It is believed that some of the most popular cyberattacks on the US in recent years have emerged in Russia, including the 2021 attack on the colonial pipeline – the largest fuel pipeline in the US – the SolarWinds attack in 2020 and the 2016 hacking of the Democratic National Committee.
After Russia invaded Ukraine in January this year, the U.S. government is warning of an increased risk of cyberattacks that Russia could use to try to drag the U.S. into direct conflict. Despite the growing threat, small business owners are no more concerned about a potential cyber attack – and no more willing to fight it if it happens – than a year ago.
CNBC | SurveyMonkey Small Business Survey each quarter surveys more than 2,000 small business owners to understand their views on the overall business environment as well as the health of their own business. In a recent survey, only 5% of small business owners said cybersecurity is now the biggest risk to their business.
From quarter to quarter, the number of those who say cybersecurity is their main risk remains stable and is the lowest priority of the five respondents. Over the same period, the number of small business owners who say inflation is the biggest risk for their business has increased from 31% to 38%, ranking first in terms of risk. Figures reporting supply chain disruptions and Covid-19 as the highest risk have declined.
This latest round of small business polls is the first since Russia’s invasion of Ukraine, although international developments have not had a significant impact on US business sentiment.
Cybersecurity is invariably seen as a last resort for most small business owners when assessing risks.
CNBC | SurveyMonkey Small Business Survey for the second quarter of 2022
While this is not their main concern, nearly four out of 10 small business owners say they are very or slightly concerned that their business will fall victim to a cyber attack over the next 12 months. This trend has also continued for four consecutive quarters, unchanged at all since the Russian invasion of Ukraine.
Small businesses are the least concerned about cyberattacks: only 33% of owners with 0-4 employees are concerned about cyberattacks during the year, compared to 61% of small business owners with 50 or more employees.
Few small business owners assess cyber threats as the greatest risk to business, and less than half consider it a problem, but nonetheless, most express confidence in their ability to respond to cyber attacks. As in previous quarters, about six out of 10 small business owners are very or somewhat confident that they can quickly eliminate cyber attacks on their business if needed.
Cyber-gap between business owner and customer
This general lack of concern among small business owners differs from the mood in the general public. In a SurveyMonkey poll, three-quarters of Americans say they expect businesses in the U.S. to experience a major cyber attack over the next 12 months.
Consumer expectations regarding cyber readiness vary from industry to industry. Most people in the general public say they are confident that their banks (71%), their healthcare professionals (64%) and their email providers (55%) are able to protect them from cybersecurity threats; on the other hand, only 32% expect the social networking platforms they use to be prepared.
We see similar results in small business. Small business owners in the financial and insurance sectors are some of the most confident that they will be able to respond quickly to cyberattacks; more than seven out of 10 say they will be able to fight the attack. Among workers in the arts, entertainment and recreation industry, this figure falls to 50%.
This is important because any cyber attack – even a quick one – can have a lasting negative impact on business. Consumers do not want to fall victim to cybersecurity attacks themselves, and they are afraid to trust businesses that have been compromised in the past. In a SurveyMonkey poll, 55% of people in the U.S. say they are less likely to continue doing business with brands that have fallen victim to cyberattacks.
For small businesses to be truly ready, they need to take more concrete steps. Less than half of each claim to have installed antivirus or malware, strengthened their passwords, or backed up files to an external hard drive to protect their business from potential cyberattacks. Only a third of each involved automatic software updates or multi-factor authentication. Only a quarter have installed a virtual private network (VPN).
These are key actions that most companies in corporate America would view as a bet, but admittedly they are much more expensive to implement in a small business environment. Small businesses that don’t take the cyber threat seriously are at risk of losing customers or more if there is a real threat.