FedEx. Boeing. Target. When you read about cyberattacks, these are the kinds of companies that make headlines -- multinational companies with billion-dollar revenues and thousands of employees. Problem is, this news coverage makes small and midsize businesses think they're safe from cyberattacks, when the opposite is true.
Vistage recently teamed up with Cisco and the National Center for the Middle Market to determine whether small and midsize companies are prepared for a cyberattack. What our analysis uncovered wasn't reassuring: The majority (62 percent) of small and midsize businesses don't have a sufficient cybersecurity plan, and a quarter (24 percent) have experienced a cybersecurity attack in the last 12 months. On average, each cyberattack costs a small business $188,242, according to Symantec.
If you're the CEO of a small or midsize business, here are four myths about cyberattacks you should be aware of, and actions you should take to protect your company from the hackers circling it.
1. Small businesses don't offer anything of value to hackers.
Fact: Small businesses have credit card numbers, protected health information, employee data, personally identifiable information and other data that hackers can use to take out loans, steal identities, make wire transfers and complete other scams.
Take action: Perform a self-assessment (for example, against the NIST Cybersecurity Framework) and identify the critical assets in your company. This will help you figure out where to prioritize your areas of defense.
2. Hackers only go after large companies.
Fact: The majority of cyberattacks happen to small and midsize companies. They're attractive to hackers because they hold valuable data and can be leveraged to break into larger companies. In 2013, hackers were able to breach Target via one of the partners in its supply chain.
Take action: Educate yourself about the threats that your business is at risk for. Small and midsize businesses are particularly vulnerable to malware attacks, ransomware, business email compromises, supply chain hacking, remote access trojans, drive-by downloads, spyware infections and security breaches via IoT.
3. Most hackers aren't dangerous; they're just teenagers.
Fact: Hackers are sophisticated computer criminals who are constantly refining and adapting their tactics. They are organized and ruthless.
Take action: Because cyber threats are always evolving, you should review your cybersecurity plan on a regular basis -- ideally every six months -- to make sure it's robust enough and up to date. It's best to engage a cybersecurity expert in this process.
4. Law enforcement will protect me from a cyberattack.
Fact: Law enforcement doesn't have the time, resources or staff to protect most companies from cyberattacks.
Take action: Internal IT resources are not the equivalent of a cyber specialist. Hire a cybersecurity professional who has certifications such as Certified IS Security Specialist (CISSP), Certified IS Auditor (CISA) and Certified Ethical Hacker (CEH). In addition, make sure your company is fully compliant with cybersecurity regulations, such as NIST, PCI, SOX and HIPAA.