4 Reasons Small Business Doesn't Invest in Cybersecurity

Cybersecurity is important for every business including small businesses. 43% of cyber attacks target small businesses.[1] Despite that, one in three small businesses with 50 or fewer employees rely on free or consumer-grade cybersecurity tools. One in five companies does not use any endpoint security whatsoever.[2] If cyberattacks are such a big threat for small businesses then what is keeping them from taking action?

Small businesses have limited staff and limited funds. Cybersecurity in general is not a requirement for small businesses, even if it was, regulators, in general, do not audit small businesses. Large companies do not always force companies in their supply chain to meet any basic cybersecurity requirements and consumers only seem to care when they are impacted by a data breach. So for many small businesses cybersecurity isn’t high on the priority list.

Small businesses don’t have the personnel to maintain a basic cybersecurity program and in general, don’t care to hire a consultant. Why? Because cybersecurity is a cost center. The money a small business injects into security doesn’t generate revenue. In a small business, it is very difficult to prove the cost savings created by cybersecurity. So if a business has a limited amount of funds then it would rather spend it on something that can generate more revenue. After all, the ultimate goal of a business is to generate as much revenue as possible with the least amount of cost.

Based on the conversations I have had with small businesses trying to meet U.S. Department of Defense cybersecurity requirements I noticed a trend where small businesses are tired of cybersecurity companies offering over-priced services that they don’t need. The cybersecurity community definitely needs to work on this because we are creating a negative image of ourselves.

Small business owners are concerned that cybersecurity controls will impact worker productivity. The fewer privileges a user has on their system the less they can do. If revoke admin rights from employees then they will need help installing software and making other changes. To a business owner, this means less productivity even though you may end up saving more time by keeping systems clear of malware.

When a layman hears the word cybersecurity they think of complex computer codes running across a screen just like they saw in a Hollywood film. They don’t immediately think about changing firewall configurations or deploying antivirus software to all of their endpoints. Because it seems complicated it seems like a big effort and is perhaps expensive. In reality, small businesses do not do much to achieve basic cyber hygiene.

1. 43% of Cyber Attacks Still Target Small Business while Ransomware Stays On the Rise

2. 60% of Small Businesses Do Not Have a Cybersecurity Policy: Survey