In 2020 it is estimated the percentage of cyber attacks against small businesses will be close to 70%. It’s also estimated that in 2020 the cost of cyber attacks is going to be around $5 trillion. That’s trillion with a T. And if 70% of the attacks are against small businesses, then obviously the small businesses are going to be paying for a lot of that $5 trillion. Cyber attacks affect small businesses in a few ways. This post discusses how cyber attacks affect small businesses and what can be done about it.
The Effect of Ransomware and Stolen Data on Small Business
One way cyberattacks affect a small business is through an attack with something such as ransomware. The ransomware can render systems useless for maybe one or two weeks. During that time the small business can’t provide the service or produce the product it needs to generate revenue, so it is dead in the water. That alone can take a small business out of business.
The other primary way that small businesses have to pay for a cyber attack is when a small business’s client data is stolen. Typically, the small business has to pay for credit monitoring for every record that’s stolen. There’s a clinic in Missouri that was put out of business. They had 20,000 patient records stolen by an attacker. They had to pay for credit monitoring for all 20,000 of those patients. I’m not exactly sure of the price of the credit monitoring, but I think it was around $20 per person. So if you had 20,000 records stolen and you have to pay $20 per record, that’s $400,000 that that small business had to pay per year in credit monitoring fees. Most small businesses do not have a cash reserve of $400,000, so that took that clinic out of business.
Why Do Cybercriminals Attack Small Businesses?
You may ask yourself, “Why do attackers go after small businesses? Why is the percentage so high towards small businesses?” There are two main reasons. The first reason is that most small businesses do not have a very mature cybersecurity program. They don’t have a dedicated staff working solely on cybersecurity; it’s typically somebody’s additional duty. The attackers know this, and they know that they can get into a small business more easily than a larger one, because most large organizations have a dedicated cybersecurity staff and a mature cybersecurity program.
The second reason is attackers will attack a small business and use that business as a foothold to attack a larger business. Small businesses typically have relationships with larger businesses. If the large business is fairly secure but the small business is not, the attacker’s going to go after the small business and then leverage that relationship from the small business to attack the larger business.
An example of this is Target. Target’s a large store. Obviously, they’re all over the place, but Target wasn’t attacked directly because they have a fairly mature cybersecurity program. Instead, Target’s HVAC (heating, ventilation and air conditioning) vendor, which was a small business, was attacked. From there, the attackers leveraged the HVAC vendor’s relationship with Target. They rode the trusted connection from the HVAC vendor to attack Target and compromise Target’s point-of-sale machines, through which everyone’s credit card numbers were stolen.
As a recap, the two reasons small businesses are attacked:
- They typically do not have a very mature cybersecurity program
- They are often leveraged to attack the larger business
What Can You Do?
My company, Alpine Security, believes small businesses are vital to the economy. We’re a small business and we want to support other small businesses. So we’ve come up with our fractional virtual CISO service, which offers an affordable means for small businesses to develop cybersecurity capabilities in alignment with risk tolerance, industry, and business objectives. To learn more about our CISO service, you can call us at (844) 925-7463, email us at firstname.lastname@example.org, or visit: https://alpinesecurity.com/services/ciso-as-a-service/
It is in our interest to help small business owners protect their environments from being attacked.