There are a lot myths circling the drain. Many of them regarding cyber security and small businesses. Too often I hear \u201cwe are too small to get attacked\u201d or \u201cwe don\u2019t have anything they want.\u201d My favorite is \u201cwe cannot afford to dedicate resources to cyber security.\u201d A recent Ponemon study revealed 10 facts that dispel these myths and many others.1. Web servers and social engineering are your biggest threats.Web based (49 percent) and social engineering (43 percent) attacks account for over 80 percent of those experienced by small businesses. SQL injection, general malware, and compromised\/stolen devices round out the top five.2. Employees and contractors are the problem.Negligence by employees and contractors accounted for 48 percent of data breaches and third-party mistakes accounted for an additional 41 percent. On average each breach resulted in the loss of more than 5,000 individual records. To further complicate matters, the small businesses surveyed were unable to determine the root cause.3. Customer information and intellectual property are high value targets.Providing a service is not an indicator of value. After all, any person or company can provide a service. Just like any tech manufacturer can make a computer. However, how many of them provide the perceived value of Apple. Why and how you provide your service represent your intellectual property. According to Ponemon, 49 percent of SMBs worry about protecting their intellectual property. As important as that may seem preventing the loss of client information is an even higher priority. Sixty-six percent of those surveyed said protecting customer information was more important.4. Got a strong password?Proper password use and management could severely mitigate potential threats. Yet, 59 percent of small businesses lack awareness of employee password complexity practices. Implementing password complexity requirements is something you must start enforcing now!5. Policy enforcement is not an option.Sxity-five percent of those surveyed don\u2019t enforce their password policies. A policy absent enforcement is nothing more than a suggestion!6. Attacks are a cost of doing business.Attackers can and will defeat many security systems. It is a fact and once we internalize and come to grips we can develop an effective play for prevention, detection, and eradication.7. Managed service providers must be managed.Thirty-four percent of security operations are managed by third-party providers. This does not mean you can forget about these tasks. In fact, due care and due diligence require you to check the checker.8. Senior leaders must champion priorities.Thirty-five percent of those surveyed reported no one championed priorities in their organization.9. At a minimum client firewalls and anti-malware solutions are a must.If you can\u2019t do anything else implement client firewalls and anti-malware.10. Use biometrics to secure mobile devices.Passwords can become unmanageable over time. Too many passwords for too many sites and people have trouble remembering. Then they start using old passwords for multiple sites\/devices which creates more security vulnerabilities. Biometrics offer a potentially easier (for the small business) way to protect mobile devices.Still think you cannot afford to implement or upgrade your cyber strategy? If so ask yourself this question: Can you afford to lose $2 million because of an incident? That was the average cost to small business who experience a cyber incident, according to the Ponemon study.