Biggest Cybersecurity Soft Spots for Small Businesses

If you think your business and its customer base are too small to have any information worth stealing, think again.


In a June 2016 Keeper Security/Ponemon Institute survey of 600 IT leaders at small and medium-sized businesses, more than half the respondents said they experienced security breaches within the past year. And a 2015 survey of 500 small business owners by Nationwide found that 79% had no cyberattack response plan in place, even as 63% reported being victims of a breach.


Often small business owners fail to address cybersecurity risks because they simply don't know where to begin to tackle the problems, or they assume that the solutions will be too costly, says Todd Neilson, president and general manager of Secuvant, a Salt Lake City cybersecurity firm that specializes in working with small and medium-sized businesses.


“They think it's too scary,” he says.


Getting past that fear means first understanding why small companies are vulnerable. Here's a look at three of the biggest cybersecurity risk factors for small businesses, along with some tips on how to mitigate the risks.

Not knowing what they have to lose

Many small business owners have no clear idea how much and what kind of data they have stored, or even where it's located, says John Rogers, manager of professional services at Sage Data Security in Portland, Maine.


Without a complete accounting of your company's data, you can't create the policies and the oversight required to protect it. The remedy, Rogers says, is to conduct an information inventory.


“Enumerate all the locations where data is stored,” he advises. “Look at the different devices in use in your business.”


Once you know exactly what's at risk, you can implement policies and technical tools to limit access to sensitive information.

Limited staff and budget for data protection

A small business is less likely than a larger enterprise to have a dedicated person constantly monitoring the security of its data. That makes it more difficult for small companies to stay a step ahead of cybercriminals.


Even if you can't have a full-time cybersecurity watchdog on site, you can take some basic steps to protect your data. For example, Neilson recommends checking the security features of any software program you plan to install. Ask what operating system the program uses, how often the vendor secures that system, and whether the company follows standard security practices when writing the software.


When resources are limited, it's especially important to tie whatever security devices you purchase to a careful assessment of your company's specific needs, Neilson says. He believes too many small business owners approach cybersecurity “from a tools perspective versus a business perspective.”


“They end up buying a bunch of nonessential or very expensive tools that don't lower their risk,” he says.


Perhaps the lowest-cost security measure: keeping abreast of the latest threats and sharing them with employees. For example, the FBI recently warned that businesses are increasingly falling victim to so-called CEO fraud, where cybercriminals pose via email as the company CEO and direct employees to carry out illegal wire transfers. Forewarned employees would undoubtedly think twice before following that order.

Outside access from outsourcing

“Small businesses engage third parties a lot, because they are looking to expand their abilities and don't want to pay for full-time employees,” Rogers says.


That reliance on outsourcing certain key functions of the business leaves small companies susceptible to data breaches enabled by outside connections. All vendors and contractors who will have access to your company's data should be vetted thoroughly, Rogers says. He also suggests knowing exactly how they will connect to your network and insisting that they provide you with administrator accounts for whatever programs they install in your system.


While you can take steps to help shield your business' cybersecurity soft spots, you cannot eliminate your risk entirely.


“It used to be that you could roll the dice as a small business and take the chance that you're too small, you're off the radar, and you won't get hit,” Neilson says.


But with hackers now able to scan for security gaps in millions of businesses simultaneously, the chance of a small business becoming a target is rising. Becoming more aware of your risks can be the first step in creating a holistic plan to minimize those risks and any losses you might face if a cyberattack does happen.

More information

Protecting your business against cyberthreats doesn’t have to be overwhelming. Start with the simplest and most affordable tools available. And for more tips on managing cybersecurity risk, see this resource list from the U.S. Small Business Administration, and review our business-protection tips.

Disclaimer: Views expressed in this article and the third party links contained herein may not necessarily reflect those of Citizens Bank. Citizens Bank does not guarantee the accuracy of the information contained on the third party websites linked to in this article, nor do we endorse the products or services mentioned or provided on said third party websites. The information contained herein is for informational purposes only as a service to the public, and is not legal advice or a substitute for legal counsel, nor does it constitute advertising or a solicitation. You should do your own research and/or contact your own legal or tax advisor for assistance with questions you may have on the information contained herein.