Why small businesses need to recalibrate their approach to cybersecurity

Overlooking cybersecurity as a small business is not just risky—it’s downright reckless.

That might seem an obvious statement. And you might assume that every business leader understands the gravity of a cyberattack.

However, recent research commissioned by IDEE suggests otherwise. We commissioned an independent survey of over 500 UK-based IT and cyber security professionals to explore this issue in greater depth – Startups Magazine covered the results here.

I’ll cut to the point. The research revealed that, compared with large companies (more than 500 employees), small businesses (fewer than 50 employees) are far less aware of the impact that a cybersecurity breach could have on their operations and, ultimately, on the success of their business.

Here are some of the headlines at a glance:

  • 92% of respondents from large businesses said they understood the financial implications of a cyber breach, while only 73% of small business respondents said the same thing.
  • 32% of small business respondents are unaware of the reputational costs of a cyber attack, which is double the number of respondents from large businesses (16%) who said this.

Ignorance is bliss

The general lack of awareness that many small businesses have about the implications of a cyber breach is concerning. Making matters worse, it is clearly leading to a more relaxed approach to cybersecurity.

For example, the fact that human error is typically at the heart of a cyber breach is well known. However, just 36% of respondents from small businesses perceive a lack of skills and knowledge among staff to be a major challenge, and only two-fifths (41%) pinpointed human error as the greatest threat to their cyber security. Among large businesses, those figures rise to 68% and 74%, respectively.

Clearly, small businesses are not only less cognisant of the devastating consequences of an attack but also in the dark about the relatively simple ways in which they might be breached.

Why might this paradox exist?

It is hard to be overly critical. Small businesses are typically operating with tight budgets and time constraints – startup life is hectic, and SME leaders are often juggling numerous priorities, like securing funding and building a customer base, which can push cybersecurity down their list of concerns.

Worryingly, though, there’s also a common belief that cybercriminals target larger organisations, allowing for a degree of complacency among small businesses. This is untrue.

Cybercriminals see small businesses as lucrative targets due to their perceived vulnerabilities. Research supports this notion, with findings revealing that 37% of companies hit by ransomware attacks have fewer than 100 employees. Additionally, small businesses receive the highest rate of targeted malicious emails, with 1 in 323 being affected.

Furthermore, the availability of pre-installed security software like Microsoft Authenticator leads many businesses to believe they're adequately protected without additional investment. According to IDEE’s research, for example, 27% of businesses using multi-factor authentication (MFA) to protect their systems do so because it came as standard from their IT providers.

The dangers of this paradox

Relying solely on the in-built security software that comes as standard from business technology providers is always likely to leave critical data and accounts vulnerable to exploitation. This software is usually first-generation MFA, which can only prevent password-based attacks but fails to stop the most common attacks: credential phishing and adversary-in-the-middle (AiTM) attacks, in which the attacker proxies the login page and relays the one-time code or push approval in real time.

For small businesses in particular, this issue could be devastating. According to figures from last year, for example, 60% of SMEs that suffer a cyberattack go out of business within six months.

Little more needs to be said. It’s time for small businesses to recalibrate their approach to cyber security.

Taking a fresh approach to cyber security

The fact of the matter is that too many people think that cyberattacks are just par for the course, and that account takeover (ATO) is a fact of life. But this is so far from the truth – the technology to eliminate ATO is out there; startups and small businesses simply need to embrace it.

This means embracing cybersecurity solutions based on the principles of immutable credentials and transitive trust. These solutions ensure that access to an individual’s or business’ accounts and data can only be granted to a trusted service (i.e. a domain that has been integrated with the system) on a trusted device (which has also been registered and is verified by its TPM chip) and by a trusted user who is in control of their device (which they prove by unlocking their device with biometrics or a PIN).
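To make those three conditions concrete, here is a small Go model written for this article (it is example code, not IDEE's product or protocol): a device signs each login challenge together with the domain the browser actually reached and a flag saying the user unlocked the device, and the service grants access only if the signature comes from an enrolled device, names the service's own domain, and carries that flag. The ed25519 key standing in for a TPM-held key, and all names, are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device models a registered device; priv stands in for a key held in its TPM and
// never exported (an assumption of this example, not a real TPM binding).
type Device struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}
func NewDevice(id string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{ID: id, Pub: pub, priv: priv}
}
// Assertion is the device's signed reply to a login challenge. Origin is the domain
// the browser actually connected to: behind an AiTM proxy that is the proxy's domain.
type Assertion struct {
	DeviceID, Origin string
	UserVerified     bool // device unlocked with biometrics or a PIN
	Sig              []byte
}
// payload binds origin, user-verification flag and challenge into one signed message.
func payload(origin string, uv bool, ch []byte) []byte {
	return append([]byte(fmt.Sprintf("%s\x00%t\x00", origin, uv)), ch...)
}
func (d *Device) Sign(origin string, uv bool, ch []byte) Assertion {
	return Assertion{d.ID, origin, uv, ed25519.Sign(d.priv, payload(origin, uv, ch))}
}

// Verify is the service's check: only an enrolled (trusted) device answering this
// service's own challenge for its own domain, unlocked by its user, is granted access.
func Verify(domain string, enrolled map[string]ed25519.PublicKey, a Assertion, ch []byte) error {
	pub, ok := enrolled[a.DeviceID]
	switch {
	case !ok:
		return fmt.Errorf("device %q not registered", a.DeviceID)
	case !ed25519.Verify(pub, payload(a.Origin, a.UserVerified, ch), a.Sig):
		return fmt.Errorf("bad signature (wrong device key or stale challenge)")
	case a.Origin != domain:
		return fmt.Errorf("origin %q is not the trusted service %q", a.Origin, domain)
	case !a.UserVerified:
		return fmt.Errorf("user did not unlock the device")
	}
	return nil
}
```

Because the service verifies against the challenge it issued, a replayed assertion fails the signature check, and because the signed origin is whatever domain the browser really talked to, an assertion produced on a phishing proxy's domain can never satisfy the real service.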

In essence, it’s about adopting a proactive stance towards cybersecurity rather than reacting after an attack has occurred: prevention, not detection. By embracing these principles, small businesses can bolster their defences and protect themselves against the ever-evolving landscape of cyber threats.