To small businesses, the threat of cyber-crime may seem like something only governments and big corporations need to be concerned with. On the contrary, small businesses are also vulnerable to these threats. A 2016 study by Symantec concluded that small businesses were the target of 46% of all phishing attacks in the previous year, a stark increase from the 2011 level of only 18%. The New York Times reported earlier this year that a study by Travelers, a cyber-insurance group, showed that small businesses were the target of 60% of all cyber attacks in 2014, not just phishing.
These figures may be surprising to many. The answer to the question you may be asking, “why small business?”, is simply that small businesses are easy targets. According to a 2015 survey conducted by Nationwide insurance and Harris Poll, 79% of small businesses are unprepared to respond to a cyber-attack. That is a significant majority of small businesses that are unprepared to deal with serious loss from malware (viruses, Trojans, worms), phishing, vulnerabilities in unpatched software, or unauthorized access to company and customer data.
The good news is that with so many vulnerable small businesses out there, a company can make itself a less appealing target simply by joining the 21% of companies that employ cybersecurity and are more prepared to handle incidents. Hackers targeting small businesses can be likened to petty thieves in a parking lot checking for unlocked cars. They solicit as many people and organizations as they can with spam email, social engineering, and phishing until someone takes the bait. Often enough, if your organization is prepared to prevent these probes from being successful, then the attackers will not try any harder to gain access to your system. Unlike attacks on large corporations, which are frequently targeted by individuals and groups motivated by social or economic ideology, attacks on small businesses are generally a matter of opportunity.
Cyber-attacks can be detrimental to small businesses. Financially, they can be too much for the budget of a small company to bear. A 2016 study by IBM reveals that the average financial cost of a data breach is $4 million. While that number is obviously skewed by data from massive data breaches involving companies like Sony, Home Depot, and Target, a Ponemon Institute study reported by the Denver Post found that the average cost of an incident is $690,000 for small businesses, contributing to a U.S. National Cyber Security Alliance finding that 60% of all small businesses that suffer a cyber-attack are out of business within six months.
The obvious damage that a cyber-attack does to a business is the financial loss related to recovering data and resources as well as restoring operation. Not so obvious, but equally detrimental, is the damage to the company’s brand and the loss of its customers’ trust. Large companies take great strides to assure the public that the company is trustworthy, usually through fast implementation of new protective technologies, public statements about what is being done to recover data and mitigate losses, and sometimes rebranding. Small businesses often cannot afford to implement new technologies and cannot withstand the losses incurred long enough for rebranding and public promises about security to benefit their reputation. Local community trust is critical to small business, so much so that even if the business can afford the costs of recovery, loss of business can still mean an inability to continue operating.