- Nearly 6 in 10 small businesses report they have experienced a cyberattack.
- Attacks take companies an average of 146 days to detect.
If your favorite yoga studio or local hardware store doesn't have cybersecurity measures in place, it might be time to worry — most small businesses that have been targeted by cyberattacks don't realize it.
A survey of small-business owners by Nationwide found only 13 percent of respondents believed they had experienced a cyberattack. However, when owners were shown a list of specific examples of attacks, including phishing, viruses and ransomware, the figure of those reporting attacks increased to 58 percent.
"Although awareness is increasing, small-business owners are still not even realizing when they've been victims of cyberattacks," said Karen Johnston, technical consultant for Nationwide. "Small-business owners have a misconception that cybercriminals are only targeting large corporations, but that couldn't be further from the truth."
Phishing emails are the most common form of successful cyberattack, according to the Better Business Bureau, which released a report Thursday on the state of cybersecurity among North American small businesses.
About a quarter of small-business respondents to BBB's survey had not heard of phishing. About a third had not heard of ransomware, and nearly half had not heard of point-of-sale malware. Point-of-sale systems were involved in three-quarters of cyberbreaches involving the hotel and restaurant industry, according to the BBB.
"Small businesses may feel like there's nothing they can do," said Michael Kaiser, executive director of the National Cyber Security Alliance. "They may also feel like they're not going to be the target of an attack because they don't have as much to protect."
Hackers may attack small businesses in order to gain access to data on customers and employees, such as credit card information and Social Security numbers, Kaiser said. Passwords and authentication data were the most common data targets in attacks on small businesses, followed by payment data, according to the BBB.
In other cases, cybercriminals may attack small businesses in order to access larger companies they do business with, Kaiser said. When hackers gained access to Target in 2013, for example, they did so through the company's HVAC vendor, Kaiser said.
Nearly 90 percent of businesses reported having put in place some cybersecurity protection, according to the BBB. The most common preventative measures taken were using antivirus protection, which 81 percent of small businesses reported using, and using a firewall.
Although small businesses may lack the resources and sophistication of larger companies in fending off attacks, that doesn't mean consumers are necessarily safer when they do business with large firms.
"Equifax is a perfect example of a large sophisticated business, which actually has a significant cybersecurity budget, and yet they were not able to protect themselves," said Adam Bobrow, chief executive officer of Foresight Resilience Strategies. "You can't use a company's size as an indicator of whether it's going to be cybersecure."
And small businesses aren't the only companies facing challenges in recognizing when they have been attacked. On average, companies around the world take 146 days to detect a cyberattack, according to a 2017 report by FireEye and Marsh & McLennan Companies.
Small businesses looking to boost security measures can start with free or low-cost fixes such as updating computers, initiating multifactor authentication for email accounts and providing employees with additional training, Kaiser said.
Consumers should avoid reusing passwords among multiple websites, and should instead make sure to use a long, unique password for every company they have a login with, Bobrow said. He personally uses a password manager to do so, he said.
"Reusing passwords is deadly," said Bobrow. "If someone steals your credentials from one company, they potentially have access to so many other websites and stores of information about you."
Consumers should also think twice about when they give out personal information, and whether it's truly necessary in the context at hand, Bobrow said.
"If a company asks for the last four digits of your Social Security number, ask 'do you really need that?'" he said. "You can't undo that those four digits are out there."