The 3 Big Cyber Mistakes that Most Small Businesses Make

You may have heard that cybercrime is growing rapidly today. In fact, worldwide, cybercrime is expected to reach $6 trillion in 2021 with a cyber-attack taking place every 39 seconds. You may not know that there are three big mistakes that most small businesses make with cyber risk. The good news is that avoiding these mistakes is not difficult, and it will materially improve the risk level in your small business. In this short article, I'll explain the three mistakes and walk you through how you can avoid them in your small business. 

John Byrne here, entrepreneur, insurance professional, online educator and founder of Surviving Cyber. My goal is to help small business owners and managers get to grips with the complex subject of cyber risk. Small businesses are extremely vulnerable to attack from cybercriminals right now. They're the “low hanging fruit” because they lack the understanding of this complex subject and lack resources to deal with it. Sadly, most small businesses don't survive for more than six months after a cyber incident. However, this doesn't need to be the fate of your small business. 

Now, before we dive in, I want to give you access to my free Cyber Resilience Workshop. It's a 60-minute video workshop that'll show you how to create your first survival plan for your small business in 30 days. It's full of practical tips that you can implement. If you don't already have access, use the link to register now.   

Mistake Number 1: The Wrong Mindset 

Now let's dive in with mistake number one: The Wrong Mindset. Most small businesses have a scarcity mindset when it comes to cyber risk. They see it as a complicated problem that's beyond their control and not as a business risk that needs to be managed like any other. They feel overwhelmed by the complexity of the challenge and, as a result, they end up failing to take action, sometimes until it's too late.

While this is an understandable reaction, it leaves small businesses critically exposed to cybercriminals. What the small business owners and managers perhaps fail to realize is that the business environment has fundamentally changed in recent years. 

Digital transformation of business has happened very quickly. It's seen in the dramatic growth in the use of mobile technology, greatly increased online trading, the use of social media by businesses, and the move from on-premises IT systems to cloud-based systems and software. And these are just a few of the trends we could mention in the digital transformation of our businesses.

Also, the legal and regulatory environment has changed dramatically with the introduction of the GDPR in the European Union in 2018. Concerns around data privacy and data security are real issues now for every business regardless of their size, and the expectations of all stakeholders have risen. Big companies are increasingly requiring their small company suppliers to meet minimum cybersecurity standards if they wish to remain in the big company's supply chain. 

Cyber Risk is everyone's reality. This was true before COVID-19 struck in 2020. But now, hybrid working and doing business online is an everyday reality for all businesses and inevitably, cyber incidents against small companies have risen. They've become far more frequent and far more severe. Ransomware, which the FBI estimates tripled in 2020, has been used by cybercriminals to target small businesses. 

In contrast to a scarcity mindset, a growth mindset recognizes that every business is now a digital business and that cyber risk is just one side of the coin - with digital opportunity being the other side. 

Without ignoring the problems, a growth mindset recognizes that there are big advantages available for businesses that “up their cyber game”, so to speak. Becoming a cyber-resilient business helps build trust with all your stakeholders, including your customers, your suppliers, your employees, and your shareholders.

Being able to show progress toward cyber resilience has become important for all small businesses, and it will increasingly be seen as a competitive strength as minimum standards in this area increase. 

So, adopting the right mindset, that is, a growth mindset, is the answer to mistake number one of small businesses. 

Mistake Number 2: No Strategy for Cyber Risk

Mistake number two is having no strategy for cyber risk. Most small businesses have no strategy to manage cyber risk. In effect, this means that all actions are ad hoc, and there's no “joined-up” plan. It also means that these businesses are less likely to survive a cyber incident. Often, lack of a strategy means that cybersecurity is seen as just the responsibility of the "IT guy", rather than a critical risk and a boardroom issue.

A cyber strategy should be simple to understand and straightforward to implement. If the plan isn't understood by the people who need to implement it, failure is almost guaranteed. There are several national and international cybersecurity frameworks to choose from, with varying levels of complexity. And these include the cybersecurity framework of the National Institute of Standards and Technology, or NIST, in the United States. 

My "Five Steps to Cyber Resilience" is a simple strategy for the cyber risk management of small companies. I believe that it's suitable for small businesses that are new to cyber risk, and that want to make a start on their journey to resilience. The five steps of my framework are shown below and I'll explain them briefly: 

1. Assess

2. Reduce

3. Transfer

4. Respond

5. Report

In Step one, "Assess", we begin by identifying the key information assets of the business and assessing the risk to which the assets are exposed.

In Step two, "Reduce", we reduce the risk by implementing controls wherever possible.

In Step three, "Transfer", we decide to either retain the risk or to transfer the risk to an insurance company through cyber insurance.

In Step four, "Respond", we establish our response plan and our response capability for a cyber incident, recognizing that such an incident is almost inevitable someday.

And in Step five, "Report", we set up cyber risk reporting for the Board of Directors or our management team. 

This five-step framework is an easy strategy to understand, and it's straightforward to implement. Adopting this strategy is an answer to Mistake number two of small businesses. 

Mistake Number 3: No Tactical Plan to Implement 

And that leads us to mistake number three: No tactical plan to implement. Most small businesses don't have a tactical plan to implement for cyber risk. They use ad-hoc responses to events as they happen. This is reactive, not proactive. Examples could include a decision to implement two-factor authentication following a phishing attempt, or to update the antivirus or anti-malware defences after contracting a virus through the company's email system.

Where small businesses are taking ad-hoc action, the tactics used won't be coordinated, and they won't always be focused on the essential things, that is, those that are within their ability to control. 

The ad-hoc tactics are also likely to focus heavily on technology risk to the exclusion of the other two pillars of cyber risk: people and governance. Experts estimate that approximately 90% of cyber breaches involve human behaviour. So, failing to provide a staff training and awareness program leaves your small business exposed to people risk.

Similarly, if you have weak governance or no governance over cyber risks from the Board of Directors down through the organization, that will leave your small business exposed to risk. Examples could include having no cyber strategy, no policies and procedures, no board reporting and no incident response plan. 

Implementing a strategy such as the “Five Steps to Cyber Resilience” leads naturally to having a tactical plan to implement in a small business, and it addresses Mistake number three. 

I hope I've shown you that small businesses are under attack from cybercriminals and that the consequences of being a victim are potentially catastrophic. There are three big mistakes that small businesses could make, but this doesn't have to be the case. The mistakes are easily avoided: having the right mindset, a simple strategy, and a clear tactical plan focused on the things that are within your ability to control. That's the way forward.

Thanks so much for joining me and reading today's post. I hope you found it helpful. Don't forget to register now for the video workshop using the link. I hope you'll join me in another article soon.