8 Reasons Why Cybersecurity is Necessary for Small Businesses

Cybersecurity is often not on the minds of small business executives. They can hardly be blamed: they have a business to run and are focused on scaling it. It can be tempting to cut security spending out of the budget and instead put that money in areas that will help the business grow. This is especially true when executives don’t believe cyberattacks pose a real risk to their business.

A 2021 survey from CNBC and Momentive shows that 56% of small businesses are not concerned with being a victim of a hack in the next year. Only 13% of them are very concerned. Given the frequency of cyberattacks, this confidence is misplaced. In many instances, hackers are incentivized to attack small businesses over large businesses. Not investing in cybersecurity is a gamble and, as with any casino game, the odds are not in your favor. A single cyberattack can be devastating and is more likely than not to occur in the next year. This article looks at 8 reasons why your small business cannot afford to neglect cybersecurity measures.

#1. Cyberattacks are continuing to rise in frequency

As businesses shifted online during the pandemic, hackers had a field day. Record numbers of cyberattacks were seen from 2018 to 2020. Cyberattacks increased by 600% during the pandemic. Ransomware attacks rose by 350% in 2018. Even as things have begun to go back to “normal”, the increase in cyberattacks shows no sign of stopping. In 2021, cyberattacks of all kinds increased. Between 2020 and 2021, encrypted threats grew by 167%, ransomware by 105%, cryptojacking by 19%, intrusion attempts by 11%, and IoT malware by 6%.

The percentage of small businesses that experience a breach within a given year has also been on the rise. In 2017, 54% of small businesses experienced a data breach. That number grew to 58% in 2018. In 2021, 61% of all small businesses experienced a data breach. Looking just at data breaches, one of the costliest kinds of cyberattack, a small business is more likely than not to be a victim in 2022.

#2. The costs of attacks are enough to threaten a small business’ survival

Cyberattacks are expensive. The financial costs of an attack come from a multitude of factors. Attacks such as ransomware can cause direct financial impacts where the hackers are paid a ransom to return access to files they encrypted. Costs from other attacks come from downtime, loss of data, legal expenses, customer compensation, and damage to a company’s reputation. All of these costs are frequently too much for small businesses to handle. 60% of small businesses that are victims of a cyberattack go out of business within 6 months.

So exactly how expensive are these attacks? It depends on the type of attack, the size of the company, whether the company has an incident response plan in place, and whether or not personally identifiable information (PII) of customers was breached. To get an idea, though, we can look to averages. The average cost of a data breach for small businesses is $108,000. Can your business survive such a blow? In another PeerWise article, we look at the costs of cyberattacks compared with spending on cyber budgets and find that there is often a disconnect between the two. Companies are spending much less on cybersecurity than the cost of a single data breach.

#3. Small businesses are easy targets for hackers

Considering that many small businesses are not concerned with being a victim of a hack, it is no surprise that many of them do not have strong security measures in place. Only 14% of small businesses consider their cyberattack and risk mitigation strategy to be adequate. In addition, only 28% of small businesses were found to have an incident response plan. It is true that hackers may be able to make more money from a single large business. But because small businesses are easier to attack, hackers can make more money by targeting many of them. They need to spend less time and fewer resources breaching small businesses’ networks.

Less equipped hackers may not be able to penetrate the networks of large businesses. On the other hand, even with minimal resources a hacker can pull off successful attacks against small businesses. Launching an impactful attack against a company that has minimal security measures in place does not require the hacker to have advanced technical knowledge or sophisticated tools.

DDoS-for-hire services can be purchased for as little as $13/month. There has been an increase in Ransom DDoS attacks, which have an added extortion element. These attacks can be extremely damaging to a company, but they also provide an example of where implementing basic security measures can protect your small business. A cloud-based DDoS mitigation provider can easily mitigate the DDoS attacks most small businesses would see.

#4. Hackers are after customer information and employee credentials

Another reason why hackers may target small businesses: the data they hold is extremely valuable. Sure, a large business likely has more of it, but that does not mean hackers will overlook small businesses entirely. PII of customers and employee credentials can both be stolen and then sold on the dark web.

A company that handles PII and does not implement security measures is being negligent toward its customer base (as well as its stockholders and employees). Stolen PII such as credit card numbers, addresses, and social security numbers can create lasting negative impacts for customers. It can also sink a business. Besides suffering reputational damage, a company that loses PII due to a breach could be required to offer free credit monitoring services for one to two years. These services can cost $10-$30 per month for each customer whose data was stolen. If 1,000 customers had their data breached, that would equate to at least $120,000 in credit monitoring services for the small business.

The frequency of credential theft has increased dramatically over the past few years. The average incidence of credential theft per organization has increased from 1 per year in 2016 to 5.7 per year in 2022.

Sourced from Ponemon Institute Cost of Insider Threats Global Report 2022

The Ponemon Institute found the average cost of these incidents to be $4.6 million per year. This data was collected from organizations of all headcounts (from <500 employees to >75,000 employees).

#5. Small businesses can act as stepping stones to infiltrate larger companies

If a large business is contracting with your small business, hackers can breach your networks in order to steal credentials belonging to the larger business. This will be more common in some industries than others. Construction companies and companies in the supply chain are often targets of attacks for this purpose.

