Investing in technology is top of mind for small business owners — with 44% saying they plan to invest in resources related to the Internet of Things, or IoT-connected devices, for their business in 2020, according to new research from the latest CNBC|SurveyMonkey Small Business Survey. That's more than twice the number who say they plan to invest in cybersecurity software (20%).
So should small business owners be doing more to make sure smart IoT technologies like thermostats, power strips and bar code readers don't get hacked as they invest in new IoT gadgets?
"They're not mutually exclusive," says David Kramer, who serves small and midsize businesses as president and CEO of Domain Consulting Group and Domain Technology Group in Reading, Pennsylvania. "If you invest in IoT, it has to have a very serious component of cybersecurity. You don't want your devices hacked or infiltrated."
Whether small business owners will act on plans to buy IoT devices remains to be seen. Although the survey found that many small business owners plan to, Dan Faggella, founder of Emerj Artificial Intelligence Research in Boston, says he believes investment in IoT is relevant for "a remarkably small number of smaller businesses.
"To be honest, a lot of this is just knickknacks and toys," he says. "It's hype-y."
Generally speaking, Faggella says, "It's safe to say that cybersecurity, in the growth of the business — whether you are fixing HVAC systems or selling knives door-to-door — is going to come first in your business strategy. Essentially, 100% of the time cybersecurity is going to come before some kind of fancy strategy for essentially any small business."
But not all small businesses have a strategy in place. The Verizon 2019 Data Breach Investigations Report found that 43% of cyberattacks target small businesses, with 52% of breaches coming from hacking.
Small businesses an easy target for hackers
One reason small business owners get caught unaware is because they don't understand why anyone would target them, given that their firms lack the deep pockets of big companies.
"Some are taking a risk, saying, 'I don't see this happening to me. I don't understand why someone would attack me,'" says Larry Goncea, senior IT consultant at Domain Technology Group. "They still don't understand the concept of the low-hanging fruit."
Others procrastinate. "Some are throwing their hands in the air and saying, 'I'll think about this later on. I don't have time for it right now,'" says Goncea.
But hackers find going after small firms very profitable and have gotten sophisticated in gathering information on companies, so they can, for instance, easily spoof an email from a vendor and ask for payment. "They go on LinkedIn and get a lot of information on their CFO or CEO," says Goncea.
Kramer says most of the calls he gets from small business owners in distress result from "social engineering," where someone tries to persuade a small business owner to move money to criminals using phishing emails or false pretenses.
"In one case, the owner instructed their CFO to move the money," Kramer says. "They did. The recipient bank knew it was an account used for fraudulent purposes."
How small businesses can protect against hacks
So what can small business owners do to protect themselves?
Shaun St. Hill, CEO of Tech & Main, an Atlanta-area technology services provider specializing in cybersecurity, says the first step is for small business owners and their advisors to perform a security risk assessment.
"Make sure you know what is going on with these devices and your network," says St. Hill. "When it comes to connected devices, you need to do network segmentation. These devices need to be on a separate local area network, or LAN. That way, those devices are not tied to your main network. It gives you another layer of protection if a hacker is trying to get into your environment."
Ideally, St. Hill recommends that small business owners get help from trusted professionals. "I'm willing to guess that if the company does have a security program or they are investing in a chief information security officer, that 20% would have been significantly higher," he says.
Some are taking a risk, saying, 'I don't see this happening to me. I don't understand why someone would attack me.' They still don't understand the concept of the low-hanging fruit.Larry Gonceasenior IT consultant at Domain Technology Group
Small business owner Rajesh Srivistava, founder of priceSeries, a Sunnyvale, California-based maker of a software that helps traders analyze and respond to the market, worked in the cybersecurity field before starting his one-man business, which has more than $1 million in annual revenue. He is a fan of using "clean pipes" technology — available from companies such as Zscaler — to remove the right of way that criminals use to gain access via a broadband network.
"You can safeguard yourself with the latest and greatest technology out there," says Svrivistava. "It's time to pay $50 and shift the responsibility off of your shoulders."
The first-quarter CNBC survey, released last week, was conducted Feb. 3–Feb. 10 and includes responses from more than 2,100 small business owners nationwide. The survey is conducted quarterly using SurveyMonkey's online platform and based on its survey methodology. To see the full results of the CNBC/SurveyMonkey Small Business Survey, click here.
