If you work for a small or midsize business (SMB), you may think that your organization isn’t significant enough to attract the attention of hackers and cyber criminals. But you would be wrong. Recent statistics on cyber attacks on small businesses should be more than enough to keep you up at night. Consider this:
- Attacks on small businesses are steadily increasing. In 2021, 46% of all cyber breaches impacted businesses with fewer than 1,000 employees.
- Whether or not they resulted in an actual breach, 61% of SMBs were the target of a cyberattack in 2021. This means that over half of all SMBs experienced an attack.
- In 2021, 82% of ransomware attacks were directed at companies with fewer than 1,000 employees, and 37% of companies targeted by ransomware attacks had fewer than 100 employees.
Why Are Small Businesses at Risk?
Many small businesses simply think that their information and assets are not worth an attacker’s time and effort—so they don’t pay much attention to deploying comprehensive cybersecurity defenses. But a cyber attack on a small business has become an increasingly likely occurrence. That’s because cyber criminals know that SMBs generally have fewer, or in some cases no, security protections in place. While spending on cybersecurity in small businesses tends to increase as the company grows, in 2021, 47% of small businesses with fewer than 50 employees had no cybersecurity budget. And in 2022, 51% of small businesses had no cybersecurity measures in place at all.
From a cybercriminal’s point of view, attacking a small business is appealing because they reason that their risk of exposure and arrest is not as great as it would be if they targeted a large company. These attacks are more likely to fly under the radar, attracting less attention from law enforcement and the news media.
Don’t Cybercriminals Have Bigger Fish to Fry?
Businesses, whether small family companies or large multinational corporations, have the same types of valuable information and assets. They have bank account and credit card numbers, security credentials, sensitive and proprietary data, and personal information such as social security numbers, phone numbers, and addresses. Although small businesses typically hold smaller amounts of it, this information is of high value to cyber criminals. And, since small businesses tend to have fewer cyber defenses in place, attackers know there is a good prospect of expending less time and effort to secure a breach than it would take to attack a large company that will most likely have more comprehensive and more sophisticated defenses. A couple of successful cyber attacks on small businesses can be as lucrative as one attack on a larger company.
Which Small Businesses Are Most at Risk?
Every business, large and small, is at risk of a cyber attack. Even attacks on personal computers and mobile devices are on the increase. Any company that stores business-related or client information is especially at risk. Not only can the business suffer serious consequences in the event of a breach, but clients can suffer consequences as well. Most of us have received notice from a company we have dealings with that they have suffered a breach and our credentials or credit account information are at risk.
Healthcare and financial services companies are at high risk because of the sensitive information they store. Retail businesses, especially e-commerce sites, are attractive targets because they have account and credit card information. Technology startups have intellectual property that can be stolen or held for ransom. And essentially any small business in an early or growth phase is a target because they tend to spend less time and money on deploying cybersecurity defenses.
What Attacks Are Most Common?
A small business’s cyber attack surface typically has much in common with that of larger companies. But some types of attacks have become especially common against small businesses. Here are some frequently seen examples of cyber attacks on small businesses:
Malware
Malware is any kind of software, script, or code that is installed onto a victim’s computer without the owner’s knowledge or consent in order to cause harm to the computer, server, or network. Types of malware include viruses, Trojans, spyware, ransomware, botnets, and rootkits. Malware is the most common attack vector aimed at small businesses. Once installed, the malware can corrupt, encrypt, or steal information, or perform other malicious activities.
Ransomware
Ransomware is a particular type of malware that allows an attacker to exfiltrate, encrypt, or otherwise make a company’s data unavailable until a ransom is paid. Ransomware attacks are particularly scary because even after the ransom is paid, there is no guarantee that the attacker will release or return the data. Recently, a new form of attack called double extortion ransomware has become popular. The attacker encrypts the company’s data and then, after the demanded ransom has been paid, threatens to publish sensitive data online unless an additional ransom is paid. In 2021, 37% of ransomware attacks were on companies with fewer than 100 employees.
Phishing
As recently as five years ago, if you saw the word “phishing” you may well have thought it was the misspelling of the pleasant pastime of standing beside a quiet stream with rod and reel. Today, most business owners know that it refers to using email or text messages to trick the recipient into either disclosing personal or confidential information, or downloading malware by clicking on a link.
Phishing is a type of cyber attack that falls under the umbrella of social engineering. Social engineering is any technique in which the attacker uses a ruse to try to obtain information from the victim, or have them do something the attacker wants. These kinds of cyber attacks on small businesses are increasing in number and sophistication and are second only to malware in popularity. These attacks serve as a primary entry point for ransomware.
