Most small and medium-sized businesses across the U.S. worry about the potential financial and reputational loss resulting from cyberattacks. Yet few will invest in adequate protection measures until they have been actually attacked.
Those are among the findings of an August survey of 500 SMBs in North America commissioned by identity protection firm Okta, which noted that "many [SMBs] fail to recognize the full financial consequences of cyberattacks until they face them."
Sixty-five percent of U.S. SMBs rated the possibility of cyberattacks as a top concern. Close to 70% worried about monetary loss from a cyberattack, and 65% feared losing customer trust.
Yet only 5% of those who had never experienced a cyberattack were willing to invest $200,000 or more in cybersecurity protections. In contrast, 20% of those that had suffered an attack said they would.
That's especially glaring because the survey also reveals that only half of those firms that did experience attacks were able to recover financially or reputationally in one month or less. The others had to suffer lost business and lost trust for a longer period.
The shortfalls in protection among SMBs will become even more apparent soon as attackers ramp up their use of artificial intelligence, predicts Arnab Bose, Okta's Chief Product Officer of Workforce Identity Cloud.
"Many SMBs rely on identity via their email providers," says Bose. "In reality, cybercriminals are targeting these weaknesses. As AI-powered attacks become more sophisticated, SMBs must strengthen their identity protections to safeguard operations and, most importantly, customer trust."
Cobbling together third-party protections
As Bose states, many SMBs — in fact, 90% of U.S. survey respondents — use only the identity protections offered by their third-party email providers, such as password strength checks and single-sign-on (SSO) schemes. The survey also found that to protect their endpoint systems, SMBs often use antivirus software to screen and detect potential malware attacks.
These may have been adequate protections for a small or medium-sized business 20 years ago, but today they're hopelessly outgunned. Phishing scams have gotten much better, especially with the assistance of large-language-model AIs like ChatGPT that fix grammar and spelling errors, and most people reuse passwords already compromised in data breaches.
Traditional antivirus protection may be enough for home consumers, but polymorphic malware that rapidly changes code can easily slip by solutions that rely heavily on signature matching. Businesses, even small ones, need to use endpoint detection and response (EDR) platforms that automatically initiate incident response without having to wait for IT staff intervention.
Underpowered protections increase the risk of a successful compromise or breach, which can have a devastating impact on a business. Nearly half of SMB owners who had suffered a cyberattack reported a noticeable mental toll, not just on themselves but on their employees as well. More than 40% said that customer trust was eroded in the wake of a successful cyberattack.
"The impacts of a cyberattack on small and medium-sized businesses in the U.S. are wide-reaching, encompassing not only financial but also psychological and operational repercussions that can disrupt businesses and their workforces for months," says Bose.
Boosting SMB protections
One relatively inexpensive way to dramatically improve an SMB's security posture is to require multi-factor authentication (MFA) for all users. Depending on the form of MFA used, this can reduce or eliminate the threat of password compromise via phishing.
Furthermore, 76% of survey respondents said they felt their organizations were significantly more secure after implementing both MFA and antivirus software.
The type of MFA that is used can make a difference, with texted or emailed temporary codes the weakest option and FIDO 2.0-compliant platforms like hardware keys, device-bound passkeys or Okta's own FastPass the strongest.
Inexpensive and widely available options include smartphone app-based temporary code generators or push-notification systems offered by major office-software providers.
Creating an internal cybersecurity culture using staff training is also a must. Although 80% of SMB owners in the survey said their employees understood their companies' cybersecurity policies, and 55% said they offered staff security training, other statistics reveal a bleaker picture.
Only 32% of respondents said they offered regular updates to their training. About one in six admitted they didn't update training at all.
Further identity-related steps include incorporating biometric identifiers into MFA schemes — almost every U.S. adult now carries a smartphone with a fingerprint or face reader — and moving away from passwords entirely once multiple other verification factors are available to create a password-free MFA solution.
Another option is to use a full-fledged identity-management solution that can monitor and track user behavior, automatically challenge users with MFA requests if login contexts change, adjust systems permissions when employees move to new positions within the organization, and quickly onboard new employees and deprovision departing ones.
Doing so can be expensive, and many SMBs might not be able to spare the $200,000 that the survey uses as a benchmark for cybersecurity investments. But implementing better security measures will likely result in cheaper insurance premiums, which should offset some of the cost of the security upgrades.
"Today's business owners need a proactive and holistic approach to cybersecurity that can scale with their operational and budget needs," says Bose. "As leaders, it's essential to not only ensure robust security measures but also to empower their teams with clarity and confidence."
