Businesses with fewer than 10 employees are less likely to have ramped up their investment in cybersecurity since pandemic lockdown orders began, according to a new report from the Cyber Readiness Institute.
A survey conducted by the institute, which focuses on cybersecurity for small and medium-size businesses, found that only 45% of business with fewer than 10 employees “increased time, money, or human capital investments as it relates to cybersecurity” since the coronavirus pandemic, while more than 80% of larger businesses had done so. Similarly, the institute found, more than half of small-business owners with more than 10 employees had increased employee cyber education since stay-at-home orders were issued, while just 22% of those under 10 employees had ramped up such training. The survey was conducted from May 24 through May 28.
“This type of survey reveals again that small businesses are struggling in cybersecurity,” says Kiersten Todt, executive director of the Cyber Readiness Institute.
As other organizations have pointed out, the coronavirus pandemic may prove to be a security challenge for many businesses. Ordinary routines and secure practices are disrupted, employees are using home computers and internet connections, and criminals are looking to capitalize on the crisis with phishing messages that pretend to be virus-related missives from businesses and government agencies.
Todt says it’s hard to know just from the survey exactly why smaller businesses seem to be lagging—whether it’s about funding, know-how, or free time. But she emphasizes that lower employee counts don’t mean lower vulnerability to digital attacks, especially without training workers in how to avoid them through good security practices.
“The best thing that small businesses can do is create policies on those issues and educate their employees,” she says.
Todt advises businesses of all sizes and their workers to take some basic steps, such as using secure virtual private network software when possible, avoiding the use of USB sticks that can carry malware, and enabling multifactor authentication to make it harder for hackers to sneak into accounts. She also reminds people working from home to remember to log out of corporate accounts when they’re done using them, especially if they’re sharing computers with the people they live with.
“You have to be really deliberate and conscious about logging out of your network before a child or a spouse jumps on a computer,” she says.
The security risks won’t immediately fade as pandemic stay-at-home orders lift: The survey found 49% of small businesses will still have at least some employees working from home even when restrictions ease, and finding ways for them to collaborate with those working on-site will add its own set of security issues. One possibility, Todt suggests, is that companies may shift funds from pre-pandemic priorities to infrastructure, such as secure software and hardware, that workers need to work safely in the new environment.
“Those may now become essential business expenses,” she says. “You might see that travel budgets start to shift to remote working.”