According to Accenture, 43% of cybersecurity attacks target small businesses, yet only 14% of small businesses are prepared to defend against them. These incidents can have huge financial implications, with serious attacks routinely costing companies $200,000, according to the insurance provider Hiscox.

That’s why Pamela Gupta, founder and president of OutSecure, is committed to helping businesses and organizations understand online risks.

“Every 2.5 hours a company is hacked,” Gupta says. “Without a strategic program created to identify risk and exposure as well as a deep understanding of disruptive technology, organizations are going to have severe impact on business and society at large.”

We linked up with Gupta to discuss the five most common cybersecurity misconceptions and ways small business owners might avoid them.


Misconception #1: "My Business is Too Small to Be a Target"

In today’s cybersecurity landscape, everyone is fair game. You may not be directly targeted, but your business could be caught in the crossfire. “When perpetrators are writing scripts and programs to see what services are available on the internet where can they get a foothold into the system, they don’t care whether it belongs to Aetna — a big company — or another small business. They run automated programs to do these deductions. If they find it, they’re going to go in.”

Gupta’s Solution: “The first thing to do is to take a look at your business and see what can be monetized by a perpetrator,” Gupta says. “Whether it’s your ‘secret sauce,’ your relationships with other business partners, etc., what are the key points in your business that can do you harm if they fall in the wrong hands?”


Misconception #2: "IT Services Are a 'Nice-to-Have' Not a 'Need-to-Have' for My Small Business"

Small businesses with limited cash flow often prioritize everyday operations over information technology needs. But neglecting this important area leaves your business vulnerable to digital security threats.

Gupta’s Solution: “In order to avoid the pitfall of not having the right resources or skill sets, small businesses need to allocate a budget for cybersecurity and not look at it as the cost of doing business,” says Gupta. “If they want to have email, or a website — even if they’re not doing e-commerce — they have to be aware that someone can compromise their systems or their data. They should have someone in the company that owns the security function.”



Misconception #3: "My External IT Provider Has Everything Taken Care Of"

External IT providers can be convenient and cost-effective, but it can be a big problem when bad actors have remote access to your systems through a third party.

Gupta’s Solution: “Different companies face different threats, and every executive seeking to mitigate their companies’ cyber risk must start by understanding the cyber threats facing their company. Have someone that can take a look, and do the assessment on if there’s a risk in the way they’re operating their business.”


Misconception #4: "My Business Is Compliant, Therefore My Business Is Secure"

You can be technically compliant but still at risk. In 2014, Target, which was compliant with the standards of the Payment Card Industry (PCI) Security Standards Council, experienced a massive data breach that cost the company hundreds of millions of dollars. Their CEO was even let go for the lack of risk governance.

Gupta’s Solution: “You need to create a strategy that looks beyond compliance standards to ensure you’re not at risk of a significant breach,” she says.


Misconception #5: "My Cyber Insurance Will Take Care of Any Unexpected Situations"

Cyber insurance can help pick up the cost if there’s a data breach ransom, but to get cyber insurance, you have to show the insurer that you understand what the risks are in your company. Insurers will not extend your business coverage if you don't take steps to understand potential threats and do your best to protect against them.

Gupta’s Solution: “Make sure you have security in place first,” she says. “Cyber insurance is a good option, but you have to be extremely clear on what kind of insurance you’re getting, because there are a lot of caveats. For example, they will not pay if there’s an act of terrorism. Be clear on the policy's terms and conditions.”

