Less than one-fifth of finance executives at small and midsize businesses say their companies have experienced a cybersecurity attack in the last 24 months, according to a survey conducted by CFO in early February 2016. The 22% of finance executives reporting an attack is significantly less than the 42% of finance executives at larger companies who report experiencing such incidents in the last 24 months.
But cybersecurity is still high on the agenda for CFOs and other finance department managers at small and midsize companies (those with less than $100 million in revenue), the survey found. It is a top 10 business concern for 57.5% of respondents and the number one business concern for 4.3%.
Nearly 40% of finance executives at small and midsize businesses say they will increase their total spending on cybersecurity within the next year (another 57.2% say their total spending will remain the same as in the past 12 months), according to the survey. That 40% is somewhat less than the 62% of finance executives at larger businesses who say they will increase expenditures related to cybersecurity within the next year.
What aspect of a potential cybersecurity attack worries finance executives at small and midsize businesses the most? Theft of customers’ personal identifying information was at the top of the list, at 32.7%, followed closely by financial loss (31.4%). Reputational damage was the top worry for 26.2% of respondents. In open-ended responses, finance executives cited loss of operational data or loss of intellectual property, as well as disruption of service to customers, as other major concerns.
Many small and midsize businesses have already taken concrete steps to address those worries. About 56% of small and midsize businesses say they have conducted employee awareness training, the most commonly cited measure taken, followed closely by a new assessment of cybersecurity risk (54.4%). But only 33% have developed an incident response plan (compared with 51% of larger companies — those with more than $100 million in annual revenue).
Less common actions taken by small business finance executives are buying cyber insurance (23.9%), estimating the cost of a cyber attack (11.7%), or hiring a chief information security officer (9.1%). Given survey respondents’ worries about attack-related financial loss, the lack of activity around determining the actual costs of a cyber attack is striking.
What other steps have small and midsize companies taken to shore up cybersecurity? Respondents cite hiring outside firms to manage cybersecurity, encrypting databases, intrusion testing, changing operating procedures, and upgrading software solutions like firewalls.
Despite all these measures, small and midsize businesses recognize that there is still much to be done. When asked what area of cybersecurity they need to improve most, 27.6% of small business finance executives say “overall network protection”; 25.9% employee awareness; and 21.5% threat detection. Another 8.6% say their incident response plans still need work, and 7.8% cite endpoint detection of cyber threats.
So how much are these businesses budgeting for minimizing their cybersecurity risks? About 74% of respondents say they have allocated less than $50,000; 16% say they have allocated between $50,000 and $99,999; 8.3% between $100,000 and $499,999; and 1.8% say they have set aside between $500,000 and $999,999.
CFOs and other top finance executives play an important role in how all that money gets spent. About 42% say they approve the final purchase for cybersecurity products, 36% work with information technology to select the brand solution, and 26% identify the need for such products. Surprisingly, almost one fifth (22.4%) say they are not at all involved in the cybersecurity product purchasing process.
CFOs represented 35.8% of the survey respondents from small and midsize businesses; controllers, 13.3%; owners, 10%; directors of finance, 6.2%; and vice presidents of finance, 2.2%. Thirty-eight percent of respondents have revenue of $10 million to $49.9 million; 24% have revenue of $1 million to $9.99 million; 22.2%, less than $1 million; and 16%, $50 million to $99.99 million.
Finance executives at small and midsize companies represented 233 of the total 362 respondents to the email survey conducted by CFO from February 3 to February 24, 2016. The survey did not use scientific sampling.