What a Hack Attack Taught Me About Cyber Security

Just because you're a small business doesn't mean you won't be targeted for a cyber attack. Learn how to protect yourself, your data and your clients.
Contributing Writer, SmallBizTrends.com
December 12, 2012

Recently, my company’s website, SmallBizDaily.com, was hacked. It would have been funny if it weren’t so serious: I headed to our home page as I do every morning, only to see Arabic text and an angry response to the “Innocence of Muslims” video that sparked protests in Egypt and Libya.

Now, my small business in Southern California has absolutely nothing to do with North Africa, Islam, terrorism or politics in general. Why were we selected as a target for this hack? I still don’t know, but I did learn from our Web host that many other websites had been hacked by the same culprit—and that most of them were small businesses. Why were small businesses chosen as targets? Because their Internet security measures are likely to be weak or nonexistent.

False Sense of Security

I’m sharing this somewhat embarrassing story to show how quickly a small-business owner’s sense of online security can be proven false. And apparently, plenty of small-business owners are suffering from a false sense of Internet security—or so found a recent study by Symantec and the National Cyber Security Alliance that polled small businesses (250 or fewer employees) nationwide.

The study discovered small businesses are increasingly dependent on the Internet, with some 87 percent using it for daily operations. About 70 percent say they’re “somewhat” or “very” dependent on it; 66 percent say that dependence has increased in the past year.

What Security Policy?

Small businesses are also well aware of the importance of Internet security, with 73 percent saying it’s critical to their business and 77 percent saying it’s good for their brand. But here’s the shocker: 87 percent of small businesses have no formal, written Internet security policy for employees, and 69 percent don’t even have an informal Internet security policy for employees. Just 23 percent have social media policies for employees to follow. Perhaps most disturbing: Only 38 percent have a privacy policy employees must follow when handling sensitive customer data.

Are small businesses worried about this? Not nearly as much as they should be: 86 percent say they’re satisfied with the levels of security they have in place for employee and customer data. Maybe that’s because they’re living in a dream world: 77 percent think their company is safe, and 32 percent of those say “very safe,” from hackers, viruses or security breaches. Just 16 percent worry at all about external threats to their data or networks, and a mere 2 percent worry about internal threats such as employees accessing or stealing sensitive information.

Even if they did get hacked or suffer a data breach, 47 percent say the event would be an “isolated incident” that wouldn’t impact their business. Maybe that’s why 59 percent have no contingency plan in place for responding to or reporting a data breach such as the loss of customer or employee information, credit card or financial information or intellectual property.

Paying a Price

Clearly, there’s a huge disconnect between the reality of Internet security (which small-business owners aren’t doing much about) and small-business owners’ beliefs in how effective their actions (or non-actions) are. I’m here to say, this disconnect can cost you. Fortunately, in my company’s case, most of what it cost us was time—we don’t collect sensitive data, and nothing was compromised. But we did suffer many hours of downtime as we worked with our Web host to get to the bottom of the hack.

Most small-business owners in the Symantec study (69 percent) say they are responsible for cyber security at their businesses. If you’re as busy as my partners and I are, it’s easy to see how this issue could fall through the cracks. But you can’t afford for that to happen.

A data breach, hack or other cyber security violation could lead to multiple problems, including theft from your business bank accounts, harm to your business reputation, lost sales and lost productivity due to downtime. If customer data is compromised, you could face fines and regulatory issues, not to mention lawsuits from customers. Beyond that, there’s the loss of trust from customers and clients when they discover your business didn’t do enough to protect them. You can’t put a price on that.

The FTC has an online resource to help small businesses develop a cyber security plan. It’s a good starting point. Whatever you do, do start somewhere. Burying your head in the sand is only putting off the inevitable.
