SMB Owners Lax About IoT Security Risk

For smaller firms, the IoT has its lures and its dangers.

The Nationwide fourth annual business owner survey released at the end of last month, which surveyed 1,000 small and mid-sized business owners about their views on cybersecurity, found that an overwhelming majority – 91 percent – use connected technology. But 48 percent of those surveyed are “unconcerned” that devices – ranging from sensors to drones and used across any number of verticals – may boost their likelihood of cyberattacks.

Amid the increased vulnerability, and dismissal of it, in an interview with PYMNTS conducted via written response, Tim Nunziata, director of E&S Specialty at Nationwide, acknowledged that “the appeal of this technology is efficiency … It also creates a greater ease of doing business through 24-hour monitoring and access to real-time data that’s centralized on a server. Automation also provides the ability to aggregate data. That means multiple people aren’t reading monitors and sensors trying to make sense of it.”

Amid the streamlining there also lies risk. Nunziata said that the same technologies that report back to a server render firms vulnerable to hackers as they offer up more points of access.

Consider the melding of the old and the new – drones used in agriculture, as illustrated by Nunziata. The American Farm Bureau has estimated that roughly 75 percent of commercial farmers have IoT technologies in place, but less than 5 percent have plans in place to deal with breaches. And the farmer who uses drones to help monitor operations – yet may not be able (or might not know how) to take steps needed to secure his or her server – is rendered vulnerable.

The Vulnerabilities of Retail (and Other Sectors)

And of course, said Nunziata, “when we think about retail businesses, the point of sale is always a concern.” Despite the advent of chip technology in credit cards, which has improved security, bad actors continually look to circumvent systems in place. And as Nunziata noted, the aforementioned connectivity means that “outside of a malicious attack on a corporation or individual, targeted attacks on a specific person or company are becoming less common. What’s more common is a broader cyberattack that is inclusive of multiple firms or individuals … Those attacks can completely wipe out a small company.”

In addition to scrambling to deal with the fallout of compromised data, SMB owners can also be left vulnerable to ransomware demands.

“Nationwide’s survey also found that one-third of cyberattacks cost business owners $50,000 or more to recover from, and nearly half (45 percent) report spending three months to five years to resume normalcy,” said Nunziata.

His comments come against a backdrop where the warnings of IoT vulnerability come from other observers. This week, data from a Princeton University study showed that hackers were able to take control of washing machines, air conditioners and other connected devices and manipulate power demand across the grid, causing blackouts.

Nunziata told PYMNTS that in analyzing access points left exposed in hardware, “if businesses can think about data through the lens of segmentation, you can mitigate impact before an attack happens. For example, if your home was burglarized, just because thieves get in the front door doesn’t mean they should be able to access every room inside the house. Firewalls and added protection on health records, for example, are a way to further segment and limit the information” that is exposed.

Easier said than done, perhaps, as the Nationwide survey also found that 65 percent of SMBs do not have a dedicated employee or vendor in place to monitor cyberattacks.

“It’s also hard to protect against what you don’t understand,” said Nunziata, who noted that SMB owners exhibit a 41-percentage-point awareness gap of the definition of a cyberattack. Roughly 9 percent of respondents said their business was a cyberattack victim when asked directly, yet when given a list of cyberattacks to choose from, that number jumped to 50 percent.

“Business owners often focus more on implementing technology and the effect that streamlining business processes can have on their bottom line, without taking the steps necessary to secure their system,” he told PYMNTS.