Half of Small Businesses Believe They're Not Cybercrime Targets

New SMB version of the NIST Cybersecurity Framework could help these organizations properly assess and respond to their security risks.

Steve Zurier, Contributing Writer, Dark Reading

August 24, 2018

3 Min Read

Even with increased public awareness of cybersecurity threats, small- to midsized businesses (SMBs) mostly remain behind the curve: some 51% of SMB leaders are convinced their companies are not a target for cybercrime.

Meanwhile, 76% of them say they haven't activated multifactor authentication (MFA) for their enterprise email accounts, according to a new report released today from Switchfast Technologies. 

"Frankly, we see similar numbers for MDM [mobile device management]" MFA adoption as well, says Nik Vargas, CTO for Switchfast. He says a single breach can cost a small business up to $130,000, mostly for legal work, cyber remediation, and reputational damage.

Meanwhile, the federal government is giving SMBs an assist: President Trump signed the NIST Small Business Cybersecurity Act last week, which directs NIST to develop a streamlined version of its famed Cybersecurity Framework.

"The fact that the federal government has made this a focus is a positive step," Vargas says. "Of course, one of the real dangers is that small businesses can be a launching pad for much larger attacks on government sites and the large commercial giants."

The reality of SMB security challenges for some time has been painfully obvious: a Ponemon Institute report in 2016 that found that roughly half of the nation's 30 million small businesses had been breached. And the new Switchfast report demonstrates that there's still plenty of work to do to get SMBs up to speed in securing their systems.

Daniel Eliot, director of small business education at the National Cyber Security Alliance, looks for NIST to offer a simplified version of its framework, plus some tools he can use in the NCSA’s small business workshops.

"The idea is to make security approachable to small businesspeople, not to use scare tactics," Eliot says. "I'm glad Congress recognizes the unique need of small businesses, that they typically lack the bodies or budget to do cybersecurity well."

NIST's Cybersecurity Framework provides a way for organizations to assess their security risk, and provides guidelines for  protecting, detecting and responding to cyber threats. 

Kevin Stine, chief of the applied cybersecurity division in NIST's Information Technology Lab, says NIST's work on SMB security will come from existing agency funding.

"I don't envision grants being made available to small businesses and there won't be a list of preferred products; that's not what NIST does," Stine explains. "NIST has supported small businesses since the early 2000s, so I think we can hit the ground running. Our support may not always be with documents; it may also come in the form of video clips and info graphics that will be useful to small businesses."

Bill Conner, CEO of SonicWall, says it's good news to get the feds' support for SMBs. "The government finally understands the importance of SMBs and plans to put some resources to better understand the risk factor, that SMBs really are not prepared," Conner says.  

Switchfast's Vargas says his company's focus on small businesses started with the first ransomware cases in 2013. In the past, SMB owners could pass off viruses as minor annoyances (think pop-ups) that caused computers to slow down, he says. But once ransomware hit, it became clear that companies could lose money or data - and SMBs were targets, too.

"Small business leaders have to become security champions and communicate it to the staff," he says. "They have to explain to employees that security it not just about protecting the boss's Mercedes Benz. They have to understand that their W2s or tax refunds can be stolen, so cybercrime affects them, too."

Related Content:


Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Early bird rate ends August 31. Click for more info

About the Author(s)

Steve Zurier

Contributing Writer, Dark Reading

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights