recover and close up shop within six months of a data breach or cyberattack.

Should the business survive, recovery typically takes years. The ITRC report found that 42% of affected small businesses needed one to two years to return to normal, and 28% needed three to five years to fully recover.

That does not even account for the possibility of being sued by a customer whose data was compromised, which is a very real and very costly risk.

All of that said, small businesses can avoid the bulk of these issues with proper planning.

First, a small business needs to acknowledge it could be a victim of a cyberattack. The vast majority of small businesses have no cyber liability insurance or any money set aside in case of such an attack, much less a comprehensive plan in place for how to deal with one.

Often, small businesses don’t employ an IT person at all, or they have designated an employee as the technology support person who isn’t actually qualified for the role. Sometimes they outsource the role but never pin down what the third party is and isn’t responsible for, and only discover after an incident that backing up data or updating certain systems was never part of the vendor’s contracted scope.

So where should a small business start?

For Baker Tilly clients, we begin with a small business cybersecurity risk assessment, through which our professionals will help identify their gaps.

Gaps could be in how credit card information is stored or how intellectual property is protected. They may be in how people log into certain systems or access files, in how the company backs up its data, or in how the systems themselves are secured. There may also be gaps in how financial information is kept or where employee records are filed.

After identifying the exposures an attacker could use, our professionals provide recommendations to mitigate the risk in the client’s systems and processes, prioritized according to the client’s needs.

Beyond the assessment, our professionals can help clients outline what their business continuity and recovery plans should look like, including which solutions to put in place and which activities must be completed in order to respond to and recover from these types of incidents.

Because cyberattacks come in many forms, including malware, ransomware and phishing, a business should hope for the best but plan for the worst, and look carefully at every way things could go wrong. Once a plan is in place, the business should run tabletop exercises and dry runs so everyone knows the recovery process, and should test its backups by actually restoring from them rather than just confirming that the backup job ran. Because ransomware operators routinely try to destroy reachable backups, at least one copy should be kept offline or otherwise out of reach of the systems it protects.

In addition to a continuity plan, a small business should obtain cybersecurity insurance. Policies can cover ransom and extortion payments, data restoration, loss of income and related costs. Because of the millions of dollars in ransom paid in recent years, insurers have raised their expectations of customers, including requiring specific security controls, such as multifactor authentication, to be in place before they will issue a policy.

Still, the hope is you never have to rely on that insurance because you have identified your risk areas and put in safeguards to prevent such an attack in the first place.

For more information about Baker Tilly’s cybersecurity services, or to discuss how we may be able to assist your organization, contact us.

Brian Nichols