Small businesses have become bigger targets for cyber criminals over the last several years. Their networks are less secure than those of larger companies and are easier to penetrate. According to recent reports, small businesses are three times more vulnerable to cyber threats than large corporations.
Many companies fail to take appropriate steps to prevent a breach because it’s hard to evaluate the return on investment when you don’t know the costs of a hack until one has occurred. Regular headlines about recent large-scale attacks reinforce the assumption that data breaches are a concern for large organizations. Perhaps because of that focus on large organizations, business owners try to reassure themselves by thinking, “I’m too small. Why would anyone come for me when the big guys are the target?”
Business owners need to understand the seriousness of this issue. Cyber attacks on small businesses are not limited to ransomware, data breaches, or malware. They include security, privacy, and operational risks as well. Moreover, 50-70% of ransomware attacks happen to small- and medium-sized businesses (SMBs), where cyber criminals use malware to take control of files and data, encrypt them, and hold them hostage until business owners make a payment to release them.
Especially now, because of changes in the business world and how we work, hackers are doing their best to take full advantage of out-of-date VPNs and unsecured home networks. In 2021, cloud security company Barracuda Networks analyzed millions of emails across various companies. According to their research and analysis, an employee of a small business with fewer than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise.
Why Small Businesses?
Many small businesses struggle to protect their technology assets because of small or inexperienced IT staff, limited budgets, or the belief that it won’t happen to them.
Small businesses simply don’t have the resources to protect themselves against growing threats the way big companies do. Large corporations have both time and money to invest in securing their data and assets. Unfortunately, cybercriminals know this and focus on crushing multiple small businesses rather than spending their time and energy on one big corporation.
Another reason cyber criminals target multiple small businesses and individuals rather than one big firm is the risk to their own security. There’s less risk of getting tracked down or caught when they focus on smaller companies that don’t have the resources or time to look into minor data breaches. In contrast, large organizations have the need and resources to dedicate to an investigation.
What’s the Goal for Hacking a Small Business?
For cyber hackers, large-scale data breaches are mainly about stealing bits of data and then cross-referencing them into databases and creating hundreds of millions of profiles to access private accounts and steal or extort money. By penetrating SMBs, they have a better chance of quickly accessing unprotected data that will deliver a profit. Additionally, they use small businesses as a gateway to get to larger corporations more effectively. That’s one of the main goals for hackers when they target small businesses.
This is what happened in the Target breach. Cyber criminals used a smaller and more vulnerable business partner to access Target’s network system. By tapping into a small third-party contractor for a large enterprise, cyber criminals were able to steal information on 40 million debit and credit cards.
It is estimated that nearly 60% of small businesses shut down within six months of being targeted by cybercriminals. According to a 2019 report, the “Global State of Cybersecurity in SMBs,” 69% of SMBs in the US reported losing sensitive data to cyber attacks. The amount of stolen data is expected to increase to 33 billion records in 2023, based on a study conducted in 2018 by Juniper Research. Stolen data can include names, credit card details, addresses, and even social security numbers.
How Do Hackers Get In?
According to The Week, hackers have tried so many cyber attacks on individuals and small businesses that there’s hardly anyone left in the US who hasn’t been a victim of a data breach directly or indirectly. The first step to protecting your data is understanding where your company might have holes for cyber criminals to enter and the techniques they use to access it.
Phishing includes sending fraudulent messages or emails that appear to be coming from a trustworthy source to get a user’s sensitive information. A study by Cofense reveals that 91% of cyber attacks begin with a phishing email. The reason behind this approach is that criminals think of it as an easy way to penetrate specific cyber-security measures used by individuals and corporations. They can use a variety of “social engineering” approaches to trick the user into clicking on links, opening attachments, or exposing personal information. Phishing attempts continue to evolve and become increasingly difficult to distinguish from genuine communications, making it harder for smaller businesses to protect themselves.
Spoofing disguises a message from an unknown source so that it appears to come from a known and trustworthy source. Email, phone conversations, and websites are the most popular targets for spoofing. Spoofing can also be technical, for example a computer faking an IP address, Address Resolution Protocol (ARP), or Domain Name System (DNS) server.
Phishing attacks are frequently carried out via spoofing. For example, in an email spoofing effort, an attacker uses a message to deceive the receiver into believing the email originated from a reliable source. Typically, these emails contain links to harmful websites or malware-infected files, or they use social engineering to persuade the receiver to hand over critical information.
Hackers use one of these two methods to spoof the sender’s credentials:
- Imitating a reputable email address or domain by substituting letters or rearranging characters so that it looks only slightly different from the original
- Changing the “from” field to a known and trustworthy source’s precise email address
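The two methods above need different checks, shown here as an added example that is not part of the original article. A look-alike domain is caught by comparing the sender's domain with the ones you trust, while an exact forged “from” address is only exposed by the DMARC result your mail server records in the Authentication-Results header. The trusted domains, function names, and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this business really exchanges mail with (placeholders).
TRUSTED_DOMAINS = {"example-bank.com", "example-supplier.com"}
# Look-alike characters folded to the letter they imitate.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def fold(domain):
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def osa_distance(a, b):
    """Edit distance in which swapping two adjacent characters costs 1."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def classify_sender(raw_message):
    """Return 'ok', 'forged-from', 'lookalike' or 'unknown' for one message."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Assumes this header was stamped by your own receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    if domain in TRUSTED_DOMAINS:
        # Exact trusted address in From: only the DMARC result exposes a forgery.
        return "ok" if "dmarc=pass" in auth else "forged-from"
    for trusted in TRUSTED_DOMAINS:
        # Substituted letters (fold) or one changed/swapped character (distance 1).
        if fold(domain) == fold(trusted) or osa_distance(domain, trusted) <= 1:
            return "lookalike"
    return "unknown"

def sample(sender, dmarc):
    """Build a constructed test message; not real mail."""
    return (f"From: {sender}\nAuthentication-Results: mx.example.net; "
            f"dmarc={dmarc}\nSubject: Invoice\n\nPlease see attached.\n")

if __name__ == "__main__":
    for sender, dmarc in [("billing@example-supplier.com", "pass"),
                          ("billing@example-supplier.com", "fail"),
                          ("billing@exmaple-supplier.com", "pass"),
                          ("billing@examp1e-supplier.com", "pass")]:
        print(sender, dmarc, classify_sender(sample(sender, dmarc)))
```

A look-alike domain is flagged even when its DMARC result is "pass", because the sender controls that domain and can publish valid records for it.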
Protecting Small Businesses Against Cyber Attacks
According to Keeper Security’s 2019 Cyber Threat Study, 6 out of 10 small businesses have no digital defense plan to prevent cyber attacks. With time, small businesses grow their online access and presence but forget to implement the necessary steps to secure their business data. Increased online traffic puts small businesses at greater risk of data breaches, malware, and identity theft.
According to SCORE, in 2018, cyber attacks against small businesses resulted in an average loss of $34,604. Additionally, there’s usually a delay between when an attack occurs and when the business learns that it has occurred. The average time it takes to discover a breach is 191 days, which means that repeat attacks can occur.
There are some simple steps that SMBs can take that will help improve their security against possible cyber threats. These actions don’t require many resources or a large budget and will provide improvements immediately.
- Assume you will be a target of cyber crime
- Conduct a business risk evaluation
- Change passwords every 3-6 months
- Take an inventory of what’s connected to your network
- Know what your “normal” network looks like so you can spot unusual activity
- Avoid using public networks to access company data
- Train your employees to spot security threats
- Create a business continuity plan
- Back up your critical data
- Install necessary software patches
Fortunately, even with minor changes, SMBs can begin to protect themselves from malicious attacks. If they lack the resources and tools needed to implement security measures, businesses can work with a managed services provider who can assist with tasks that require more skills or resources.
As technology changes, the risk of cyber attacks on all businesses continues to impact business operations and how we work. It’s a mistake for small business owners to believe that they are insignificant to cyber criminals and that there’s no need to implement immediate security measures.
Lack of resources and proper knowledge on the subject have contributed to significant losses. It’s time that small businesses take charge of their business data, money, and assets and take action to secure their business.