Survey: Why Cybersecurity is a Top Concern of D.C.-Area Small Businesses

By Laura Newpoff, Contributor, The Business Journals Content Studio

The massive shift to work-from-home throughout the pandemic brought with it fundamental changes to the business community’s security posture. Suddenly, employees weren’t protected by firewalls, on-site networks or antivirus software installed at the office. In many instances, they worked from personal computers at home, and the remote nature of their jobs meant nearly every function was being done online.

The abrupt shift led to massive spikes in data breaches. Cyber intelligence firm Group-IB estimated that ransomware attacks surged by more than 150% in 2020 and caused 18 days of average downtime. The average demand grew to $170,000, and high-end demands exceeded $1 million.

Correspondingly, for small businesses, there’s been a year-over-year increase in the level of concern about cybersecurity risks. In The Washington Business Journal’s third annual State of Small Business Survey, once again sponsored by Sandy Spring Bank, small firms said cybersecurity risks are their second-biggest worry behind only the state of the economy.

According to the Sandy Spring Bank Small Business Report, cybersecurity risks and supply chain disruptions recorded a higher degree of concern vs. last year.

The purpose of the research was to understand how small businesses are faring and what they need to succeed.

For small businesses in particular, because they don’t have the financial resources large corporations have, a ransomware attack can put them out of business, said Jason McNew, senior engineer, cybersecurity risk and compliance at Appalachia Technologies LLC, a Mechanicsburg, Pennsylvania, company that services clients in Baltimore and Washington, D.C.

“Anything and everything is a target, and it’s not just large businesses the attackers go after,” McNew said. “Think of it like going into a stadium to watch a baseball game and then people come out and see that 200 car windows have been smashed. The criminals were looking for something inside every single car, and it didn’t matter what kind of car it was. Cybercriminals will go after small businesses because they are considered low-hanging fruit.”

In addition to the pandemic, there are other reasons small firms are more vulnerable to cybercrime these days, said Brian Miller, CEO and founder of FusionTek, an IT firm with offices in Washington, D.C. and Seattle. Rogue actors are developing malware and ransomware and subcontracting them out to other bad actors with whom they split the profit. “It’s become a business model,” Miller said.

Second, the attacks have become much more sophisticated and are constantly evolving. While Microsoft Windows is moving toward a “zero trust” security approach across its platforms, Miller said businesses use a variety of other platforms, which allows hackers to gain access in different ways. Zero trust is a belief that a business should not trust anything inside or outside its walls before verification.

Making cybersecurity a priority

According to the State of Small Business Survey, more small firms expect to expand investments in their business this year than last year.

According to the Sandy Spring Bank Small Business Report, over one third of respondents plan on expanding investments in their business compared to last year. Only one quarter anticipate reducing investments.

Of those planning to invest in their business, roughly four out of 10 have IT investment plans.

According to the Sandy Spring Bank Small Business Report, there was a significant increase this year among those who plan to increase their investment in environmental, social and/or governance concerns.

McNew said cybersecurity should be a top investment priority for all firms, and those that don’t embed it into their corporate culture will be at a competitive disadvantage.

“Cybersecurity is not an IT problem. Cyber is an organizational problem,” McNew said. “Any organization’s purpose is to manage risk. So, this has to come from the top down at the leadership level to say, ‘The organization is going to focus on this.’”

Miller said small firms that don’t have rigorous cybersecurity protocols may find themselves excluded from doing business with larger companies with more mature cyber practices that require their partners to have secure controls in place.

Another consideration is that cyber insurers require their customers to have certain security measures established to qualify for coverage — and increasingly, they are adding ransomware addendums to policies.

Getting started

Investing in a cybersecurity solution tailored to a company’s specific needs also will bring with it a return on investment, said Adam Darrah, director of threat intelligence services at ZeroFox in Boston.

“It might be as simple as providing training to the employee who ‘does computers’ or something more comprehensive,” Darrah said. “Imagine if you could get out in front of a threat and warn a valued customer about their identity being stolen, even though that is technically outside of your business model. The correct implementation of a tailored cybersecurity solution will add value to your brand. Customers are plugged into what's going on in the world, becoming more sophisticated and will experience the difference and reward you accordingly.”

For small firms that don’t know where to start, McNew recommends getting familiar with the National Institute of Standards and Technology’s Computer Security Resource Center. It’s the place to find a framework called “Small Business Information Security: The Fundamentals.” 

He also noted that firms should make sure they are working with qualified cybersecurity experts. While a person needs a license to cut hair or ink a tattoo, there’s no such requirement to offer cybersecurity services.

“This is every bit as complicated as being a lawyer, but you don’t have to have a government-sanctioned license,” he said. “So, the vetting process lies with the consumer.”

Once a company commits to a robust cybersecurity posture, there are five ways it can protect itself from attacks: ongoing education about how cyberattacks occur, multi-factor authentication for log-ins, ongoing employee training, proper cyber liability insurance and business continuity planning.

“Every firm has information that is sensitive,” Miller said. “Protecting that information is the best way to ensure a small business doesn’t increase the odds of reputational risk, legal risk and financial risk.”

Sandy Spring Bank has more than 50 locations across Maryland, Virginia and Washington, D.C.

Laura Newpoff is a freelance writer with The Business Journals Content Studio.

Source: The Washington Business Journal’s third annual State of Small Business Survey, sponsored by Sandy Spring Bank.

The Washington Business Journal is not affiliated with Sandy Spring Bank.

This material is provided solely for educational purposes and is not intended to constitute tax, legal or accounting advice, or a recommendation for any particular transaction.

Websites not belonging to this organization are provided for information only. No endorsement is implied.