I spend a lot of time talking to small business owners. If you Google the definition of a small business in America, you will see responses that say a small business has 500 or fewer employees and other articles that say 1500 or fewer.
The Small Business Administration says that, depending on your industry, a small business could be defined as a business with a maximum of 250 employees or a maximum of 1,500 employees. They’re privately owned corporations, partnerships, or sole proprietorships that have less revenue than larger businesses.
These are not the small businesses I am referring to. To me, a small business is 1-50 employees. Here’s why it’s important to distinguish my definition of a small business from that of Google or the Small Business Administration.
A business of 250 employees is a good-sized business and while they should and likely do have a budget, they probably also have an IT staff or outsourced IT to take care of their technology. This would include making recommendations, implementing appropriate changes and proactively maintaining the business’ infrastructure and data.
A business of 1-50 employees may not be as fortunate or may believe they are in good hands when they’re not.
From my conversations with small business owners in the 1-50 employee range, I can also tell you that most of them feel they’re not at risk of being attacked by a phishing scam, ransomware or other cybersecurity risks. They believe they’re small fish in a big pond, and the bad guys are not interested in their business.
61 percent of breach victims in 2017 were businesses with under 1,000 employees ~ Verizon
This number has increased and will continue to increase.
A recent independent study completed by Nwaj Tech found that out of 75 small businesses, 44 (59%) were breached within the last 3 years. Of those 44, only 3 had more than 50 employees.
What’s even scarier about this study is that none of the businesses were aware that they had been breached.
These businesses are all in Connecticut or New York and the majority of them are in healthcare, financial or legal.
Some of the businesses were under 10 employees. The fact is no business is safe from cyber-attacks. Malicious actors do not care about the size of the business.
What Makes Very Small Businesses Attractive to Cyber-Criminals?
To make this easier to understand I am going to label businesses with 1-50 employees Very Small Businesses.
Cyber-criminals find these businesses attractive because they’re not as protected as larger businesses. You might think having the free version of AVG and a local backup to an external hard drive has you covered, but it does not.
The truth is Very Small Businesses believe they cannot afford full-time tech support. They often lack the proper information when it comes to protecting their business from the threat of cyber-attacks.
This makes them more appealing to cyber-criminals because they are not protected or educated.
Consider this scenario. In 2017, a CPA was preparing to close out the tax season for their clients. 10 days before the end of the tax season (April 18th), they went to their computer and discovered a ransomware message on the screen. All their files were encrypted.
This CPA thought they were protected because, on the advice of their IT provider at the time, they were backing up everything to an external hard drive. That external hard drive was still connected to the computer, which means the backed-up files were also encrypted.
The only solution for this CPA was to pay the ransom. They no longer work with that IT service provider.
Earlier this year, a healthcare practice in Minnesota closed its doors forever because of a ransomware attack. This was a small, 2-doctor practice that felt there was no way to continue after the attack and impending HIPAA fines. This also meant they did not have an active HIPAA program in the office.
In our case study of 75 small businesses in CT and NY, 93% of the businesses that were compromised were under 50 employees. Many of them were 10 or fewer.
Reasons Why Very Small Businesses are Targets
What makes Very Small Businesses vulnerable? Here’s a list of things that make VSBs more vulnerable than their larger (100+) counterparts.
- Lack of IT Support
- Lack of Education/Knowledge of Threats
- Inexperienced IT Support
- A Belief That They Cannot Afford IT or Are Not a Target
- Ineffective Malware Protection or Backup/Business Continuity Solutions
These are some of the primary reasons VSBs are so appealing to cyber-criminals.
What’s the Risk?
60% of businesses that experience some type of data loss will end up closing in 6 months. The average ransomware attack costs a business $46,800.
Both of those statistics are staggering. In industries where compliance is a must, fines and penalties will push the financial loss above that average. In CT you must disclose if your business has been compromised. The loss of reputation after disclosure may be insurmountable to a very small business without cyber-liability insurance.
In most cases, a VSB believes they cannot afford the right IT to support their technology needs. In reality, they cannot afford not to have a proactive IT solution that secures, educates and maintains their technology.
Let’s look at it from a solopreneur’s perspective. A solo attorney recently contacted us after their desktop computer was hit by a power surge during an ice storm. The surge damaged the computer, including the hard drive, beyond repair. The data on the hard drive was not recoverable by normal methods, and the lawyer was not backing up his data, including client information.
In Connecticut, lawyers are required to maintain their client data for 7 years once the client case is closed. The lawyer faced significant penalties if he was not able to recover the data.
The hard drive was sent to a data recovery specialist. If a hard drive is physically damaged, it must be taken apart in a clean room (dust free) to recover the data. This requires someone with the right tools and the knowledge of how to do it. It can be very expensive.
While I don’t know what the cost was, I know it was in excess of $2500.
If that one-person law firm had been using proactive IT, including off-site backup with rapid disaster recovery (minutes, not hours or days), he would have been spending approximately $185/month at the high end of support. This would have included proactive maintenance, security, patching, and education as well as unlimited remote support and some on-site time.
That equates to an annual cost of $2220, a little less than the data recovery. The rapid disaster recovery is probably not necessary in this scenario but is an option. With normal off-site backup, the monthly cost is about $120, or $1440 per year.
Last night I had a conversation with another business owner (VSB) who has closed multi-million dollar deals in the past but has a soft spot for very small businesses. We both agreed that we love our small business peers and want to see them succeed. That’s why our motto (one of them) is “Your Business Success is Our Success”. We believe in partnering with businesses to offer them the most comprehensive technology protection available today.
The truth of the matter is EVERY business is at risk if precautions are not taken. The real-world scenarios I mentioned in this article are heartbreaking to me because they did not have to happen. There are things you can do to protect your business. Your business is your passion and the last thing anyone wants to do is give up on their passion because some criminal decided to take advantage of you over the internet. I want my very small business peers to succeed.
Having a Proactive IT solution and a good cyber-liability insurance policy is necessary for your business success and should not be taken lightly. Your business depends on them.