Some of the most high-profile cyberattacks against the United States in recent years are believed to have originated in Russia, including the 2021 attack on the Colonial Pipeline – the largest fuel pipeline in the United States – the 2020 SolarWinds attack and the 2016 hack into the Democratic National Committee.
Since Russia invaded Ukraine in January of this year, the US government has warned of a high risk of cyberattack, which Russia could use to try to draw the United States into a direct conflict. Despite the heightened threat, small business owners are no more concerned about a potential cyberattack — and no more prepared to deal with it if it does occur — than they were a year ago.
The CNBC|SurveyMonkey Small Business Survey checks in with more than 2,000 small business owners each quarter to understand their outlook on the overall business environment as well as the health of their own business. In the last surveyonly 5% of small business owners said cybersecurity was the biggest risk to their business right now.
Quarter after quarter, the number of people saying cybersecurity is their top risk has remained stable and is the lowest priority out of five respondents. Over the same period, the number of small business owners who say inflation is the biggest risk to their business has risen from 31% to 38%, taking the top spot in terms of risk. Figures pointing to supply chain disruptions and Covid-19 as the biggest risk have both declined.
This latest round of the small business survey is the first to take place after the Russian invasion of Ukraine, although international events have had no discernible impact on small business sentiment in the United States.
Cybersecurity has always been categorized as an afterthought for most small business owners when assessing risk.
CNBC|SurveyMonkey Q2 2022 Small Business Survey
Although not their main concern, nearly four in ten small business owners say they are very or somewhat worried about their business being the victim of a cyberattack in the next 12 months. This trend has also held for four consecutive quarters, with no change since the Russian incursion into Ukraine.
The smallest of small businesses are the least concerned about cyberattacks: only 33% of owners with 0-4 employees are worried about experiencing a cyberattack within a year, compared to 61% of small business owners with 50 or more employees.
Few small business owners rate cyber threats as their top business risk, and less than half consider it a concern, but nonetheless a majority express confidence in their ability to respond to a cyberattack. Similar to previous quarters, about six in 10 small business owners are very or somewhat confident that they could quickly resolve a cyberattack on their business if needed.
This general lack of concern among small business owners diverges from the sentiment of the general public. In SurveyMonkey’s own pollthree-quarters of Americans say they expect businesses in the United States to experience a major cyberattack in the next 12 months.
Consumer expectations for e-readiness vary from industry to industry. A majority of people in the general public say they are confident that their banks (71%), healthcare providers (64%) and email providers (55%) are equipped to protect them against cybersecurity threats; on the other hand, only 32% expect the social media platforms they use to be prepared.
We see similar results in the area of small businesses. Small business owners in the finance and insurance industries are among the most confident in their ability to respond quickly to a cyberattack. more than seven in 10 say they would be able to fight off an attack. Among those in the arts, entertainment and recreation industry, that number drops to 50%.
This is important because any cyberattack, even if quickly resolved, can have a lasting negative impact on a business. Consumers prefer not to fall victim to a cybersecurity attack themselves, and they are hesitant to trust companies that have been compromised in the past. In SurveyMonkey’s poll, 55% of people in the United States say they would be less likely to continue doing business with brands that suffered a cyberattack.
For small businesses to be truly prepared, they need to take more concrete steps. Less than half say they have installed anti-virus or malware software, strengthened their passwords, or backed up files to an external hard drive to protect their business from potential cyberattacks. Only a third each have enabled automatic software updates or enabled multi-factor authentication. Only a quarter have installed a virtual private network (VPN).
These are basic actions that most corporate America would consider table stakes, but they are admittedly much more expensive to implement in a small business environment. Small businesses that don’t take the cyber threat seriously risk losing customers and more if a real threat emerges.