Protecting Your Most Valuable Assets


By Bill Fanelli

Survey findings debunk myths about cybersecurity and small businesses.


In a world where cyber disasters are increasing at record speed, it’s important for businesses to protect their assets.

In a 2017 cybersecurity report by Better Business Bureau (BBB), more than half of the 1,100 small businesses surveyed reported they could remain profitable for only a month if they lost essential data. Most businesses cannot afford the significant revenue loss from being down for even just a few minutes, much less hours or days. The Ponemon Institute’s 2017 Cost of Data Breach Study estimates that each lost record in a data breach costs businesses an average of $141.

Despite the prevalence of cybersecurity breaches, BBB found in its 2017 survey that there are a number of misconceptions about cybersecurity and its impact on small businesses.

Here are three of these myths, plus some advice to mitigate the risk of a cybersecurity breach.

Myth 1: My business is too small to attack.

One of the most interesting findings from BBB’s 2017 report is that small businesses realize they are an opportunity to attackers just like large businesses. Small businesses actually overperceive their risk of being a victim and losing money in the next 12 months. The perceived risk of a loss in the next 12 months is approximately four times greater than currently reported losses in the past 12 months. Despite this motivation, small businesses have firewalls and anti-virus software in place, but often not much else.

Imagine you have a storefront. Bad guys look for any unlocked doors, and if they find one, they’ll come back and take what they want. Now apply this concept to cybersecurity. The culprits check for vulnerabilities, and then they break in and steal your data. Cyberattacks used to involve a manual process. Now they’re automated: When a robot finds your website or your email server, it doesn’t care how big or small your business is. It has a routine to find a weak spot where it can get in and take your data.

Myth 2: I can’t protect my business from a cyberattack.

Think about cybersecurity in terms of risk management. You need to have a strategy for appropriate levels of security. If we revisit the idea of having a storefront, does it matter if a kid comes in, steals a piece of bubble gum, and runs out? Maybe it matters to you, but not enough to put protection in place to prevent it from happening again. But what if someone steals a case of beer? You might be more concerned and do something about it.

It’s the same with managing risk. Every business is under threat, and every business can put protections in place. Think about the size of your business and the data involved. There are basic levels of protection that every business should have, like a firewall in your router and anti-virus software. You should also be paying attention to what you and your employees are doing — and that means training. We call it the chair-to-keyboard interface. It’s where the worst things can happen. If you get an email from someone you don’t know, and it has a link, and you click on it, bad things can happen. In over 90 percent of data breaches, the bad guy got in through a phishing email (Verizon, 2017). By far, training your staff is the most cost-effective cybersecurity investment.

Myth 3: My financial institution will cover my losses from a cyberattack.

Half the respondents to BBB’s 2017 cybersecurity survey believe a business bank account is protected like a consumer bank account. If someone breaks into your consumer checking account, the burden of proof is on the bank to show you were negligent. Generally, your bank will not be able to prove that, and the bank will replace the money. But for a business in the U.S., that’s not the case.

If a phishing attack targets the treasurer of your company and an attacker gets into the corporate bank account, a lot of money could be stolen. It’s important to understand that the business is responsible. The bank will not pay you back. Many larger companies have cybersecurity insurance so they have coverage if a breach occurs.

According to BBB’s 2016 small business cybersecurity report, small businesses lost an average of $4,400 per bank account breach. A loss like that can have a significant impact on a small business.

Mitigating Risk

Don’t wait until there’s a security breach to do something. BBB’s 2016 report shows that many small businesses should be applauded for their integrity: 80 percent of businesses said they would notify their customers or their employees of a breach, depending on what sort of data was lost. However, only 20 percent of businesses have a plan for how to do that.

Forty-eight U.S. states and three Canadian provinces have breach notification laws in addition to federal laws, and no two laws are the same. You need to figure out your communication plan before you have a breach because there usually are timelines and rules that apply, and high fines if you don’t comply.

So create a plan. Be ready if a cybersecurity breach occurs.

BBB’s 5 Steps to Better Business Cybersecurity will help you identify and protect your business’s assets and detect, respond to, and recover from a cybersecurity incident. Download this resource at


Better Business Bureau. (2016). The state of cybersecurity among small businesses in North America. Arlington, VA: Author.
Better Business Bureau. (2017). 2017 state of cybersecurity among small businesses in North America. Retrieved from
Ponemon Institute. (June 2017). 2017 Ponemon cost of data breach study. Retrieved from
Verizon. (2017). 2017 data breach investigations report. Retrieved from
Bill Fanelli is Chief Security Officer for Council of Better Business Bureaus. He leverages his 30 years of proven leadership experience in security and enterprise management to bring clarity and focus to the complex issues surrounding cybersecurity. Currently, Fanelli develops the cybersecurity policies that are followed by Better Business Bureau and disseminated to over 380,000 accredited businesses within its networks.