It’s easy to assume that small businesses have less to worry about when it comes to cybersecurity. They can just stay under the radar and avoid being attacked in the first place.
It turns out that small businesses are actually prime targets for cyberattacks, and there are some specific reasons as to why.
They're Soft Targets
This might have been your first guess, and you’re right. The leading reason that cyber criminals target small businesses is that small businesses are easier to attack. It’s not hard to understand. No small business can afford the same level of cybersecurity as a major player like Amazon. Even non-tech companies like Walmart can afford top levels of security. Money does play a part in this.
More than that, though, a lot of small businesses invest virtually nothing into their cybersecurity. Many business owners feel intimidated by the idea, and it’s reasonable to try to find any place you can to cut costs.
The cyber criminals know all of that too, and they target under-protected small businesses as a result. Even if a successful attack against a Fortune 500 company would be worth more, it’s easier to just hack dozens of small businesses and make money that way.
It really is that simple.
They Have Less Training
This idea goes hand-in-hand with being a soft target, but it’s a little more specific. Even when small businesses do invest in cybersecurity, they often pay less attention to training their staff in best practices.
It turns out that the easiest way to hack into a business is to ask an employee for their login credentials. It’s usually referred to as phishing or social engineering, and the concept is simple. You send an employee an email pretending to be on their IT team, or working for the government, or whatever. You tell them you need their username and password to resolve an issue, and they give it to you.
Reading it here, it seems silly, but this kind of thing works all the time. It’s actually worse than that. According to CISA and the FBI, 90 percent of cyberattacks start with phishing.
The craziest part is that phishing is usually very easy to stop. Train all of the staff on how to avoid it, and you’ve suddenly become a much harder target.
Unfortunately, a lot of business owners are unaware of these facts and statistics, and that training doesn’t happen. The result? Small businesses get a lot of attacks because the attacks work.
They Often Undervalue Digital Assets
Here’s the thing. No matter how easy it might be to attack a business, no one is going to do it unless they have a reason. For most cyber criminals, the reason is money, and a lot of small businesses severely underestimate the value of their digital assets. This shows up in more than one way.
First, small business data, in a lot of respects, is more valuable than large business data. Imagine you could hack Amazon or a local bookstore. You might assume that the Amazon data is worth more, but that’s not really the case. Amazon data is actually already accessible in a lot of ways. There are a lot of reasons behind this, but the short version of this story is that user data on Amazon stores is a lot less specific and exclusive than the user data for that local bookstore.
This makes the bookstore a more appealing target, even though they have fewer users. That data can sell more easily and for more money on black markets.
Looking at a completely different angle, a lot of small businesses also fail to realize just how much they depend on their data. This is why ransomware attacks hit small businesses pretty frequently. It’s easy to think that you would be fine in the case of an attack, but most businesses aren’t. You can lose access to vendors and suppliers, you can lose stored financial information, receipts, shipping information, and so much more.
A lot of small business owners only realize how much they need their data after they lose it, and it’s why so many of those businesses don’t have data recovery plans. In the end, they’re more likely to pay a data ransom because of all of this, and that’s the bottom line.
If the small businesses are more likely to pay, of course they’ll be popular targets.
They Have Access to Other Businesses
Unfortunately, the list continues.
Even if your business isn’t a high-value target, your business might be a doorway to a more valuable business.
It’s pretty common for businesses to enlist services from other businesses, and sometimes, those relationships come with direct access.
Remember what you learned about phishing just a minute ago?
Well, someone could use a phishing attack against your business to try to access a partner business. It makes the attack against you that much more valuable.
Even if you don’t have direct access to another business, cyber criminals won’t know that. They can reasonably assume that the majority of small businesses have at least some inter-business relationships, and that assumption is reason enough to attack anyone.
They Have Limited Resources
Technically, every business has limited resources, but Fortune 500 pockets can seem infinitely deep by comparison. That resource gap shows up in more ways than just having a larger security team or more expensive equipment.
The consequences of attacking a large company are often greater than attacking a small business.
Think of it from the cyber criminal’s perspective. Would you be more afraid of attacking Amazon and Google — companies that have world-class cyber teams and world-class lawyers to find you and go after you? Or, would you rather attack the small business that might not be able to afford a legal battle even if they managed to track down the attacker?
Not all cyber criminals are world-class security experts. Some of them are perfectly mediocre at what they do. If you’re the mediocre criminal, and you know it, you’re going to stick with safer targets. Ultimately, that means a larger number of cyber criminals are targeting small businesses.
And now that you’re aware of the problem, are you ready to take steps to correct it? You don’t have to be the expert, and you don’t have to make drastic changes overnight. But you can take the first step and link up with an expert who can guide your organization toward a better security stance.