Small Businesses Increasingly Vulnerable to Cyberattacks

Most small businesses do not believe they will suffer from a cyberattack. Let’s take a closer look… No one questions that cyberattacks are getting out of hand. In the last year, big businesses and municipal governments have become increasingly targeted. It is all too easy to name names: Colonial Pipeline, Microsoft Exchange Server, Acer, Florida Water Supply, FireEye and JBS are just the most notorious of 2021. But these are large organizations with clear and valuable assets. They have resources to pay, as well as significant incentives to keep breeches private and issue payments. Once we start to consider smaller targets, like mom & pop stores, gas stations, and sole proprietors, it seems the incentives dwindle to so little that it might not be worth a hacker’s time and effort. At least, that is what many small business owners seem to think. Unfortunately, it does not stack up to reality. Let’s see just how far down the primrose path small businesses have traveled.

How Many Small Businesses Believe They Will Be Victims of a Cybercrime? How Many Are Right?

Let’s start with the large-scale attacks over the last year. Many of them have targeted small businesses. Though the media tends to focus on the brand names when they report, many of these attacks infiltrated large IT companies, so that they could ultimately hijack the small business networks served by the bigger fish. Microsoft Exchange Server hack was patched within weeks of the initial exploit, but nefarious organizations had already started to execute the last stage of their plan in full force. Over one thousand small businesses were compromised in that attack. The same goes for Kaseya. This summer, Kaseya was infiltrated, but again, the ultimate targets were the hundreds of smaller IT companies using Kaseya’s products, again, so that hackers could ultimately reach the customers of those customers, at the end of the IT supply chain. Kaseya pulled the plug on its services to address the attack, leaving its clients in the lurch for days. How many of them were concerned that they might be the targets of a cyberattack? CNN conducted a recent poll of small businesses. They found that a shockingly small percentage of respondents take cybercrime seriously.

*Rosenbaum, E. (2021, August 10). Main Street OVERCONFIDENCE: America’s small businesses aren’t worried about hacking. CNBC. Retrieved September 25, 2021, from CNBC article on small business cybersecurity concerns.

You might think that a question like that might not quite reveal the whole truth. Let’s say you have prepared a cybersecurity plan quite carefully. You have backups of your servers and services, and you believe this plan is airtight. There’s no way an attack could catch you off-guard. You might also respond, “I’m not concerned.” That’s why the CNN poll also asked how many of these businesses had a plan in place. Guess what, the lack of concern did not come from defense, only the belief that they would not be attacked.

*Rosenbaum, E. (2021, August 10). Main Street OVERCONFIDENCE: America’s small businesses aren’t worried about hacking. CNBC. Retrieved September 25, 2021, from https://www.cnbc.com/2021/08/10/main-street-overconfidence-small-businesses-dont-worry-about-hacking.html.

“The risk has never been higher for SMBs” — Derek Manky, Chief, Security Insights & Global Threat Alliances, Fortinet

Make no mistake, these blockbuster attacks do sometimes target large organizations, but often small businesses and consumers are the ultimate targets. And in the meantime, artificial intelligence and Ransomware as a Service software reduces the cost to hackers and hacker organizations. It is now quite feasible for a solitary individual to pay a moderate monthly fee for some of the most advanced ransomware on the black market. So how many attacks target small businesses?

“42% of cyberattacks target small businesses”

*Steinberg, S. (2020, March 9). Cyberattacks now cost companies $200,000 on average, putting many out of business. CNBC. Retrieved September 25, 2021, from https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html.

Not having a plan in place to respond to a cyberattack is the No. 1 issue that small businesses face. Whether they are attacked head-on, or through a brand-name supplier, the threat to their business continuity and the trust of their customers is the same. Most simply cannot afford a cyberattack, but everyone can take steps to prevent attacks, and to limit the damages of an attack should one get through. With so much at risk, you would think that more SMBs would prepare. It is up to all of us to spread the word so that our communities harden their defenses. We are ultimately in charge of whether cybercrime pays. The more that fall prey, the richer the hacker community becomes. If you have any questions or concerns about your cybersecurity posture, please email david@platteriver.com for more information.