The State of Small Business Cybersecurity in North America

Small business owners know they are at risk for cyberattacks, but they are somewhat at a loss as to what to do. That’s one of the findings of a new report from the Better Business Bureau, The State of Small Business Cybersecurity in North America, released today as part of National Cybersecurity Awareness Month. One of the more troubling findings is that half of small businesses reported they could remain profitable for only one month if they lost essential data.

“Profitability is the ultimate test of risk,” said Bill Fanelli, CISSP, chief security officer for the Council of Better Business Bureaus and one of the authors of the report. “It’s alarming to think that half of small businesses could be at that much risk just a short time after a cybersecurity incident.”

“Small business owners get it,” Fanelli continued. “When we asked them about the most common cybersecurity threats – ransomware, phishing, malware – they know what’s out there, and most of them have basic protections in place. For instance, 81% use antivirus software and 76% have firewalls. But one of the most cost-effective prevention tools, employee education, is used by fewer than half of the companies we surveyed. Other prevention measures scored even lower.”

[Download a copy of the report at BBB.org/StateOfCybersecurity]

BBB surveyed approximately 1,100 businesses in North America (71.4% of the sample came from the United States, 28.5% from Canada and 0.1% from Mexico). Two-thirds of the participants were BBB Accredited Businesses, and they apparently fared marginally better in most measures, such as awareness of specific threats and adoption of cybersecurity measures. The data was collected in an online survey with a margin of error of approximately +/- 3% for a 95% confidence interval.

The report focuses on cybersecurity effectiveness from three perspectives: a) cybersecurity standards/frameworks; b) best practices; and c) cost-benefit analysis. One of the key findings is that the NIST Cybersecurity Framework, technically a voluntary standard from the National Institute for Standards and Technology, is becoming mandatory in some markets. Not only are many companies requiring it of their vendors for procurement, but many businesses are adopting it because it helps them run a better business. The NIST framework is the basis for BBB’s training program, “5 Steps to Better Business Cybersecurity” (BBB.org/cybersecurity).

The State of Small Business Cybersecurity emphasizes the need not only for education and training, but for cost-benefit analysis of cybersecurity measures. The report suggests a formula created by two professors at the University of Maryland, Martin P. Loeb, PhD and Lawrence A. Gordon, PhD, to help small business owners estimate their risk from cybersecurity attacks and calculate an appropriate investment in prevention.

“It doesn’t do any good for a small business to adopt a $10,000 solution if the potential risk reduction is only worth $5,000,” said Fanelli. “We hope this report will give small business owners greater awareness of the real and the perceived risks of cyberattacks, as well as best practices for protecting against these types of security threats. We hope it serves as a step forward in advancing cybersecurity in the marketplace.”

ADDITIONAL QUOTATIONS

“We believe the report makes a real contribution to informing small businesses on steps they can take to improve their cybersecurity. We appreciate your references to our research. We are already thinking of ways to bring this report to the attention of the entire Smith School Community.”

Martin P. Loeb, PhD

Professor of accounting and Deloitte & Touche Faculty Fellow

Robert H. Smith School of Business

University of Maryland

Lawrence A. Gordon, PhD

Ernst & Young Alumni Professor of Managerial Accounting

Robert H. Smith School of Business

University of Maryland

“With its 2017 State of Cybersecurity Report BBB has once again proven its invaluable role in helping small businesses to better appreciate the complex cyber threat environment they’re facing, along with tracking the tools and frameworks that are available to help mitigate the risk. Cybersecurity due diligence is no longer just essential for multinational companies, law firms, and governments. The small businesses that are the backbone of this county are at the front lines, and have a vital role to play in helping to promote cyber peace.”

Scott J. Shackelford, JD, PhD

Associate Professor of Business Law and Ethics

Chair, IU-Bloomington Cybersecurity Program

Indiana University Kelley School of Business

“This study provides timely and fascinating insight into the cybersecurity risks faced by small business, as well as the steps they take to mitigate these risks. Both small business owners and cybersecurity policy practitioners may find the detailed information about cybersecurity practices of small businesses incredibly useful.”

Anne E. Boustead, JD PhD

Assistant Professor

School of Government and Public Policy

University of Arizona