America's small businesses aren't ready for a cyberattack

Small business owners consistently leave cybersecurity off their list of top risks. The level of threat is higher than they think, and customers are worried.

America's small businesses aren't ready for a cyberattack

Some of the highest profile cyberattacks on the U.S. in recent years are alleged to have originated in Russia, including the 2021 attack on the Colonial Pipeline — the largest fuel pipeline in the U.S. — the SolarWinds attack in 2020, and the 2016 hacking into the Democratic National Committee. 

Since Russia invaded Ukraine in January of this year, the U.S. government has warned of an elevated risk of a cyber attack, which Russia could use to try to draw the U.S. into a direct conflict. Despite the increased threat, small business owners are no more concerned about a potential cyber attack — and no more prepared to deal with one should it occur — than they were a year ago.

The CNBC|SurveyMonkey Small Business Survey checks in with more than 2,000 small business owners every quarter to understand their outlook on the overall business environment along with their own business's health. In the latest survey, just 5% of small business owners reported cybersecurity to be the biggest risk to their business right now. 

Quarter over quarter, the number saying cybersecurity is their top risk has held steady and is the lowest priority out of the five surveyed. In the same time period, the number of small business owners who say inflation is the biggest risk to their business has increased from 31% to 38%, holding the top spot in terms of risk. The numbers reporting supply chain disruptions and Covid-19 as the biggest risk have both declined. 

This latest round of the Small Business Survey is the first to field after the Russian invasion into Ukraine, though the international events have had no perceptible impact on small business sentiment in the U.S. 

Cybersecurity has consistently ranked as an afterthought for most small business owners when making risk assessments.

CNBC|SurveyMonkey Small Business Survey Q2 2022

While it isn't their top worry, almost four in 10 small business owners say they are very or somewhat concerned their business will be the victim of a cyber attack within the next 12 months. This trend, too, has held steady for four straight quarters, with no change at all since the Russian incursion into Ukraine. 

The smallest of small businesses are the least concerned about cyber attacks: just 33% of owners with 0-4 employees are concerned about experiencing a cyber attack within a year, compared with 61% of small business owners who have 50 or more employees. 

Few small business owners rate cyber threats at their top business risk, and fewer than half consider it to be a concern, but nevertheless a majority express confidence in their ability to respond to a cyber attack. Just as in previous quarters, about six in 10 small business owners are very or somewhat confident that they could quickly resolve a cyber attack on their business if needed. 

Cyber disconnect between business owner and customer

This general lack of concern among small business owners diverges from the sentiment among the general public. In SurveyMonkey's own polling, three quarters of Americans say they expect businesses in the U.S. to experience a major cyber attack within the next 12 months. 

Consumers' expectations for cyber-preparedness vary from industry to industry. A majority of people in the general public say they have confidence that their banks (71%), their health-care providers (64%), and their email providers (55%) are equipped to protect them from cybersecurity threats; on the other hand, just 32% expect the social media platforms they use to be prepared. 

We see similar results in the small business realm. Small business owners in the finance and insurance industries are some of the most confident that they would be able to quickly respond to a cyber attack; more than seven in 10 say they would be able to combat an attack. Among those in the arts, entertainment, and recreation industry that number falls to 50%. 

That's important, because any cyber attack – even one that is quickly resolved – can have a long-lasting negative impact on a business. Consumers would rather not be the victim of a cybersecurity attack themselves, and they are wary to trust businesses that have been compromised in the past. In SurveyMonkey's polling, 55% of people in the U.S. say they would be less likely to continue to do business with brands who are victims of a cyber attack.

For small businesses to truly be prepared, they need to take more concrete steps. Fewer than half each say they have installed antivirus or malware software, strengthened their passwords, or backed up files on an external hard drive to protect their business against potential cyberattacks. Only a third each have enabled automatic software updates or enabled multi-factor authentication. Just one quarter have installed a virtual private network (VPN). 

These are basic actions that most companies in corporate America would consider to be table stakes, but they are admittedly much more costly to implement in a small business environment. Small businesses that fail to take the cyber threat seriously risk losing customers, or much more, if a real threat emerges.