The most famous example, and an often-cited case study, is the HVAC company that let hackers gain access to Target’s networks. In 2013, hackers were able to breach an HVAC company called Fazio Mechanical Services. This company had access to sensitive credentials from Target. When the HVAC company was breached, hackers were able to steal these credentials, which in turn allowed them to breach Target’s networks. It led to Target paying the biggest ever data breach settlement. If you are contracted by large businesses, take heed: you will be a bigger target.

#6. Remote work increases the attack surface of companies

Statistics show that 16% of businesses are 100% remote and 62% of employees aged 22 to 65 say they work remotely at least occasionally. Small businesses are found to be 2 times more likely to hire remote employees.

In our article on remote workers, we discuss the security risks that remote working brings. Major risks include unsafe use of devices as well as an increased risk of phishing attacks. Phishing attacks have ballooned in number since the pandemic caused a shift to remote work. 91% of all cyberattacks now begin with a spear phishing email. Data breaches are also found to take longer to identify and contain when more of the workforce works from home.

Sourced from IBM

Remote work does not have to mean that your business is more likely to suffer a cyberattack, but security measures need to be taken in order to mitigate that risk. Employee education is one step you can take. Another is multi-factor authentication.

#7. Small businesses are most at risk of getting targeted by ransomware

Ransomware attacks became one of the most popular cyberattacks over the last couple of years. Between 2019 and 2020, ransomware attacks grew by 62% globally and 158% in North America. Ransomware and ransom DDoS payments in 2021 exceeded the total amount paid in the last decade. The rapid growth in ransomware attacks continued in 2021 with a further 134% increase year over year.

It is a costly assumption that hackers choose to target large businesses, which in theory have more money to pay larger ransoms. 82% of ransomware attacks targeted businesses with fewer than 1,000 employees. Why? Small businesses face greater pressure to pay the ransom than these larger corporations.

It is generally advised not to pay a ransom if your company is hit by a ransomware attack. Many companies do not follow this advice. A 2021 survey by Kaspersky showed that a little over half (56%) of companies ended up paying the ransom. Paying ransoms is not recommended for two reasons. First, just because you pay does not mean that the hackers are going to keep their word and decrypt your files. The State of Ransomware 2021 report by Sophos showed that only 8% of companies who paid a ransom got their data back. Second, if a company does pay, it can signal to hackers that it is a good target to attack.

To get back to our point: small businesses often cannot afford the risk of not paying the ransom. The reason for this is that they are not taking proper security precautions. If a company has not performed data backups recently when a ransomware attack hits, it may have no option but to pay that ransom. If it doesn’t, it could lose enough critical data that the company cannot recover.

#8. The Russia – Ukraine war is proving cyber warfare may be an increased and lingering threat

Due to Russian aggression in Ukraine, CISA issued a high-alert warning. The “Shields Up” initiative suggests that organizations of all sizes ramp up their security measures to meet the possibility of increased threats. Russian cyber aggression is not new. Our article on Russia’s use of cyberattacks during times of war outlines a timeline of such attacks beginning in 2007. While cyber warfare is not a new concept, it is starting to play a more central role in times of war.

Ukraine and Russia have been exchanging cyber blows leading up to Russia’s invasion of Ukraine. These attacks have only ramped up now that these countries are actively at war. A recent report by PeerWise found that only 12.5% of companies are not focusing in some way on improving their security posture in response to an increased threat of cyberattacks from Russia. Small businesses may think they are exempt from cyber warfare. Why would a country focus attacks on your small business? Wouldn’t they instead focus on organizations critical to a nation’s infrastructure such as hospitals or banks?

While it is true that hospitals and banks are a target in cyber warfare, small businesses are not ignored by hackers. Many of the leading ransomware hacker groups today originate out of Russia. These include groups like REvil and Fancy Bear. These groups have long been suspected of being state-sponsored. In a time of war, one goal of these hacker groups is to attack critical national infrastructure. But another goal is to raise capital for the war effort.

We have already discussed how hitting small businesses with ransomware can be profitable to hackers. In times of war this will be all the more important to these groups. Another reason why small businesses cannot assume they won’t be a target is that some hackers target companies indiscriminately. They have automated systems that scour the internet for any access points they can breach using brute-force tactics. If your organization happens to have a vulnerable access point, it may become the focus of these hacker groups.

Conclusion

Headline-making cyberattacks focus on large businesses, leading many to believe only enterprises need to worry about cybersecurity. The facts show that small businesses are not exempt from cyber risks. PeerWise has put together a series of fundamental cybersecurity measures that small businesses can take to improve their cybersecurity posture.

These articles show ways in which small businesses can implement security measures without sacrificing valuable company resources. They demonstrate how companies can economically handle risk management, perform risk assessments, form incident response plans, and more. Future articles will also look at when small businesses should consider purchasing cyber insurance, as well as what tools are most crucial for cybersecurity in a small business.

To learn more about where spending is going, look at our Q1 2022 budgeting report. This report shows what areas of security businesses are focusing on in Q1. It shows how companies are budgeting for things we discuss in our series on cybersecurity fundamentals, such as outsourcing and risk management.