While insulating your business from cyberthreats seems expensive and daunting, simple actions, like ongoing training on best practices, help minimize your risk of being a target. — Getty Images/shapecharge

Small and medium-sized businesses (SMBs) are often unprepared for today's cyber challenges. According to the Cyber Readiness Institute's (CRI) 2024 "The State of Cyber Readiness Among Small and Medium-Sized Businesses" report, only 17% of SMB respondents consider their cybersecurity skills "effective" or "somewhat effective," while 55% view them as "ineffective" or "somewhat ineffective."

"SMBs face an uphill battle with limited budgets, expertise, and time, as well as the misconception that their size makes them unlikely targets," wrote CRI in a press release. "All contribute to the risks facing SMBs, and in turn, their customers, suppliers, and supply chain partners."



Top obstacles and solutions to SMB cybersecurity

According to the CRI's report, there are five key reasons why SMBs struggle to implement cybersecurity strategies.

Perceived cost of cybersecurity solutions

Cybersecurity implementation costs can be a significant barrier for SMBs. Many SMBs believe the current solutions to monitor cybersecurity are either unaffordable or incompatible with their existing technologies.

However, financial incentives like tax breaks, government grants, and subsidies are available to cybersecure businesses. Some insurance companies also offer reduced premiums to organizations that have prioritized cyber readiness.

Lack of understanding of the risks

While they often recognize the general importance of cybersecurity, many SMBs don't understand the specific cyberthreats (and their resulting effects) that could affect their businesses.

"In many ways, it comes down to education and culture," said Karen S. Evans, Managing Director of the CRI. "It may seem daunting, but there are a variety of easy-to-access resources available online covering the basics of cyber readiness and helping small business owners and their employees understand — and then act — in ways to promote cultures of cyber readiness."

Competing priorities within the business

Entrepreneurs have a lot on their plates; for many, cybersecurity isn't at the top of their lists. That's why Evans suggests letting somebody else build a culture of cybersecurity for you.

"Appoint … a 'cyber leader' to act as a champion for the business," Evans said. "This person should be someone who has the respect of [their] fellow employees, communicates well, and can positively influence behavior. They create a culture of cyber readiness by periodically reminding their colleagues of just how important good cyber hygiene is to the continuing success of any business."

Lack of solutions and incentives designed for SMBs

Although cybersecurity solutions exist, they may not be practical for SMBs due to constraints like a limited workforce or prohibitive costs. There is also a lack of incentives for SMBs to prioritize cybersecurity.

Without a push from external forces, many businesses struggle to implement changes without straining resources. This reluctance exposes them to threats like ransomware attacks, phishing emails, and business email compromise (BEC) attacks.

According to Evans, the CRI is calling for a "dramatic increase in the number and types of incentives supporting SMB audiences" from insurers, organizations that work with SMBs, and government agencies at all levels. Insurance providers can have a major impact if they offer incentive programs for SMBs that demonstrate cyber readiness, and Evans encouraged SMBs to proactively ask their insurers about such programs.

Lack of awareness training for employees

Many cyber incidents stem from employees' lack of awareness, whether they unknowingly encounter a phishing scam or inadvertently install malicious software. However, addressing human behavior can eliminate at least three-quarters of the causes of cyber incidents.

Focus on building awareness and developing a culture that values cybersecurity — this starts at the top. Offer training on best practices and emphasize the importance of practicing cybersecurity to your team.


Be proactive about small business cybersecurity

Don't wait until your business needs cybersecurity, said Evans. Being proactive rather than reactive can protect both your business's finances and its reputation.

"In some ways, cyber hygiene is no different than physical hygiene," Evans said. "Once you've made it part of your culture, part of your daily routine, or, quite simply, 'business as usual,' you’ve positioned your organization to be better protected and can then focus on what you do best."
