ANS Blog

Why Cybercriminals Love Small Businesses

March 22, 2018 in Small Business Security

Small businesses are in the crosshairs of an increasingly complex and sophisticated array of cybersecurity threats. Although major hacks of large corporations are now regularly headlining the news, small businesses are actually being attacked more regularly, and with increasing frequency. In fact, a recent Verizon study reports about 71% of data breaches occur in businesses with fewer than 100 employees.

The ugly truth is that regardless of how often cybercrime is talked about, small and medium-sized organizations continue to fall short at managing their cyber risk. As a result, they make easy pickings for hackers; that’s why they love to target them. So, if you own a small to medium-sized business or non-profit, here are a few reasons why organizations like yours are frequent targets:

1. Small businesses have lots of information cyber-criminals want

No matter what you may believe, you DO have information on your computers that can be monetized and is, therefore, worth stealing. If your organization uses accounting software, online banking, or processes credit cards, then you are a perfect candidate for a network hack. If you have employee payroll data or keep patient, student, client, or vendor records in your systems, you are also a worthy target.

2. Their limited resources are not focused on IT security

Most smaller organizations focus their limited people and money resources on things other than network security. A majority have a low level of security awareness, and often little to no security policies implemented. Even if a basic firewall and an anti-virus product are in place, these baseline security measures often don’t fully protect against the newer, more sophisticated versions of malware being generated every day. In fact, the newest forms of malware are specifically designed to bypass or evade these basic defenses.

Unlike large organizations, small ones don’t have the budget to hire the right people or deploy the best security technologies to protect themselves. In fact, even though they are aware of the dangers a cyberattack can pose, they usually still don’t allocate any additional budget for security. They prioritize things like maintaining a healthy cashflow and implementing new marketing strategies, but neglect the equally important matter of data security. Cyber criminals know all of this, and relentlessly search for ways to get into under-defended networks.

3. Their under-trained employees make them vulnerable

Smaller organizations often don’t foster a culture of security awareness. Often there are no formal IT security policies enforced, nor is there a training program to educate employees on the topic of information security and how to spot/avoid potential threats.

Hackers love to target unsuspecting employees with email phishing scams and other social engineering techniques in order to trick them into providing confidential information. Due to their continued high success rate, email links and attachments are the #1 delivery vehicle for malware. Since a plethora of current research tells us over 80% of data breaches are caused by some form of human error, it’s easy to see how untrained employees are the weakest link in the cybersecurity chain.

4. They are low-risk targets that offer big returns

In many instances, cyberattacks are designed for a quick, short-term payoff. Sometimes, the attacker’s goal is to get employees to provide access to their computer in order to launch a ransomware attack. Other times, their goal is to get employees to provide information that can be quickly monetized, like payroll records, credit card information, or access to an online banking site. Still other times, the payoff is over the longer term, including breaches aimed at stealing specific company assets like intellectual property, trade secrets and other proprietary information.

These kinds of breaches can go on inside the unknowing victim’s network for months and sometimes even years before they’re discovered. Overall, the chances of a cybercriminal getting caught are relatively low. Cybercriminals can launch attacks on hundreds of thousands of small businesses from anywhere in the world, making it increasingly difficult to catch them. Only a small percentage of cybercrime waged against small businesses gets reported to the police or the media; and even when cybercrimes are reported to authorities, they rarely result in a conviction.

Protecting your data can mean staying in business

As I mentioned earlier, the ever-growing number of announcements of corporate data breaches has become almost everyday news. What’s different about these kinds of attacks, when they happen to small organizations, is their effect. The impact of a data breach on small businesses is usually much more detrimental than for larger companies. Phishing scams can drain your bank accounts and ransomware attacks can grind your business operations to a dead halt. Remediating a breach costs money: to repair your network, recover lost assets, notify affected parties, and restore your good name with customers and vendors.

On average the cost per lost or stolen record is $221. As a result, a National Cyber Security Alliance Study found that 60% of small to mid-size companies go out of business within 6 months of a data breach. This is a pretty depressing statistic that only serves to underscore the fact that no small business can afford to operate in a blissful state of denial. Better protection for your network doesn’t have to be a complicated process or financial burden. Learn more about how our managed security programs can cost-effectively defend your organization against an ever-changing cyberthreat landscape.