No business is too small to be safe from cyber-attacks
Small and medium-sized business owners who feel immune to cybercrime because they are “too small” or “obscure” are being proven wrong – with potentially catastrophic effects for their companies.
Sixty-one percent of small and medium-sized businesses suffered a breach in the past year, according to the 2017 State of Cybersecurity in Small and Medium-Sized Businesses report sponsored by Keeper Security and conducted by the Ponemon Institute. Fifty-four percent reported a data breach that involved an average of more than 9,000 records containing sensitive information about customers, potential customers, or employees.
Nearly half of the attacks aimed at small companies were phishing/social engineering or web-based. Many of those unleashed frightening ransomware attacks: more than 54 percent of small businesses reported more than two ransomware incidents within 12 months, the study said.
Perhaps most alarming, many small businesses are also unprepared for the staggering costs that follow a major breach. The average price tag that small and medium-sized companies face for damage or theft of IT assets and infrastructure has exceeded $1 million, Ponemon reports. The price tag for disruption to normal operations: an average of $1.2 million.
Small companies also struggle to bounce back from the lost business and reputational harm after angry customers blame them for allowing hackers access to their information. Not surprisingly, the Securities and Exchange Commission estimates that half of the small businesses that suffer a significant cyber-attack are forced to close within six months.
Nearly half of cyber-attacks target small companies
But even though hackers have breached more than half of the 28 million small businesses in the United States, most small business owners are still not making cybersecurity a priority. Headlines filled with news of large-scale attacks against mega-sized companies like Equifax, JPMorgan, and Target have convinced them that cybercriminals are focused on grabbing copious amounts of personal data and credit card numbers at once.
Nearly 90 percent of small business owners don’t believe that they are at risk of a cyber-attack, according to a Manta Trends survey. One in three small businesses don’t even have basic tools – firewalls, spam filters, antivirus software and data encryption programs – to protect themselves, the survey reports.
Clever hackers are gleefully taking advantage of this attitude by aiming nearly half of cyber-attacks – an average of 4,000 a day – at companies with fewer than 250 employees. The minimal funds spent on data defense and a lack of skilled cybersecurity staff make small companies a soft target for hackers to penetrate. Even more tempting, small businesses also aren’t likely to maintain resources like audit logs needed for forensic analysis and admissible evidence – decreasing the chances that hackers will be caught.
Criminals know this – and those who might shy away from attacking giants like Home Depot are setting their sights on Main Street America. The payout may not be as big, but it’s much easier work and there is plenty of credit card, customer, and employee data to steal that can be used to make purchases, take over accounts, steal identities, file for fraudulent tax refunds, commit health insurance or Medicare fraud, and more.
Ransomware: An emerging threat
The Target breach of 2013 shows that hackers have realized that small businesses can also be a golden ticket into bigger opportunities. Cybercriminals gained access to Target’s network by stealing credentials from a small HVAC vendor.
Another increasing threat comes from ransomware, as savvy hackers bank on the fact that small companies can’t afford to investigate a cyber-attack but will desperately pay ransoms that aren’t too high to regain control of their data and computer systems. While big companies can recover from losing critical data and days of operation, small businesses may suffer fatal damage. Fifty-eight percent of small business owners believe that ransomware is a serious financial threat but only half say preventing it is a priority, Ponemon reports.
“Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses,” states the SEC report. “The reason is simple: Small and midsize businesses are not just targets of cybercrime; they are its principal target.”
Outsourcing cuts costs
The federal government hopes to offer support for small companies that feel daunted by cybersecurity concerns with the Main Street Cybersecurity Act. The bill, which passed the Senate in September, would create a voluntary cybersecurity framework for small businesses.
But many small business owners say they have neither the budget nor the staff to implement best cybersecurity practices. A critical shortage of cybersecurity workers nationwide makes it difficult for small companies to compete for the best employees. Seventy-three percent of small business owners report a critical lack of cybersecurity skills within their organization, and 56 percent worry that they don’t have the funds to make cybersecurity a priority, Ponemon reports.
Nearly half assert that even if they tried to protect their systems and data, they have no idea how to begin. More and more are turning to reputable cybersecurity providers to protect their businesses from cybercrimes. While this comes at a cost, the price tag is drastically less than the fallout of a data breach. Outsourcing also saves companies money, as hiring a skilled provider costs much less than hiring, training, and buying equipment for in-house employees.
Cybersecurity providers offer a range of services to fit the budget and needs of small companies, including automating security checks, providing encryption services, managing firewalls, creating incident response plans, performing risk assessments and monitoring events. They are also up to date on state and federal cybersecurity regulations such as the new law in New York and can help make sure companies implement any necessary policies and procedures to achieve compliance.
Perhaps most important, cybersecurity providers will train a company’s staff on digital security measures, such as creating stronger passwords and spotting suspicious communications. Fifty-four percent of small business owners said negligence by unsuspecting employees opened the door for a data breach, Ponemon reports.
Attacks against small businesses have become alarmingly frequent and sophisticated, and no company is too small or off the radar to be safe. Cybersecurity providers are trained to vigilantly monitor the latest threats and are much better equipped to shut them down than small business owners armed with antivirus software or a single IT employee. Best cybersecurity practices are not difficult to achieve and go a long way toward convincing hackers to move on to easier targets.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.