Cyber Security Risks to Small Businesses are Dramatically Increasing.
I spend a lot of time talking to small business owners about lots of topics, including their cyber security risks. If you Google the definition of a small business in America you will see responses that say a small business is 500 or fewer employees and other articles that say 1500 or less.
The Small Business Administration says that Depending on your industry, a small business could be defined as a business with a maximum of 250 employees or a maximum of 1,500 employees. They’re privately owned corporations, partnerships, or sole proprietorships that have less revenue than larger businesses.
These are not the small businesses I am referring to. To me, a small business is 1-50 employees. Here’s why it’s important to distinguish my definition of a small business from that of Google or the Small Business Administration.
A business of 250 employees is a good-sized business and while they should and likely do have a budget, they probably also have an IT staff or outsourced IT to take care of their technology. This would include making recommendations, implementing appropriate changes and proactively maintaining the business’ infrastructure and data.
A business of 1-50 employees may not be as fortunate or may believe they are in good hands when they’re not.
From my conversations with small business owners in the 1-50 employee range, I can also tell you that most of them feel they’re not at risk of being attacked by a phishing scam, ransomware or other cyber security risks. They believe they’re small fish in a big pond, and the bad guys are not interested in their business.
61 percent of breach victims in 2017 were businesses with under 1,000 employees ~ Verizon
This number has and will continue to increase.
A recent independent study completed by Nwaj Tech found that out of 75 small businesses, 44 (59%) were breached within the last 3 years. Of those 44 only 3 of them had more than 50 employees.
What’s even scarier about this study is that none of the businesses were aware that they had been breached.
These businesses are all in Connecticut or New York and the majority of them are in healthcare, financial or legal.
Some of the businesses were under 10 employees. The fact is no business is safe from cyber attacks. Malicious actors do not care about the size of the business.
What Makes Very Small Businesses Attractive to Cyber Criminals?
To make this easier to understand I am going to label businesses with 1-50 employees Very Small Businesses.
Cyber Criminals find these businesses attractive because they’re not as protected as larger businesses. You might think having the free version of AVG and a local back up to an external hard drive has you covered but it does not.
The truth is Very Small Businesses believe they cannot afford full-time tech support. They often lack the proper information when it comes to protecting their business from the threat of cyber attacks. Cyber security risks cannot be ignored by anyone in business.
This makes them more appealing to cybercriminals because they are not protected or educated.
Consider this scenario. In 2017 a CPA was preparing to close out their tax season for their clients. 10 days before the end of the tax season (April 18th) they went to their computer to discover a ransomware message on the screen, and all their files were encrypted.
This CPA thought they were protected because at the advice of their IT at the time they were backing up everything to an external hard drive. That external hard drive was still connected to the computer which means the backed-up files were also encrypted.
The only solution for this CPA was to pay the ransom. They no longer work with that IT service provider.
In our case study of 75 small businesses in CT and NY, 93% of the businesses that were compromised were under 50 employees. Many of them were 10 or fewer.
Reasons Why Very Small Businesses are Targets
What makes Very Small Businesses vulnerable? Here’s a list of things that make VSBs more vulnerable than their larger (100+) counterparts.
- Lack of IT Support
- Lack of Education/Knowledge of Threats
- Inexperienced IT Support
- A Belief That They Cannot Afford IT or Are a Target
- Ineffective Malware Protection or Backup/Business Continuity Solutions
These are some of the primary reasons VSBs are so appealing to cybercriminals. Cyber Security Risks are a very real problem for VSBs.
What’s the Risk?
60% of businesses that experience some type of data loss will end up closing in 6 months. The average Ransomware attack costs a business $46,800.
Both of those statistics are staggering in number. In industries where compliance is a must the financial loss will exceed the average financial loss due to fines and penalties. In CT you must disclose if your business has been compromised. The loss of reputation after disclosure may be insurmountable to a very small business without cyber liability insurance.
In most cases, a VSB believes they cannot afford the right IT to support their technology needs. In reality, they cannot afford not to have a proactive IT solution that secures, educates and maintains their technology.
Let’s look at it from a solopreneur’s perspective. A one-person attorney recently contacted us when their desktop computer was victimized by a power surge during an ice storm. The surge damaged the computer beyond repair including the hard drive. The data on the hard drive was not recoverable by normal methods and the lawyer was not backing up his data including client information.
In Connecticut, lawyers are required to maintain their client data for 7 years once the client case is closed. The lawyer faced significant penalties if he was not able to recover the data.
The hard drive was sent to a data recovery specialist. If a hard drive is physically damaged it must be taken apart in a clean room (dust free) to recover the data. This requires someone with knowledge of how to do it and the right tools. It can be very expensive.
While I don’t know what the cost was, I know it was in excess of $2500.
If that one-person law firm was using proactive IT including off-site backup with rapid disaster recovery (minutes, not hours or days) he would have been spending approximately $185/month at the high end of support. This would have included proactive maintenance, security, patching, and education as well as unlimited remote support and some on-site time.
