Hackers Pivot to Small and Medium-Sized Businesses for Cyberattacks
By Jana Bounds

The push to digital is presenting small and medium-sized businesses (SMBs) with a minefield of considerations. While many may feel they sorted the kinks out a couple of years ago, that couldn’t be further from the truth. SMBs have become primary targets for a host of bad actors for a number of reasons. Experts that are all over the map in other specialties agree on cybersecurity measures: get educated, get protected, and get moving on it immediately.  

Why are SMBs under constant threat?

Cyber threats are a real and present danger for every size of business. However, hackers are using time-tested business principles in their own dark enterprises: they are pivoting to where they can find better success.  

Where large corporations often have teams dedicated to information technology and cyber security, small and medium-sized businesses (SMBs) remain woefully underprepared. Many are even ignoring the threat entirely, with 61% of small business owners polled by CNBC and SurveyMonkey reporting that they remained unconcerned about falling victim to a cyber-attack.  

Black hat hackers (aka malicious actors) know this, which means that 43% of all cyber-attacks are zeroed-in on small businesses.  

“It doesn’t matter how small you are: A hacker will Cryptolocker (a form of ransomware) your small business for a $5,000 payout,” said Horizon Helix CEO Daniel Stanton. “You aren’t too small for a hacker.”  

The FBI and CISA are Warning Small Businesses

The threat is so severe that the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning specifically to small businesses at CNBC’s Small Business Playbook in 2022: Prepare, bolster defenses, because the attackers are ramping up and going for soft targets—smaller organizations that don’t anticipate the peril.

“In 2021, the FBI’s Internet Crime Complaint Center received 847,376 complaints regarding cyberattacks and malicious cyber activity with nearly $7 billion in losses, the majority of which targeted small businesses,” according to CNBC reporting.

“Once they’re in through an unsecured network, they can piggyback into your company data to their heart’s content,” according to Inc.  

Meanwhile, Cyberattack Recovery is an Uphill Battle

Cyber-attacks often prove crippling to SMBs. They are at greater risk of collapse due to cyberattacks mainly because they must navigate a “minefield of data security risks while complying with data protection and breach notification laws identical to those of larger businesses,” according to the Brooklyn Journal of Corporate, Financial & Commercial Law. To complicate matters, smaller businesses lack the financial resources of their larger counterparts, and the technological sophistication to mitigate data security risks and endure the legal and financial implications of a breach.

These implications include dire data, such as an average $4.62M cost of a ransomware breach and $161 average per record stolen, according to a 2021 IBM study.  

The average cost of a data breach specifically in the small business market: from $120,000 to $1.24 million.  

Potential direct costs of a cyber-attack include monetary theft, system repair and remediation, regulatory and compliance fines, legal fees, identity theft repair and credit monitoring, and an increase in insurance premiums. Indirect costs can be far more lasting, including damage to business brand, reputation, and credibility; downtime; loss of customers/business; and loss of intellectual property.  

It’s also important to note that the cyberattack might have little to do with your company and everything to do with firms with which you have dependencies and relationships: you may be the easy access to a wealth of information.  

Why is there SMB Cybersecurity Complacency?

Business leaders have a number of issues competing for attention, and only 9% rank cybersecurity as a top priority. Sixty percent of respondents to Keeper Security’s cyberthreat survey noted that cyber security was in the bottom half of priorities when compared to sales, recruitment, quality control, marketing and contributing to social good.  

This mindset is led by the majority belief (62%) of respondents from companies with revenue between $1M and $500M who think they are unlikely to experience a cyberattack. Also, the more established a company, the less respondents perceived a threat to cybersecurity.

Small Businesses Lack the Budget

Further, nearly 50% of businesses with fewer than 50 employees lack a dedicated budget for cybersecurity while only 18% of companies with more than 250 employees have a specific cybersecurity budget, according to Security Magazine. Only 11% of organizations can protect their most critical assets.  

According to Business.com, cybersecurity is becoming increasingly relevant for small businesses and should be viewed as a core business function. In fact, according to the website, cybersecurity should be viewed as an immediate financial priority.  

Cybersecurity is essential for compliance with the General Data Protection Regulation by the European Union, the PCI Security Standards Council, and the Health Insurance Portability and Accountability Act, not to mention some national and state regulations. Depending on where your company conducts business, this compliance can be imperative to securing contracts and maintaining viability in a competitive market.

SMBs are Unsure of Where to Start with Cybersecurity: What Should Be Done First?

Even if decision makers in SMBs move past the denial phase of cyber threats, they still must contend with an onslaught of technical data and a number of businesses vying for their business. So, to simplify as much as possible, there are five main categories of cybersecurity.

 

  1. Risk Assessment: This is often done by a third party and is a quick, thorough and definitive answer as to how large of a target you have on you and how weak your defenses are. It is an essential step in threat mitigation. 
  2. Basic IT Protection: What are best practices? Are employee passwords secure or do they consist of “12345” or “password”? There are painfully easy ways for malicious actors to get into your network.
  3. Detection: Do you have any kind of system to detect threats? If so, how often are you running scans? The average data breach allows hackers to be in their targeted systems for more than six months before being detected. From financial, health, vendor, critical supply chain information and even intellectual property information that would be valued by competitors, consider how far and how deep an experienced hacker can get with months to explore.    
  4. How You Respond: Who is on your team and ready to act efficiently and effectively? Having an established plan saves valuable time and allows for you to start mitigating the issue as quickly as possible. 
  5. Recovery: This, as discussed earlier, is a daunting task for businesses of every size, but particularly for SMBs. Some experts suggest that cyber security insurance is imperative, since the implications of a breach can be so devastating. Take stock of your risk, current protection and budget to sort if this is necessary. It doesn’t hurt to discuss this with a cyber security expert.  

There is no room for complacency in this fast-moving digital world where a hacker can be thousands of miles away and living in your digital space for six months, finding all your business’s secrets and financial data, and working their way into the networks of your partners and suppliers. The domino effect of a data breach for any sort of business proves catastrophic. Proactivity is paramount: talk to professionals, establish a budget and protect your company, employees, partners and vendors. It is the right thing to do.
