The State of Small Business Cybersecurity in 2020
Historically, small businesses thought about security in terms of physical property. To protect the items inside the store or office, business owners purchased locks, installed alarm systems, and sometimes hired security guards. Today, however, property crimes are continuing their 25-year decline, meaning the chances of a break-in at your business are about half what they were in 1993. Cybercrime is the new playground for criminals. And yes, it affects small businesses as much as or more than it does large companies.
In fact, small business cybersecurity needs serious attention in 2020 because small businesses run a growing likelihood of attack from increasingly sophisticated cybercriminals, and most business owners are taking woefully inadequate precautions to protect their enterprises. According to the 2018 Cyber Readiness Report by Hiscox, 73% of organizations fall into the “novice” category of cyber-preparedness and only 11% earn the title “experts.” Hiscox’s researchers found that the problem wasn’t a lack of awareness. In fact, two-thirds of the businesses Hiscox surveyed said that — along with fraud — cyber was their top risk concern. The problems were rooted in financial concerns and uncertainty about what steps to take.
Why aren’t small businesses ready for an attack?
Large corporations have deep pockets and can make substantial investments in their information security departments. In fact, in Hiscox’s survey, 21% of companies with 250-plus employees ranked as cybersecurity “experts” while just 7% of firms with fewer than 250 employees held the same title. Possibly, that’s because small businesses put an average of 9.8% of their IT budgets toward cybersecurity while larger companies invested about 12.2% in keeping their data secure. About half invested nothing at all.
Large companies also work with much bigger budgets to begin with. Hiscox found that “experts” enjoyed average IT budgets of $19.8 million and their smaller counterparts were working with around half that amount, around $9.9 million. That means larger companies are getting the best expertise, plans, and technologies that money can buy. Small businesses, on the other hand, don’t have that same access to protection.
Cybercriminals already know exactly what we just told you. They know that while major financial institutions, hospitals, and biotechnology companies hold rich treasure troves of data, those enterprises are also guarded by gold-standard technology that was developed and deployed by the finest minds in the industry. That’s why, despite their relative lack of valuable information, small businesses make more appealing targets to most hackers than big companies do. In fact, the Verizon Data Breach Investigations Report states that 43% of cyberattacks in the last year involved small business victims.
Attackers know that small businesses often lack the expertise to locate the top talent for IT security, and even if those small companies could find an excellent security team, they often lack the resources to compensate their personnel at a competitive level. Criminals also realize that in small businesses, users often aren’t properly trained in cybersecurity procedures. Hence, the hackers can quickly identify the weakest link in the security chain — the human beings working in the office or store — and exploit it.
Why do small businesses get attacked by cybercriminals?
Black hat hackers — the guys you have to watch out for in the cybercrime world — run their operations like businesses. They shoot at the targets they believe offer the highest payoff with the least risk of getting caught. Generally, small businesses offer the easiest prey for two reasons:
Small businesses are often targeted by attackers so that the criminals can leverage the small business’s relationship with a larger organization. When hackers decided to go after the rich data mine at Target, they didn’t attack the retail giant head-on. They knew that a massive company such as Target would have sewn up every potential entry point. Hackers instead compromised Target’s HVAC vendor, Fazio Mechanical Services. Using the vendor’s credentials, hackers gained access to Target-hosted web services for vendors. From there, it was just a matter of searching for a vulnerability to exploit. Ultimately, the attack cost Target $202 million. Andrey Hodirevski was tied to the attack for selling the stolen credit card numbers.
Small businesses typically have less mature cybersecurity programs. Often, executives or owners fail to invest in cybersecurity because they think they have nothing worth protecting and therefore they won’t be a target. In fact, they may be sitting on credit card numbers, social security numbers, healthcare data, or other valuable information and not even realize it. Most hackers want customer data, credit card information, or intellectual property, which many small businesses possess. Moreover, any company is vulnerable to even ham-fisted hack jobs such as a ransomware attack or a payment card web application compromise. These attacks are easy to pull off, pay reasonably well, and are unlikely to result in detection and prosecution.
Small businesses are often easy and lucrative targets for cybercriminals. With untrained staff, under-resourced IT departments, and more valuable data than they may realize, small businesses can offer low-risk, high-reward targets for hackers.
How many small businesses get attacked by cybercriminals?
At least 43% of cyberattacks focus on small businesses. Verizon’s report puts that number closer to 60%. This amounts to millions of attacks each year. The exact numbers are unclear and unreliable because many businesses do not report attacks. Based on our incident response and penetration testing results, we believe 70% of small businesses get hacked at least once. Some get hit over and over.
In general, these attacks come from outside hackers, some supported by international bad actors and others operating in small groups or on their own. But other attacks come from within — disgruntled employees, negligent staff, or people angry about being let go can disrupt operations in retaliation for what they perceive as bad behavior on the part of the business.
Malicious attacks aren’t all that threaten small business data security. IBM’s 2019 Cost of a Data Breach Report says nearly one-fourth of data breaches are caused by simple human error. While this might seem less threatening than a deliberate criminal attack, the consequences of any data breach are the same regardless of the reason for the crack in the wall.
How does a cyberattack impact a small business?
According to IBM’s report, businesses of all sizes may lose $320,000 in the average breach. Other reports say hacked small businesses will lose about $200,000, an amount that could put many of them out of business. Companies of any size working in regulatory industries stand to lose much more.
The cost of an attack can’t only be measured in dollars and cents. In fact, IBM says the average breach lifecycle runs 279 days, which ramps up to 314 days for breaches caused by malicious attacks. Half of this time may elapse between the initial breach and its discovery. The longer the lifecycle, the more costly the breach. Data breach fees and other costs can run hacked organizations thousands or even millions of dollars.
Cybercrime against small businesses can put them out of business and cost people their jobs.
It happened to Efficient Services Escrow Group, a small business in Southern California that discovered too late that hackers had infiltrated its systems using a standard Trojan horse. The hackers sent three fraudulent wire transfers, one for $432,215 to an account in Russia and two totaling $1.1 million to accounts in Heilongjiang province in China. One month later, the State of California shuttered Efficient Services Escrow Group for failing to protect its escrow accounts. All the employees lost their jobs.
In 2019, Agence France-Presse reported that hackers in China tried to infiltrate Airbus, a European aerospace and defense company considered a vital operator for national security. The hackers targeted four Airbus suppliers, including Rolls-Royce Holdings Plc and France’s Expleo. Some observers of the incident said that Airbus may have failed to ensure its suppliers were properly protected, thus leaving an opening for hackers. Certainly, this attempt wasn’t the first effort criminals have made to get inside Airbus by hacking a vendor in order to open up the supply chain.
What can be done to prevent small business hacking and other cybercrimes?
At Alpine Security, we offer a data breach prevention audit to help determine the likelihood that you will have a data breach. This audit quantifiably measures your business’s risk of a successful cyberattack. At the audit’s conclusion, we give you a high-level roadmap of prioritized actions to reduce the chances of your being successfully attacked. A data breach prevention audit is a critical tool in helping small businesses avoid costly and destructive data breaches. Contact us to learn more about what a data breach prevention audit could do to protect your company.