That equates to an annual cost of $2220, a little less than the data recovery. The rapid disaster recovery is probably not necessary in this scenario but is an option. With normal off-site backup, the monthly cost is about $120, or $1440 per year.
In Closing
Cyber Security Risks Cannot Be Ignored
Last night I had a conversation with another business owner (VSB) who has closed multi-million dollar deals in the past but has a soft spot for very small businesses. We both agreed that we love our small business peers and want to see them succeed. That’s why our motto (one of them) is “Your Business Success is Our Success”. We believe in partnering with businesses to offer them the most comprehensive technology protection available today.
The truth of the matter is EVERY business is at risk if precautions are not taken. The real-world scenarios I mentioned in this article are heartbreaking to me because they did not have to happen. There are things you can do to protect your business. Your business is your passion and the last thing anyone wants to do is give up on their passion because some criminal decided to take advantage of you over the internet. I want my very small business peers to succeed.
Having a Proactive IT solution and a good cyber liability insurance policy is necessary for your business success and should not be taken lightly. Your business depends on them.
Small business are really susceptible to cyber security issues that most of the times, turn everything upside down. I’ve seen businesses that were left at square one. And simply because they security measures were not as tough as large businesses have. And this applies to me too as a blogger, I must toughen my measures.
I always worry about cyber security even at home. We try to stay safe online and use the programs that help with that. I can see why small businesses would be worried.
This is really scary…! Sad that small businesses are the target as it usually means a personal disaster… good read! Need to learn more IT for sure…
I guess the crooks think that small businesses dont have the money to be secure. It is a pity that people do things like this.
This can be worrisome for small businesses. I even worry about this with my blog or other stuff we use at home. It’s great that there are programs out there that help with that.
Ugh this just makes me so sad. I wish people didn’t have to be so awful!
This is amazing and should be shared all over. Cybersecurity is a massive risk to small business and something we suffer from on a daily basis. Thanks a lot for the info.
That would be great!
Cyber crime, fraud or whatever you call it is disgusting. Small or large ones must be careful. It makes me sick whenever there’s a victim.
In this online world, there are lots of potential hackers and scammers so we really have to be careful.
I have a friend that this recently happened to. You can never be to careful of your work!
I really agree to this article. My dad have a small business and we can no longer count how many times cyber crimes almost put the business in jeopardy. This will be good for him.
Security issues can definitely ruin your business. It’s important to invest in cybersecurity
Wow I had no idea this was happening. It’s crazy to me that it even happens in general but I’m glad you are bringing awareness to it.
Cyber crime is so scary, as so little of it is actually policeable. It’s so important to invest in good cybersecurity for the sake of your small business, especially when it’s the main source of income and could have a huge impact on your life!
I think cybersecurity is an important part of everyone online, regardless of your site. Even our simple blogs and websites are subjected to daily malware and hacking. We have the simple SSL nowadays but we still see a lot of blogs unsecured though. You won’t know until your few thousand dollars per month goes up in smoke because you think hackers won’t touch you.
Unfortunately it is true that many small business simply don’t have the budget to protect their internal systems. It is very hard to finance and run a small business as it is, especially when your goal is to grow it.
Running a small internet based business myself, I am always in fear of cyber attacks. It is crazy to me how much destruction hackers can cause. I never really considered the fact that they are a primary target for hackers. Crazy.
Sad but true. It is a shame that there are so many challenges for the small businesses owner.
It seems like there’s a major cyber breach every week, and we don’t hear about those affecting small businesses, so this topic is extremely important and relevant!
Interesting. It seems that the threats never cease out there. As a business owner this matters to me.
We’ve had quite a few close calls with hackers and such. It is scary!
Such a helpful and important post. I’m considering to venture into a small business and having read this article I will be mindful of cyber threats.
I’m always nervous about cyber security while at home. so, I’ll try to stay safe online and use the programs that help with that; however, I can see why small businesses would be worried.
Oh.. That was so true.. If I were to own such small business, I also think I couldn’t manage to have a full time tech support. Businesses that in the process of growing yet won’t prioritize such necessity.
love this topic! every single one of them is such an important information. Thanks so much for sharing
Great article. This is a topic I know I need to learn more about and you really helped me understand some good ways. Thank you.
Google defines small business industries with a very huge number of employees. In my location, having this amount of employees is already a huge company. And having 20 or more is an average. Just saying.. 😅
Such an important topic and a great guide! We really know too little about!
This was an eye-opener indeed. I am going to share this with a my friends who have their own businesses. Thanks for sharing.
Thanks for the information, such a sad fact that these people target such small businesses cuz they known that they can’t afford such security maintenance.
Having a good cyber-liability insurance policy is necessary especially for small businesses! Great point!
Nice article and this must be share to others because for me, whether you are owning a small or big business if your are not carefully and well protected you are always at risk.
Whether it’s fear of the unknown, information gaps, inadequate fiscal or personnel resources, or a too-casual attitude, businesses small and large must acknowledge and understand the risks.
As Art House, the state’s Chief Cybersecurity Risk Officer says: “To think it’s not going to happen to you is dangerous thinking. You have to assume that what’s happening to everyone else, someday will happen to you.”