A Big Threat for SMBs: Why Cybersecurity is Everyone’s Responsibility


Think security is only a job for your IT team? Think again. To help your small business avoid a cyber attack-induced ending, it’s time to rethink how your entire team can protect your organization. Denise Schroeder, former VP of product innovation of Carbide, shares how.

It’s hard to go a week without learning about a new cyberattack. And while it is often the Fortune 500 companies that draw the most media attention (Marriott International, Morgan Stanley, T-Mobile, Target, and more), small businesses are under more frequent threat and have much more to lose…such as their entire business.

According to the 2022 Data Breach Investigations report from Verizon, last year, 61% of small businesses admitted they experienced a cyberattack. Figures from IBM show those incidents are incredibly costly for small to medium-sized businesses (SMBs), defined as having fewer than 500 employees. The average cost per individual incident is a whopping $3M. Unfortunately, that level of expense usually means the end of the line for many. It’s likely no coincidence that nearly 60% of small business owners believe they can resolve a cybersecurity attack. Yet, exactly 60% of them go out of business within six months of such an event.

Those frightening statistics make it very clear that cybersecurity is a company-wide issue. It impacts everyone across every department and every element of operations. Cybersecurity is a collective responsibility. During this Cybersecurity Awareness Month, let’s debunk the pervasive misconception that cybersecurity is strictly an IT issue.

To avoid becoming a statistic, SMBs need to develop a security culture that reinforces the idea that cybersecurity is the responsibility of every team member. From the founder who sets a security-focused tone to the specific teams that implement the policies, to the HR department responsible for onboarding new employees, to the IT team setting system password requirements, and to every employee that can potentially open a phishing email triggering a security incident, it’s a collective effort to stay aware. All individuals need to be trained, vigilant, and engaged. The devil is in the details, as it’s the tools, tasks, and routine activities each team member performs that will protect the company.


Making Cybersecurity a Team Goal

Here are four ways to ensure everyone in your organization understands cybersecurity is a team effort.

  1. Commit to ongoing education and awareness: Cybersecurity awareness training should not be limited to once a year! Take the time to not only educate but also train employees on the policies and procedures in place. For example, don’t rely on annual training videos that state and re-state obvious information. If cybersecurity is a priority for your organization, you want to do more than “check the box” when it comes to security training. Leverage real-life examples, games, and good old-fashioned storytelling customized to your organization, or even individual departments, to capture the attention and interest of your employees. Make helpful materials and resources easily accessible and ensure everyone on your team knows who to contact if they have questions or concerns. 
  2. Explain the “why” behind your policies and controls: Organizations often put controls in place but don’t take the time to let their employees know the controls exist or why they exist. If you want to build a culture of security advocates, bring them into the fold, articulate your reasoning, accept feedback, and showcase your security best practices. This level of open communication instills trust. Employees should never feel shy about reaching out if they have questions or concerns but rather feel like they are part of a team on the lookout for a potential incident, unusual activity, or breach. Encouraging communication and participation between colleagues and departments will ensure your assets are protected daily. 
  3. Know where your assets live and who is responsible for them: Every asset within your organization, from laptops and mobile devices to wireless printers and unused apps, can present a potential vulnerability. Therefore, every member of your organization must understand the risks and best practices required to handle data, devices, and systems securely. A great first step is to develop a map of your key data and technology assets. Identify the types of data being collected, processed, and shared as well as the systems and physical assets within your organization. After creating this asset map, ask who is responsible for the data and technology and who safeguards it. What’s required to protect it? The answers may surprise you.
  4. Consider a company-wide risk assessment: Building out a risk profile is often something SMBs are hesitant to complete in favor of “high priority” activities. It’s a little like buying life insurance: no one wants to think about it, but it’s best to be prepared for the worst-case scenario! Understanding your risk profile is a critical factor in the effort to safeguard your organization. A comprehensive risk assessment will allow you to gain a better understanding of the threats and vulnerabilities that exist specific to your organization. After all, it’s challenging to protect your business from threats you don’t know exist! Once you identify where the vulnerabilities are – whether it’s via systems that have not been updated or uncovering recent phishing tactics – actions can be taken to address these weak points and optimize your security program throughout the organization. Most importantly, evaluating risk on a regular basis provides awareness of evolving threats and ensures it remains a company-wide initiative.

Battling Cyberthreats Together

Small businesses are the number one target for hackers, perceived as underprepared and ill-informed. The industry narrative has long been that your team is your greatest vulnerability. And while that is partly true, given a majority of breaches result from human error, the reality is that it is far more nuanced than that. 

To keep your organization out of harm’s way, focus on building security into the very DNA of your operations – don’t leave it up to your IT team alone. Instead of keeping security in a silo, empower the entire organization with knowledge and leverage employees as your first line of defense against cyber threats. It’s time to use your entire team as your company’s greatest asset in preventing cyber attacks.
