The most recent Principal Financial Wellbeing Index found that more than 1 in 4 businesses surveyed experienced a cybersecurity attack in 2021, and more than half of those attacks were successful.
In about one-third of the attacks, ransomware was involved and hackers were able to access confidential data. The businesses’ systems were rendered unusable in 43% of the attacks.
Businesses are becoming more aware that cybersecurity is an issue that needs ongoing attention, the index showed. More than half of those surveyed said they are spending “a little more” or “significantly more” on cybersecurity measures, and 43% are spending the same amount.
Principal hosted a webinar on Feb. 3 to further discuss the implications of the index’s results for small to medium-sized businesses and ways those businesses can best protect themselves.
Meg Anderson, vice president and chief information security officer at Principal, and Karen Evans, managing director of the Cyber Readiness Institute, participated in the webinar as panelists.
Here are key takeaways and quotes from Anderson’s and Evans’ answers:
What are we seeing happening right now in the cybersecurity space for small businesses?
Anderson said 2022 will likely be “another eventful year” for cyberthreats, with ransomware and the effects of attacks on third-party suppliers being the two main threats for small businesses to watch. Evans said what businesses are currently experiencing is evidence of the threat landscape evolving.
“[Principal’s] findings bear out that that shift that we’re seeing in that threat landscape, and a lot of this is really directly related to, I believe, the change in the work environment, the school environment, small business overall, due to the pandemic, and everyone has become very flexible, which means that all of us have thought more about that balance of how do you build that balance between [having all people and services] online against the risk.”
What can employers do to best educate their employees so that they aren’t adding to the level of risk that exists already?
Evans said to focus on the four basic cyber hygiene areas: strong passwords, multifactor authentication, updating systems regularly and phishing. Anderson recommends making cybersecurity education and trainings fun and engaging for employees and bringing in guest speakers to learn from other companies. For engaging employees and continuously managing cyber risks, it’s important to create a culture around cybersecurity so employees start to think about how it relates to every part of the business, Evans added.
What are the cyber readiness implications of hybrid and remote work?
Anderson said “if you haven’t planned strategically for how hybrid work or work from home is going to work for your business, now is the time” and offered three suggestions, including ongoing education of staff.
“[First is] access to your information; do the right people have access to the right things? And are you appropriately restricting access to people who don’t need it? Because when a fraudster gets credentials, or gets access, they do it typically through a person,” she said. “The second thing is making sure all of your information is protected in your applications, and many companies are using cloud-based applications. So understanding how is the cloud company providing the service of that application, protecting your data? Do you understand that? Is it time to maybe check the configurations or have a meeting with that third party?”
The Cyber Readiness Institute offers free programs and tools for businesses, including the Cyber Readiness Starter Kit, the Cyber Readiness Program and the Cyber Leader Program. More information is available at cyberreadinessinstitute.org. Principal’s report on the findings from the Wellbeing Index can be found at this link.