Small companies make good targets for cybercriminals
"Cybersecurity doesn’t apply to me because my business is too small to matter", and "Cybercriminals would never bother hacking us because we don’t have valuable data or many financial assets."
If these comments sound familiar, that’s because it is unfortunately the view held by a large majority of the SMB community. Small to medium sized businesses are slowly jumping on the cybersecurity bandwagon, but must first leave this 'it would never happen to me' mentality behind.
It is understandable why small businesses would struggle to see why they would need to be protected from cyber attacks when our news outlets are littered each day with the latest breaches of multinational organizations. It seems like cyber crime belongs to the world of large enterprises and is not a concern for the average SMB. However, it is this false impression that only exacerbates the problem and helps to make small businesses an even better target for cybercriminals.
Since smaller companies are led by this belief that they will not be attacked, time, money and resources are not invested in IT and cybersecurity. Their defences are very likely vulnerable, offering a soft target to cybercriminals and this is clearly a welcome opportunity, with 61 percent of SMBs reporting being victim to at least one cyber attack in the past year. Even if small companies understand the importance of cybersecurity, budgets are much tighter, and cybersecurity solutions are often seen as huge expenses that an SMB will find hard to justify.
Cybercriminals know that small companies are stretched in terms of time and budgets and will not have implemented the highly sophisticated tools and comprehensive security policies that larger organizations have, so will naturally envisage a greater success rate by focusing their efforts on the low-hanging fruit instead. What’s more, cybersecurity training will be sparse, if not non-existent, in a small business, meaning employees will be more easily tricked by common social engineering techniques used to breach accounts and networks. Human error remains the number one cause of cyber attacks and it only takes one successful phishing email paired with a negligent employee for a hacker to gain access and plant malware or steal valuable data.
Of course, larger enterprises are attractive targets to cybercriminals, dealing with large sums of money and offering a wealth of data, but going straight for the top is not usually most effective. Instead, hackers can explore their target’s supply chain and identify a weak link, normally a small business with exposed vulnerabilities. By exploiting the security gaps of a smaller business, hackers can gain access to systems and data used within, including that of any business they supply services to. This is the root cause of the majority of supply chain attacks. For example, one of the most high profile attacks in 2013 on Target originated with one of Target’s suppliers, a third-party air conditioning firm.
Whether an SMB is specifically targeted, a stepping stone to another company, or unfortunate collateral damage, it is clear that cybersecurity is not to be disregarded. The consequences for a small business caught in a cyber attack can be devastating, with studies finding that 60 percent of small companies go out of business within 6 months of being breached. Monetary losses due to breach and any regulatory fines that may have to be paid can financially cripple a business (83 percent of small businesses are not financially prepared to cope with a cyber attack), not to mention the longer term damage done to a company’s reputation that can harm future business opportunities and current client, supplier and partner relationships.
A larger organization will usually have developed plans and policies for dealing with an incident and taken out substantial liability insurance, but smaller businesses are unlikely to have this luxury. Taking steps to reduce cyber risk as an SMB, however, can go a long way towards reducing damage in case of an attack. Small businesses should look to recommendations and guidelines produced by their country’s authorities such as the NCSC in the UK and CISA in the US. These organizations will also point to minimum security standards for small businesses to align themselves with in order to protect against attack, most notably Cyber Essentials in the UK, NIST in the US, and the internationally recognized ISO certifications.
Small businesses need to put aside the mindset that they are not worth attacking and realize that overlooking these security threats could ultimately prove detrimental to the business. Covering security basics by aligning to minimum security standards is a crucial first step in any small business cybersecurity strategy, with further measures introduced as a company’s specific vulnerabilities and risk areas are identified. Small business owners cannot afford to wait until they are attacked before considering cybersecurity as there is no guarantee that their business will recover. As our working world becomes increasingly digitized and complex, the need for preventative measures to secure an organization is greater than ever, and even more so for our highly vulnerable SMBs.
Clive Madders is CTO and Chief Assessor at Cyber Tec Security, working directly with businesses as they work to achieve Cyber Essentials. With over 25 years’ experience in the cybersecurity industry, he has built up an extensive repertoire, delivering managed ICT support services, cybersecurity certifications and advanced security solutions across the UK.