“The typical cyber-criminal is rather like your common thief: he will go for the window without security locks. There is a high element of opportunism.” - Thomas Naylor
It’s tempting to think that hackers focus their attention on Fortune 500 companies, government institutions and banks. However, with almost half of cyberattacks focused on small businesses, it’s clear that those folks have lulled themselves into a false sense of security.
Ask any Managed IT Services provider who provides tech support for hundreds of small businesses, and they will tell you the number of security breaches is definitely on the rise. Many have not put the proper security precautions in place, often due to perceived cost.
Numerous studies published in recent years reveal sobering, if not chilling, statistics around cybersecurity threats. For starters, one report asserts that the global cost of cyber crime is set to hit $6 trillion by 2021. According to Verizon’s 2020 Data Breach Investigations Report, 43% of cyberattacks targeted small businesses.
The recent COVID-19 pandemic has only increased these attacks. Nearly 40% of small business owners believe they have been targeted with malicious coronavirus spam emails, according to an IBM Security study.
The figures are as surprising as they are alarming. Why the interest in smaller companies? What could they possibly have to offer hackers?
Small Businesses Are Stepping-Stones
In 2013, Target was hacked and the credit and debit card details of approximately 40 million customers were stolen. The incident was one of the biggest data breaches to happen to a US retailer in the history of cybercrime.
With a total equity of approximately $11.3 billion, and with 360,000 employees, the retailer is not a small business.
What makes it relevant to this article is that the now-convicted hacker accessed the retailer’s network by hacking an HVAC small business and stealing the details it used to access the Target network.
This illustrates one of the reasons hackers target small businesses – they often are stepping-stones to bigger businesses, some of which may be Fortune 500 companies.
Small Businesses Are Soft Targets
There’s no doubt that many hackers dream of pulling off something much bigger than the 2013 Target hack. Whatever their hopes and dreams are, they also know that big companies are not only cybersecurity conscious, they have the resources to ensure they are protected.
Those same hackers also know that many small businesses are soft targets. Smaller companies generally do not have the knowledge or the resources to protect their data, which can come in handy to cybercriminals.
An example of this occurred in 2009, when hackers stole $588,000 from the bank account of Patco Construction, a family-owned company based in Sanford, Maine.
What can make it easier for hackers to access that data is that numerous smaller companies use cloud services for their online business; and unfortunately, not all cloud services use encryption services to protect data.
Small Businesses and Spear Phishing
Given the lack of technical know-how that is characteristic of many small businesses, it’s not surprising that they are easy targets for spear phishing.
This fraudulent practice usually sees cybercriminals sending emails that claim to be from someone else – usually someone the recipient knows and trusts. The emails usually include an attempt to get the recipient to reveal personal or other sensitive information.
Hackers may be able to use that information to hack the company’s network or the recipient’s online banking profile. Considering the amount of personal information people reveal through quizzes on Facebook, and how accessible many people’s profiles are, it can be easy for cybercriminals to masquerade as someone known to the recipient of a spear phishing email.
Small Businesses and Personal Details
While the HVAC company hack in 2013 was all about getting into the Target network in order to steal the credit and debit card information of millions of customers, not all small business hacks have such big targets as a goal.
Even smaller companies have sensitive data that hackers can use in different ways.
For example, almost every small business keeps various employee details on file. Such details may include identification data, social security numbers, debit/credit card numbers, bank details, and health records.
Some hackers have no use for such information themselves, but they are happy to sell it to third parties.
The Lack of Digital Defense
If a greater number of small business owners and decision makers were aware of the statistics and examples of hacking incidents, there would probably be more than 14% of them ready to defend themselves against cyberattacks.
Keeper Security’s 2019 SMB Cyberthreat Study found that as many as 66% of decision makers did not think their companies were at risk of being targeted by hackers.
Instead, smaller companies continue to face an onslaught of attempted and successful hacks, with as many as 4 in 10 experiencing more than one incident.
What makes this all the more sobering is that, on average, cyberattacks such as hacks are not noticed for 100 days or more from the time they start.
This is not surprising, considering that the same study found that 6 in 10 businesses and their decision makers did not have a cybersecurity plan in place.
The Cost Can Be Considerable
For a small business, the cost of being hacked goes far beyond any money hackers steal from their bank accounts.
There also are the costs of getting professionals to sort out the security breach, and there is the cost of the delay in operations.
Malwarebytes found that, in 2017, approximately a quarter of smaller businesses were forced to stop operations completely due to ransomware attacks.
The high cost of the clean-up, as well as the loss of revenue, means that as many as 60% such businesses close for good.
What Can Be Done To Prevent Cyber Attacks?
There are various strategies that small businesses can implement to combat the threat posed by hackers. These include:
- Ensure all employees are trained with regard to cybersecurity
- Make sure firewall and anti-virus software is updated regularly
- Use data encryption tools like VPNs
- Regularly scan devices that are connected to networks or computer systems
- Forbid employees from using removable media such as USB drives on company computers.
- Limit employees’ access to files that are not required in the performance of their assigned tasks
It’s clear that hackers don’t just go after a business based on its size. Small businesses are targeted for good reason, and it’s up to owners to think big and put safety measures in place that will stop cyberthreats in their tracks.
To learn more about your Managed Security Services options, download our Cyber Security Solutions Overview which will provide you with an overview of key security services that you should be considering.