Why Do Cyber Criminals Attack Small Businesses?

November 3rd, 2016
Vadim Vladimirskiy, Founder & CEO, Nerdio

Approximately three-quarters of Americans (73 percent) go online every day, four in ten (42 percent) do so several times a day and one-fifth (21 percent) are online “almost constantly,” according to a 2015 survey by the Pew Research Center.

It’s easy to see why: The Internet is a digital candy store filled with delicious sweets for the mind, ranging from obscure facts to travel booking websites to viral videos starring curmudgeonly cats.

Unfortunately, the Internet isn’t restricted to information and entertainment. Along with Wikipedia articles, social media quizzes, cake recipes and celebrity tweets, it’s a hotbed for cybercriminals who can steal your identity, ruin your reputation—and destroy your small business.

The latter scenario is becoming more and more common, according to cyber security company Symantec, whose 2016 Internet Security Threat Report found 43 percent of cyber attacks target small businesses, up from just 18 percent five years ago. A 2016 report by the Ponemon Institute likewise concludes that 55 percent of small businesses have suffered a cyber attack in the past 12 months, and that half have had data breaches involving customer and employee information in the same period.

Such incidents aren’t just inconvenient; they’re also expensive, according to the Ponemon Institute, whose report shows companies spend an average of $879,582 to clean up after a cyber attack and lose another $955,429 due to disruption of normal business operations.

Of all the statistics that exist about small businesses and cyber crime, however, perhaps the most shocking comes from British insurer Towergate, which found that 82 percent of small businesses believe they’re safe from a cyber attack because they “don’t have anything worth stealing.”

If yours is among them, it’s time to face the truth—small business cyber attacks are not only possible, but probable. Here are five reasons why, and what your business can do to protect itself:

  1. Small businesses underestimate their risk.

As Towergate found in its research, small businesses equate size with risk. Because they have more money, customers, intellectual property, trade secrets and data, large enterprises like Target and Home Depot, they assume, are more attractive to cyber criminals than small companies like their own.

That assumption is wrong, however, and actually makes small businesses even more vulnerable, as companies that don’t feel threatened are less likely to spend time and money on cybersecurity measures to protect themselves. In fact, a 2016 report by identity protection firm IDT911 found that 65 percent of small businesses have not budgeted funds for cybersecurity—and have no plans to do so. Cybercriminals realize this, and prey on small businesses because they know most of them aren’t minding their networks.

Solution: The first step toward protecting your business is realizing that your business needs protection in the first place. It’s important to do your homework to understand your risks and vulnerabilities. Asking an IT specialist to conduct a cyber risk assessment can shed light on potential problems and solutions.

  2. Small businesses lack resources.

By definition, small businesses have less money and fewer employees than big ones. That means they have fewer resources to defend themselves against cyber attacks with—and cybercriminals know it. In fact, the Ponemon Institute says the biggest reasons small businesses give for not mitigating cyber risks, vulnerabilities and attacks are inadequate personnel (67 percent), insufficient budget (54 percent) and lack of enabling security technologies (44 percent). For cybercriminals, it’s like robbing a house: Although a big mansion is likely to have more valuables worth stealing, it’s also more likely to have an expensive security system. A burglar looking for an easy target will therefore choose a more modest home, sacrificing the size of his haul in exchange for a lower risk of being apprehended.

Solution: Cybersecurity doesn’t have to be expensive. There are many low-cost ways companies can protect themselves. One of the biggest, for instance, is moving IT services to the cloud, as cloud services generally are both more affordable and more secure. Even something as simple—and cheap—as conducting regular backups can be extremely helpful.

  3. Small businesses don’t train their employees.

Small business owners are busy. So busy, unfortunately, that they often don’t have time to closely train, educate or supervise their employees. That leads to employee negligence that can leave businesses vulnerable to cyber attacks. In fact, the Ponemon Institute’s report found that such negligence by employees—who fail to regularly change their passwords, for example, and download unauthorized Internet applications onto their computers and mobile devices—is the No. 1 cause of data breaches in small businesses, according to almost half (48 percent) of survey respondents who’ve experienced such a breach.

Solution: A little training can go a long way. Start by educating your employees about the cyber risks facing your business, and ask them to play a proactive role in protecting you. Suggest they change their passwords regularly, for example, and periodically remind them to. Require them to password-protect any mobile devices they use to access work information. Encourage them to limit personal use of work devices, and vice versa. Finally, screen all apps before allowing employees to download them onto company-owned devices.

  4. Small businesses lack dedicated IT support.

Big companies have big IT departments that function like large armies to help protect the business from cyber threats. Small companies do not. In fact, more than a third (35 percent) of small businesses say there is no single function in their company that determines IT security priorities, according to the Ponemon Institute. As a result, cybercriminals who look at small businesses see the enterprise equivalent of a hole in a fence. It’s no surprise that they decide to crawl through it.

Solution: Companies without dedicated IT staff should consider outsourcing IT functions to a third-party vendor; doing so can give you maximum expertise at a minimal cost, compared to hiring full-time IT employees.

  5. Small businesses have big customers.

In the B2B world, many large companies have small businesses as vendors and partners. Increasingly, those same companies are requiring their vendors to interact with internal IT systems in areas such as procurement, logistics, marketing, human resources and payroll. Such requirements allow cybercriminals to hitch a ride into large corporations’ systems on small businesses’ backs like fleas on dogs, which is one reason more cybercriminals are interested in small-business targets.

Solution: When you protect your own company, you’ll also protect your clients’ companies. A good rule of thumb is to avoid accessing critical systems—yours or your clients’—from unsecured and/or unencrypted devices. Also, you might want to consider purchasing cyber insurance to protect your company in the event of a data breach that compromises its own systems or those of its clients.

Small businesses may be small, but that doesn’t make them insignificant. By putting IT security for small business on your radar and taking commonsense measures to protect your IT systems, you can protect your company from untold harm.

What measures is your business taking to protect itself from small business cyber attacks? Let us know in the comments section below or by starting a conversation with us on social media.