25.04.2022 Hybrid work and cyber security: 4 trends among SMBs

by Katie Yahnke

How do small business owners feel about hybrid work and cyber security two years after the COVID-19 pandemic upended workplace norms?

We set out to answer this question in early 2022, commissioning OnePoll to conduct a survey, The Pros and Cons of a Hybrid Workplace. OnePoll asked 1000 respondents across the US a series of questions on hybrid work, focused on the state of their cyber security.

Here are some of the key findings.

1. Small business owners unsure about hybrid work

The results reveal that business owners have mixed feelings about hybrid work arrangements.

Most respondents—70% in total—agreed that working from home brought new business opportunities they would not have had before. The top three reported benefits of remote work are:

  1. Having flexible hours
  2. Working in a more comfortable environment
  3. Better work-life balance

However, respondents also reported being busier than ever. Nearly half agreed they wear more hats now than before the pandemic, taking on additional roles such as marketing or sales. We also asked if running their business primarily from home was more challenging than they thought it would be, and 48%—again, nearly half—agreed.

Survey respondents said their three biggest challenges have been:

  1. Business disruption
  2. Lack of marketing and exposure
  3. Privacy concerns

These mixed feelings aren’t exactly new. Studies show that on-site workers spend less time on work-related communications. They also have a shorter workday and a clearer distinction between work and home. Remote workers, however, find their teams more supportive and accepting of innovative ideas, and less “gossipy.”

Clearly, any work arrangement has advantages and disadvantages, and the right approach comes down to each person’s unique circumstances. When we asked whether they plan to keep their business in-person, remote, or hybrid, the results were fairly split:

  • 32% chose in-person
  • 29% chose remote only
  • 39% chose a hybrid mix

2. Small businesses see more cyber attacks on hybrid workplace

We asked respondents if they’d seen a change in the number of cyber attacks on their business and, if yes, whether it increased or decreased.

Almost 50% of respondents claimed to notice no change, while another 25% were unable to answer. Of those who saw a change in the number of cyber attacks, almost twice as many reported an increase than a decrease.

This data is particularly interesting as many other studies have confirmed significant increases in the number of cyber attacks since early 2020. One report found a 62% increase among smaller organizations in the UK, while another study from Canada found that the number of ransomware attacks soared 151% from 2020 to 2021. No matter industry or location, cyber attacks appear to be increasing while threat awareness is not for many smaller businesses.

There’s no debate that hybrid work introduced new cyber security vulnerabilities, including reduced network visibility, an expanded threat surface, and physical security risks.

No matter industry or location, cyber attacks appear to be increasing while threat awareness is not.

Canadian firm and Field Effect customer, Sirius Financial Services, experienced these changes. “In a flash, we went from working onsite in offices and collaborating in person with clients and business associates, to relying purely on exchanging sensitive data through emails, phone calls, and video meetings,” said Susan St. Amand, the company’s founder.

“This requires stringent cyber security controls to make a safe transition to a remote work environment and ensure communications are secure and encrypted from end to end, files can be stored safely, and confidential data remains private.”

3. Majority of respondents reportedly unaffected by cyber threats

The survey found that most small business owners are concerned about a range of cyber threats while simultaneously reporting they have been unaffected by them.

We asked respondents about their experiences with various threats, including cyber attacks such as phishing emails and vulnerabilities such as weak passwords. The results were consistent: most respondents said they were concerned about but not affected by these threats.

Table: Row Header 1 'Phishing Emails', Columns '20% affected', '56% concerned', '8% never heard of', '16% unsure' - Row Header 2 'Weak Passwords', Columns '24% affected', '55% concerned', '6% never heard of', '16% unsure' - Row Header 3 'Insecure Wi-Fi', Columns '15% affected', '56% concerned', '8% never heard of', '21% unsure' - Row Header 4 'Malware Attacks', Columns '20% affected', '55% concerned', '9% never heard of', '16% unsure' - Row Header 5 'Traffic Interception', Columns '13% affected', '48% concerned', '15% never heard of', '23% unsure' - Row Header 6 'Zero-day Exploits', Columns '11% affected', '37% concerned', '29% never heard of', '24% unsure'

That said, the sheer volume of attacks on SMBs suggests that optimism bias may play a role here.

Optimism bias is the tendency to underestimate one’s likelihood of experiencing adverse effects while overestimating the likelihood of experiencing positive ones. The prevalence of optimism bias in cyber security and its impacts is well-documented.

This is a problem because being overly optimistic about one’s level of cyber security risk and the odds of being targeted can leave businesses and individuals more vulnerable to attack.

Another curious trend centred around respondent age. While comparing responses between the younger (18–42) and older cohorts (43–67), two trends emerged:

  • Younger respondents were more likely to report being affected by various cyber threats than older respondents, averaging 22% and 8%, respectively.
  • Older respondents were more likely to report being concerned about, but not affected by, cyber threats than their younger counterparts, averaging 56% and 37%, respectively.

These results may indicate that older respondents view their cyber security more favourably than younger ones, or they have less understanding of what’s happening on their networks.

4. Cyber security education and awareness still needed

We asked respondents if they believe an incident response (IR) plan will minimize the impact of a cyber attack. Only 56% agreed with this statement, while 36% neither agreed nor disagreed and 8% of respondents disagreed.

Crunching the numbers means that over 400 respondents don’t believe that proactive planning will help them out when—not if—they’re targeted.

No one wants to experience a cyber security incident, but the unfortunate reality is it can happen to any organization, big or small. When a cyber incident occurs, time is critical. The more time an attacker has to wreak havoc in your IT environment, the greater the potential impact.

Implementing an IR plan helps organizations mitigate the frustrating delays and costly downtime caused by cyber incidents. By identifying and documenting key IR details—including assigned roles, processes, and scope—you can decrease recovery time and the associated costs of an incident.

Survey results show that this isn’t the only misconception among small business owners:

  • 14% of respondents do not view cyber security as a strategic part of their business.
  • 13% believe there is no direct tie between customer confidence and data privacy.

Based on these results, there’s still room to educate owners on cyber security and how it impacts business.

What can small businesses do about hybrid work and cyber security?

The idea that small businesses are rarely or never targeted is one of the most harmful myths in cyber security.

Matt Holland, Field Effect’s Founder and CEO, explained this in a recent podcast. “Smaller companies are often more appealing targets for cyber attacks because they have the same assets as large enterprises but lack the resources to protect them,” he said. It’s true—smaller businesses might struggle to afford the tools big corporations use to protect their similar infrastructure.

The idea that small businesses are rarely or never targeted is one of the most harmful myths in cyber security.

For André Martin, Co-Managing Partner at Mann Lawyers LLP, the new risks from hybrid work increased his team’s need for strong cyber security. “Enabling a hybrid work environment brings security risks,” he said. “Because of this, we have been especially vigilant about best security practices and proactive defence measures.”

SMBs looking to take a more proactive approach towards their own security should prioritize reducing their threat surface. Attackers look for quick wins; they want to put in the minimum effort and get the maximum return. SMBs want to make attacking their business time- and resource-consuming, so the cyber criminal sees it as a poor “investment.”

Another essential step is to improve visibility so that when suspicious activity occurs, you can detect it. Hybrid work environments cannot rely on network monitoring alone, so endpoint and cloud protection are vital. Covalence combines network, endpoint, and cloud security to keep businesses safe from the widest range of cyber attacks and vulnerabilities.

Want to learn more about cyber security, hybrid work, and optimism bias among small businesses? Get your free copy of the white paper now.

Author

Katie Yahnke

 

Request Demo

Fill out the form and we will send you details about our demo.