Small to medium businesses face outsized cybersecurity risk

Weak corporate governance is a cybersecurity threat, research group says.

News built for finance pros

CFO Brew helps finance pros navigate their roles with insights into risk management, compliance, and strategy through our newsletter, virtual events, and digital guides.

Weak corporate governance, a marked lack of cybersecurity talent, and a lack of investment are among the biggest cybersecurity threats in 2023, according to a new study released in February.

The study by The Bipartisan Policy Center (BPC), a Washington, DC, think tank made up of a cross section of business interests, government officials, and cybersecurity advocates, identified eight major cybersecurity risks in 2023, some of which fall directly on the CFO’s desk.

The study found that many organizations lack effective cybersecurity governance and cybersecurity-dedicated positions like a chief information security officer (CISO). The problem is especially acute for small to medium-sized businesses, according to the report, and many companies have not added “cyber-savvy talent to corporate boards and senior leadership positions,” leaving many “lacking the infrastructure and expertise to counter cyberattacks adequately.”

Responding quickly to cyberattacks is critical in containing their damage, but the study also found that the disconnect between frontline cybersecurity staff and executives created by organizational bureaucracy can slow or confuse responses to cyber incidents.

The study also found that companies have failed to adequately invest in resilience against cybersecurity disasters, creating another significant vulnerability. According to the BPC, they face significant risk because of an ongoing failure to invest in current technology, an overreliance on outside parties, and a lack of quality data. Firms have not engaged in enough disaster preparedness, recovery, and business continuity planning for when a cybersecurity incident occurs, according to the BPC.

In addition, a shortage of qualified cybersecurity professionals is posing a risk to companies.

The study also lists geopolitical instability, global economic uncertainty, confusing regulations, creaky infrastructure, and a cyber arms race as other macro cyber risks in 2023.—DA
