By Laura Haight
Experts in cybercrime and security now believe that small businesses are the preferred target for hackers and cybercriminals.
In 2014, a Price Waterhouse Coopers survey found that known attacks on medium-sized small businesses rose 64 percent in one year. In 2013, the annual Verizon Data Breach survey reported 62 percent of companies attacked by hackers were small businesses. Why do small businesses have such a big target on their backs?
They are unaware and/or unprepared. That makes them easy “low-hanging fruit” for hackers.
Automated attacks let cybercriminals reach millions of targets easily. “The criminals don’t care who they’re attacking, and while any given business isn’t worth much, they have viruses or ransomware that allow them to attack thousands or millions,” Greg Shannon, chief scientist at the CERT Division of the Software Engineering Institute at Carnegie Mellon, told CSO Magazine.
The interconnected nature of business today makes every small business a lucrative target. Not necessarily for what you have, but for what your partners, clients, collaborators, contractors, and other constituents may have. Just a few years ago, businesses functioned in relatively closed systems. But today, complex networks involve local servers, cloud services, mobile devices and more. Hacking one leads an attacker to many others.
The risks of being hacked are high and growing daily. But the costs are through the roof. While Target, Home Depot, Sony and Anthem may be able to muscle through the costs of the massive data breaches they’ve endured, 61 percent of small business will not be able to shoulder the costs of detection, cleanup, lost business and reputational damage.
With all this said, why aren’t we doing more? I think there are three reasons and responses for this.
We feel overwhelmed and helpless.
If huge global companies, not to mention the state and federal government, with all their resources and capabilities, can be hacked, then there is clearly nothing a small business can do.
Get your head out of the sand. Good security does not start or end with huge outlays on technology systems. Every hack, no matter how large, that has ever occurred has been made possible by an authenticated user who clicked on something they shouldn’t have, lost something they shouldn’t have been carrying around, misplaced something they should have been protecting or in some other way opened a door.
We are lulled into a false sense of security
Perhaps you invested in some high-end technology that promises to identify and stop the external threats to your business. And you breathe a sigh of relief and check the “cyber security” box off your list. Not quite. In 2015, $75B was spent globally on security hardware and software; this year, that is expected to rise by nearly 25 percent to $101B. At the same time, global losses keep growing from $440M last year to an expected $90T (yes, that’s trillion) by 2030. So despite huge outlays on technology, analysts see the problem continuing to balloon. Why? Because hardware and software systems cannot protect us from our own behaviors.
Security is a business problem, not a technology problem, and it requires a business solution. Compartmentalizing it with hardware and software alone is a waste of money. Developing a culture of security that includes strong processes and procedures that are diligently monitored, a training culture (not just a class once a year to check off for your insurance company), and continual reinforcement, coupled with smart technology purchases, has to be part of your war strategy.
We don't see it every day
News of cyber attacks is often limited to the largest breaches affecting the biggest or most visible companies. Most businesses and nonprofits that deal with a cyber attack try to keep it from getting out. While there are both ethical and legal requirements to inform customers, clients, patients or partners of any exposure of their data, these often don’t become public knowledge for small companies. The lack of public awareness that these attacks are happening every day, to people just like us, right here in the Upstate, contributes to a false sense of well-being. It’s as if every other house on your street was being burglarized and no one told you.
Doug Hewes, former chief security officer for the state Department of Health and Human Services, has said that cyber criminals are winning because they are better organized, better armed, more patient and we are ill-equipped to fight them. We spend millions of dollars and countless hours writing, reading and strategizing on how to market our business, but precious little thinking about protecting it. Does your business have a social media posting calendar? Do you have similar processes for checking to ensure technology patches are up to date?
We need to train and enlist our employees as the most important line of defense, share information, learn from each other and build a cybersecurity plan to protect the business we’re trying so hard to build.