Within the realm of cyber security there is a particular nagging worry: the risk of breaches to small businesses. Though they may not protect the same amount of sensitive data as large businesses, small- and medium-sized businesses (SMBs) are still at risk, particularly since they often do not have the same financial resources as bigger companies to protect themselves. Either they can’t afford expensive security software, do not have the deeper pockets for premium IT infrastructure protection, or don’t have the wherewithal to maintain consistent protective measures. For these reasons and more, smaller businesses are popular targets for hackers. The Sonys and the Targets of the world — while having to deal with the massive public ramifications of their cyber breaches — at least have the resources to invest in heavy duty cyber security. SMBs have their own set of specific challenges, and as the holiday season approaches, concern for digital hacks is heightened.
Over the years, various reports have emphasized the need for SMBs to pay particular attention to cyber protection. A 2012 Verizon data breach report said that 77% of global cyber crime targets SMBs. And that was three years ago. The number of hacks only grows each year. A Nationwide Property & Casualty survey released this week revealed that almost eight out of 10 small businesses do not have cyber-attack response plans, and 63% of them have been victims of cyber attacks.
In October, Maria C. Horton, president and CEO of EmeSec Incorporated and former chief information officer for the National Naval Medical Center, wrote in a blog post that small defense contractors pose serious cyber security risks to the government. Small businesses doing work for the U.S. Defense Department often have limited resources to “invest in technical and practiced security measures.” She cited a U.S. Government Accountability Office report that assessed the cyber security practices of small businesses, concluding that “risks posed by small-business contractors increase chances of breaches for U.S. Defense Department agencies.”
In an interview with Blouin News, David Kidd, vice president of Risk, Governance and Compliance for Peak 10, an IT infrastructure company, said that small businesses are tempting criminal targets because they are often believed to lack resources to “detect, deter, and defend” against cyber attacks. He noted that even if SMBs have security programs in place, there is the expectation that their “security posture is inferior to a larger organization.”
A report from security group Kaspersky Lab shows that on average, recovering from a security breach costs small businesses $38,000. That doesn’t sound like much — especially considering the millions that high-profile big biz spends on recovering — but it can be impactful to a smaller enterprise.
And the reputational risks can also be severe for SMBs; in fact, they can potentially be worse than for larger businesses, especially in terms of ability to bounce back. Examiner.com quotes John Farley, vice president of cyber risk at Hub International: “The biggest threat to any business following a cyber attack is its credibility. For Target or Home Depot who suffered major cyber attacks, the rebound in customer credibility was short, but for the local flower shop or hardware store, getting customers to come back following a hacker stealing their neighbor’s data could be a long journey.”
So what can small businesses do to protect themselves? In terms of the heightened risks around the holidays, Kidd advises SMBs to: “Work with trusted partners for their credit card processing, point-of-sale systems, and e-commerce solutions. Ask questions of your service providers to gain confidence in their security practices.”
He emphasized that any business should have a security program in place, even if it is basic. But that program should “include security agreements with partners (banks, credit card processors, IT service providers), plans to support and cooperate with investigations into a breach, and cyber-liability insurance coverage.”
In the past, the Federal Communications Commission has issued documents with tips for SMBs including training employees in security principles, having the latest security software, providing firewalls for internet connections, creating mobile device action plans, backing up data, and maintaining diligent password practices.
While some of these tasks might be a hard ask for a company depending on its size and resources, they are increasingly vital as cyber attacks grow in sophistication. SMBs might think they can fly under the radar because of their size, but the reality is, in fact, the opposite.