Most small and midsized businesses do not have basic cybersecurity prevention measures in place and severely underestimate the likelihood of a cyberattack.
Three-quarters of small and midsized business decision-makers—defined as C-level executives at businesses with 3 to 249 employees—are confident in their ability to prevent cyberattacks effectively, according to the 2023 Cyber Resiliency Report by The Hanover Insurance Group. However, most businesses do not have basic cybersecurity prevention measures in place and severely underestimate the likelihood of a cyberattack.
"Amidst the digital landscape's growing complexities, this new data unveils a stark truth: businesses are at a crossroads between acknowledging the looming cyber threat and taking meaningful actions," says Eric Cernak, president of cyber at The Hanover Insurance Group. "This creates an opportunity for independent agents to talk with their customers about the importance of proactively managing cyber risk and leveraging cybersecurity services."
Most businesses face a level of cyber risk in their everyday operations, with 67% of businesses saying that they store business documents in a public cloud, 64% saying they access business email on personal devices, and 33% saying they connect business devices to public or unsecured Wi-Fi networks, according to the study.
However, only 7% of small and midsized businesses think it's very likely that their business will be impacted by a cyberattack in the next 12 months, despite the fact that half report their business, suppliers or customers were impacted by a data breach or cyberattack over the last 12 months. Also, nearly half (49%) of businesses have not conducted a business-wide cyber risk assessment within the past 12 months.
Further, most small and midsized businesses do not have fundamental cybersecurity prevention measures in place. As many as 62% of businesses do not offer cybersecurity training for all employees, 50% do not use multi-factor authentication and 62% do not use endpoint protection for devices.
And if a cyber breach occurs, the majority of small and midsized businesses are not prepared to respond. As many as 61% of businesses do not have an incident response plan and 81% do not have a post-breach response team.
"This presents an opportunity for independent agents and brokers to discuss these exposures with their customers," the report said, especially due to the disconnect between the perceived likelihood of an attack and the reality of ever-present cyber risk, as well as the absence of a recovery plan.
"For all modern businesses, consistent cybersecurity training is required to keep staff educated on the latest threats in your industry and keep everyone hyper aware of attacks that may come directly to their social media or cell phone," says Lena Taylor, vice president, cybersecurity, Vertafore. "A good rule of thumb to follow is to never trust, and to always verify."
"Understanding the situation by assessing the likelihood of the scenario is your best defense to ward off attackers," Taylor says. "By using clear, frequent, and open communication with your staff, employees will be able to recognize threats, leading to a strong security culture and transparency across the organization."
"A company's security is only as good as its weakest link," Taylor adds. "Cybersecurity works best when everyone in the organization knows they are responsible for keeping data safe."
Will Jones is IA editor-in-chief.