Man-in-the-Middle Attacks
In a Man-in-the-Middle (MitM) attack, the attacker intercepts the communication between two endpoints, such as internet traffic or messages between a website and a user attempting to log in. The attacker can then impersonate one of the parties to either log in to the site or steal sensitive information. Over a third of exploitation activity involves MitM attacks.
Denial-of-Service Attacks
A denial-of-service (DoS) attack is the disruption of a company’s ability to perform its operations by flooding its servers or network with an overwhelming amount of traffic. If the attack is being carried out from multiple sources, it’s often called a distributed denial of service (DDoS) attack. Attackers initiate a DoS attack to prevent a company from doing business. They may do it for personal enjoyment, revenge, or to harm the company’s reputation. But typically, they do it to extort a payment from the company to stop the attack. As with the other types of attacks noted here, DoS attacks on small businesses are on the rise.
The Cost of a Cyber Attack
A cyber attack on a small business can be devastating. Usually there is financial loss, sometimes severe. The business may be able to recover from the loss, or the effects can be so damaging that the business finds it can no longer survive. But money is not the only impact of a breach. There can be additional long-term effects as well. The business could suffer a reputational loss or an erosion of competitive advantage leading to a loss of clients after an attack is made public. A breach can also affect the business’s credit rating or insurance premiums.
Estimating the Average Cost of Cyber Attacks on Small Businesses
The cost of a cyber attack on a small business depends on the nature of the business, the data and information at risk, and the type of attack. Estimates of monetary cost for 2023 varied from an average of $8,000 to an average of $25,000 per attack. The average cost was actually down slightly from 2022, but the number of attacks had increased.
How to Prevent a Cyber Attack on Small Business
Savvy IT people know that there is no such thing as a perfect cybersecurity defense. No matter what defenses you put in place, there will always be a crafty team of cyber criminals that will find a way around them. The company’s best way to defend against an attack is to deploy the best cybersecurity tools, techniques, and resources available within its budget limits. Paying attention to these three general areas will get you started on a comprehensive cybersecurity plan for your business.
Step 1: Train Employees
Comprehensive cybersecurity starts with your employees. They’re both your greatest asset in avoiding attacks, and your prime vector for cybercriminals. Training your employees on what cyber threats are out there and how to avoid them is critical for keeping the bad guys out of your systems.
In 2023, 47% of cyber breaches were caused by human error. Employees may unwittingly click on a phishing email, or inadvertently disclose company information. Or they may be negligent in using mobile or home devices in a secure manner. Employees need to be trained on all company cybersecurity practices and procedures, and know that there are stiff penalties for infractions. Establish rules for the safe handling of customer data and ensure that they understand compliance regulations.
Step 2: Find the Right Cybersecurity Partner
You can’t do it all yourself. Determine all your cybersecurity requirements, then decide which of those requirements can be satisfactorily addressed in-house and which need to be addressed with outside products or services. A cybersecurity partner can provide services such as developing long-term security strategies, training employees, deploying disaster recovery programs, meeting regulatory compliance, and testing the effectiveness of security defenses in place.
Consider third-party partners with expertise in the areas of cybersecurity that are relevant to your business. Choose those that can perform targeted services, such as training, risk management assessment, and penetration testing, that align with your organization. Look for partners with deep experience in the areas you need and who use the latest tools and techniques. Check out their organizational and individual credentials and try to get trustworthy testimonials.
Step 3: Embrace a Culture of Security
Security cannot be an afterthought. The company must be willing to devote the time and resources necessary to deploy comprehensive security tools and procedures. Security needs to be a top priority from the CEO down to the janitor who empties the waste baskets. Executives need to prioritize security and set expectations with their subordinates to do the same. Security plans and policies need to be well thought out and documented, and everyone needs to know that they are responsible for adhering to them. This requires effective and frequent communication from the management team. As a manager, if your employees know that you are serious about security, they will be more apt to follow suit.
A big part of establishing a security-minded culture is to have comprehensive incident response plans. Everyone should be aware of the part they need to play should a cybersecurity event happen. Knowing who is responsible for doing what and when can greatly reduce the harmful effects of the event. Scenario simulations and dry runs can point out gaps in your plans and help reinforce incident mitigation and recovery procedures.
Take Your Security to the Next Level with SentinelOne
Cybercriminals have started attacking small and midsize businesses with increasing frequency. They see these companies as easier targets than large companies because they tend to have fewer cyber defenses deployed. But SMBs have the same types of assets and information and face the same risks that large companies do. And the impacts of a breach can be devastating for a small business.
Protect Your Business Today
SMBs around the globe have turned to SentinelOne Singularity™ Control to proactively resolve modern threats at machine speed. Request a free 30-day trial to see how SentinelOne can help you protect your business against every kind of threat, including ransomware and malware.