Large corporations spend hundreds of thousands, often millions, of dollars on cybersecurity, but when it comes to small businesses, many owners aren’t spending enough.
Only 2 percent of the small-business owners surveyed in the CNBC/SurveyMonkey Small Business Survey said they view the threat of a cyberattack as the most critical issue they face. The survey, conducted in April, gathered the findings from more than 2,000 small-business owners across the country in a variety of industries.
That, in some ways, makes sense. Taxes and the cost of employee health care were two of the highest-ranking items and certainly are more front of mind on a day-to-day basis. But online security experts say that very lack of focus makes small businesses a lot more vulnerable.
“Most small-business owners take the attitude of ‘Why would anybody care about me? I’m just the little guy.’ It’s because you’re the little guy that you’re of interest,” says Hemu Nigam, founder of SSP Blue, an internet security consultant business, and the former vice president of internet enforcement at the Motion Picture Association of America. “Hackers love small businesses [because] they don’t have the resources to put in high-end cybersecurity protection and they may not be consciously aware they are a target.”
Yet they are very much a target. Hackers have breached half of the 28 million small businesses in the United States, according to the 2016 State of SMB Cybersecurity Report.
Congress has taken some steps to protect them. In March the Senate introduced the Main Street Cybersecurity Act, which would create a voluntary cybersecurity framework for small businesses. (The act has been locked in the Committee on Commerce, Science and Transportation since April, with no apparent movement.)
A hacker’s goal at a small business can vary. Retail-facing companies are often targeted for the personal and credit card information of customers. Many companies in all industries are hit with a malware attack that initially does nothing, but it can transform a company’s systems into “zombie computers,” which can be used unwittingly in a larger attack. Some hackers use security lapses in small businesses as backdoor entries into larger partner companies. And, more recently, hackers will hold data for ransom and force the business owner to pay to retrieve it.
“What they’re doing when they attack is freezing the company’s assets, encrypting them and saying, ‘Give us $300 to $400 to get it back,’” says Nigam. “Most small businesses will pay that because they never backed it up properly.”
One way to add a layer of protection is to skip hiring an outside firm to build your website and set up an internal email server, and instead use a larger service, like WordPress or Gmail. Those organizations have more advanced security systems that weed out many phishing attacks and malware.
Just keep in mind that following that course doesn’t absolve you of responsibility.
“It’s a false sense of security,” says Christopher Roach, national IT practice leader and managing director for CBIZ Risk & Advisory Services. “Yeah, they may be better at managing security, but you have to have the infrastructure set up properly, and there’s a lot of settings on the end user or client side that have to be administered to maintain a level of security. A lot of small businesses don’t get into that level of detail.”
The biggest security risks for small businesses can be born from boredom. Small-business owners who check their personal email or Facebook or favorite websites from their work machine put their company’s data at extra risk. And with storage space costing less, companies that keep their data local (vs. with a cloud-based service) often have a lot more information for hackers to mine.
Finally, while several prominent large corporations have withstood major hacking incidents, the story doesn’t always end as well for small businesses. When customer data or credit card information is stolen, it can break the circle of trust (and there are often other locally owned competitors). Beyond that, the financial costs of recovery are often beyond what a small-business owner can handle.
“I think [smaller companies] are more apt to struggle to remain in business,” says Roach. “If they’re a retailer and they have a breach of their credit card data, the cost of having to respond to a breach of that nature can usually be anywhere from $200 per transaction to $395 per transaction. … CBIZ has cyber liability insurance, but the last time I looked, there weren’t a lot of small-business clients.”