Cybersecurity is not important for small businesses - 15 Dangerous Cybersecurity Myths Day 1

Hello there. Did you know that small businesses are extremely vulnerable to attack from cybercriminals right now and that most don't survive for more than six months after a cyber incident?

John Byrne here, entrepreneur, insurance professional, online educator, and founder of Surviving Cyber. My goal is to help small business owners and managers like you get to grips with this complex subject of cyber risk.

15 Dangerous Cybersecurity Myths 

You may be struggling now, to clearly see the big picture but once you separate the myth from the truth, you can begin to significantly reduce your risk over the next 15 days through this series, I'm going to walk you through "15 Dangerous Cybersecurity Myths You Probably Believe".

I'll explain the thinking behind each myth, why it's dangerous to believe it, and the truth you need to hear so that your small business can stay safe. 

Now, before we dive in, I want to give you access to my free cyber resilience workshop. It's a 60-minute video workshop that will show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link survivingcyber.com/workshop to register now.

 Now today, as we kick off the series, we're going to explore Myth number one, "Cybersecurity is not important for small businesses". I hope you're ready to dive in. I'm John Byrne. This is "15 Dangerous Cybersecurity Myths You Probably Believe".

Myth Number 1

Welcome to Myth number one: "Cybersecurity is not important for small businesses". Now, this is something you often hear small business owners say and it's based on a misunderstanding of the risk that small businesses have.

 You often hear people say: "Cybersecurity is only a concern for big companies in high-risk sectors and my sector and the size of my company means that I'm very low risk and so I'm okay". Now, it's understandable that small business owners might think this way. But it is in fact, a large error to make.

"No one's interested in my small business, I have a low profile, and I've no valuable data. I'm not a target". So, the message here is "I have nothing to worry about because I'm small". This is a mistake in the thinking of the small business owner and the conclusion ultimately is "I have no risk, or I have very low risk and cybersecurity is not really relevant to my small business."

Now, these are opinions that I've heard in the past, from small business owners and it shows a reluctance really to engage with the topic. It's a dangerous myth to think that cybersecurity is not important for small businesses because it leads to the small businesses that are exposed to cyber risk, believing that they're not at risk, and therefore failing to take action. 

It's really a recipe for disaster. As we've seen, most small companies do not survive a cyber-attack for more than six months. So clearly, Myth number one can be very damaging to small businesses, if you believe it.

Truth Number 1

So, what is truth number one? Well, truth number one is that cybersecurity is important for all businesses, regardless of their size, and regardless of their sector. All businesses operate in the digital economy now and for many, many businesses, cyber risk is in fact, their single greatest exposure.

 And once again, a cyber-attack can kill a small business very quickly, and often in less than six months. What we're really talking about here is a catastrophic risk. A cyber-attack for a small business could be a catastrophe and it might never recover from the attack.

Do I have a cyber risk?

If this is the way that you think about cybersecurity, and if you need convincing that it's relevant to your smaller business, maybe consider the following 10 very basic questions or issues. And I think you'll realize very quickly, but there are very, very few companies who don't have any cyber risk.

So what are these 10 very basic issues? Well, the first five are employees, customers, suppliers, credit cards and online banking. Let's have a look at these in turn.

  1. If you have employees, you will have employment-related data. So that could be bank account details for salary payments. It could be tax identification numbers. You could also have medical data for your employees and some very sensitive data. So if you have employees, you have a risk.
  2. If you have customers, you have a risk. And there are no businesses that don't have customers. For customers, you'll have details of the executives of the business, you'll have bank account details, payment details, and so forth. So clearly, you have valuable data on your customers.
  3. If you have suppliers, you have the same valuable data on your suppliers, bank account details, payments, probably payments coming in going out - refunds.
  4. If you have credit cards, or you use credit cards in your business, then you will be capturing payment data, and this is high-risk data that cybersecurity criminals want to get access to.
  5. And the fifth issue is online banking. Nowadays, almost every business is using online banking in one form or another and this means you have access to the bank's online system. But it also means that you're reliant on the cybersecurity controls that you have in place to control your use of online banking.
  6. Let's look at email systems. Very few businesses don't use email and sadly, email is known as a vector, in other words, an attack mechanism for cybercriminals into small businesses. Most of the recent ransomware and phishing attacks have been launched via email. So, if you have email and you use email in your business, then you have an exposure.
  7. IT systems are ubiquitous in every business, including small businesses, so any use of IT systems means you are dependent on the controls around that IT system.
  8.  Social media is a more recent entrant into the risk vectors. Most small businesses now have a Facebook page or a YouTube channel, or some form of online presence, perhaps a LinkedIn page, and all of these present new risks for the business and new access for cybercriminals.
  9. If you trade with large companies, you become part of what's known as the supply chain for that large company and therefore they will have an interest in your cybersecurity. Most small companies are part of the supply chain of a larger company. And therefore, you will have a risk and you will be a point of entry into that large company that makes you attractive to cybersecurity criminals.
  10. And finally, GDPR evidence. One of the principles of GDPR is that you need to have a secure system for control and processing of data, of personally identifiable data and you need to be able to show that you have a valid state of cybersecurity in your small business. Since every company is responsible, and every company falls under GDPR, this is an obvious area of risk even if you're a small business.

So, these are just 10 quick considerations that should hopefully allow you to see that you most likely do have a cyber risk and there are very, very few companies who have no cyber risk. Almost every sector and almost all company sizes are at risk from cybercriminals.

Malware, in other words, malicious software, is cheap, and it's easy to deploy at scale. Small companies get caught not because they are this specific target, but because they get caught up in a net that is thrown by cybercriminals. Ransomware and Phishing attacks against small companies have grown dramatically in 2020 and then again in 2021 and so, all of this is adding to the risks that small companies are facing.

Cybercriminals know that your systems and your data are important to you. They deny you access to your systems to your data and demand a ransom. It is not that they are specifically targeting you. It's simply that you are caught up in a net. It's widely thrown, and it's very effective. So sadly, the truth is that cybersecurity is important for all businesses, regardless of the size and regardless of their sector.

Free Cyber Resilience Workshop

Thanks so much for reading today's post. I hope you found it helpful in exploding this myth and revealing the truth. Don't forget to register for the video workshop using the link survivingcyber.com/workshop. I hope to see you tomorrow as we dive deeper into "15 Dangerous Cybersecurity Myths You Probably Believe" so we can uncover the truth of how to keep your small business safe.