It may surprise you to learn that small businesses are at least as attractive to cyber-attackers as large enterprises. In the past, the prevailing thinking was that small and medium businesses (SMBs) were unlikely targets: why would a cybercriminal focus on a company with less data when a bigger organization offers a much larger trove (and, in turn, a much larger potential payoff)? The answer is simple: SMBs are low-hanging fruit. More dangerously, their weaknesses can become easy gateways into larger organizations. With limited resources for defense, an SMB may be the unguarded tunnel that connects to significant value at a larger partner or customer. It is no longer a matter of whether an organization will be attacked, but of when and how.
In recent years, my firm has noticed a significant shift from cybercriminals attacking large companies to targeting smaller businesses. And many cannot weather the business disruption: increasingly, SMBs are forced to close their doors for good after an attack. According to the National Cyber Security Alliance's 2019 report, of the 1,000+ small business decision-makers surveyed, almost 30% had experienced a breach within the past year, and of that group, 10% went out of business afterwards. Further, following a breach, nearly 70% of the respondents were completely knocked offline for a period of time, 37% experienced financial loss, and 25% filed for bankruptcy. The consequences are as much financial as they are reputational.
In terms of preparedness, Accenture's 2019 Cost of Cybercrime report revealed that only 14% of SMBs were prepared to defend themselves from a cyberattack. Leaders should err on the side of caution, regularly re-evaluate their cyber risks, and prioritize resources for cybersecurity initiatives whenever possible. Outdated perceptions of what security should cost also make a bigger budget a difficult ask. According to Untangle, although SMBs increasingly understand the importance of IT security, 29% of the 300 SMBs surveyed had an annual cybersecurity budget of less than $1,000. More than half do not employ a dedicated security professional, and instead spread the responsibility across several other roles. Even midsized companies with dedicated cybersecurity staff keep asking those staff to do more with the same resources, which leaves them increasingly prone to fatigue and burnout.
Unfortunately, cybercriminals are aware of the struggles facing SMBs and take advantage of them. There are many reasons a bad actor might target a small business. Supply chain attacks, for instance, are extremely common these days. In the technique known as "island hopping," the attacker compromises a company's partners or suppliers and uses that access as a gateway to the primary target, exploiting the weakest link in a large company's chain. Consider Facebook's and Target's recent breaches, which both resulted from third-party weaknesses; in Target's case, the attackers entered the retailer's network with credentials stolen from an HVAC contractor.
Cybercriminals also hone their skills on SMBs before attacking larger enterprises, and they make examples of smaller entities along the way. Case in point: in January 2020, Maze ransomware operators made headlines not just by locking victims out of key systems, but by publishing data stolen from companies that refused to pay a ransom. These companies were not small by any means, but they were not household names either. You can bet that larger companies with more significant data troves took notice of this incident and will weigh paying the ransom the next time they suffer a ransomware attack, even though payment is no guarantee that stolen data will actually be deleted.
So, as a small business, what can you do right away, and cost-effectively, to address this problem? It starts with education. Employee error is one of the biggest causes of security breaches, so implement company-wide training that keeps people vigilant and able to recognize suspicious activity such as phishing email. Require a unique password for every account (a password manager makes this practical rather than a burden), and wherever it is available, turn on multi-factor authentication, starting with email, banking and remote-access accounts.
Other proactive steps include regularly backing up data on company computers, keeping at least one copy offline or otherwise out of reach of an attacker who gains control of the network, and periodically testing that you can actually restore from it. Use your peacetime wisely to create a partner-aware incident response plan, so that you and every part of your supply chain are on the same page about everything from security protocols to communications procedures following a breach. Keep your antivirus software, operating systems and other safeguards patched and up to date to improve your organization's risk posture, and do not let employees install software without the proper approval.
The bottom line is that cybersecurity should be a top priority for any organization, big or small. All businesses must understand the threat landscape and make a concerted effort to mitigate cybercrime. Small businesses hold real value for cybercriminals, and in today's landscape it is a business imperative to prepare proactively for the inevitable, keeping both your company and your entire supply chain safe.
Claire Umeda is the vice president of marketing at 4iQ, a Los Altos-based adversary intelligence company. You can follow Claire on Twitter at @ClaireIfEye.