Small business owners often believe they're simply too small to be at risk for cyber crime. Nothing could be further from the truth. Here's how at risk small businesses are from cyber threats, and what they can do to start protecting themselves and their business.
This story is the first in a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center.
Not long ago, a local education organization in Michigan was experiencing what seemed like a mundane problem: their internet speed was noticeably slower. Their internet provider said all seemed fine on that end. No one on their team of about a dozen IT staff seemed to have any ideas. That's when Grand Rapids cybersecurity experts OST
dropped by for their annual audit.
"We actually found that one of their IT department staff members had started an online gaming server and put it in their data center, and was selling subscriptions to the public," says OST Security Practice Manager Scott Montgomery. "This guy had been making a lot of money using the resources of the organization he was working for."
When the average Michigan small business owner thinks about cybersecurity threats, the big names and the high-profile hacks come to mind. Target. Home Depot. The U.S. Office of Personnel Management. It's easy to think those major hacks are the regular fare of cyber criminals, and small businesses are simply too low-profile to be targeted.
Nothing could be further from the truth.
While big-name companies might have more of the data criminals want, they tend to be well protected. Small businesses, on the other hand, are less likely to have proper safeguards in place.
"That's why they become the target," Montgomery says. What's more, "it's well known that a small organization is much less likely to have the resources to prosecute. Criminals know this."
Why spend a month trying to hack one large company with big legal resources when you could hack dozens of small, unprotected businesses in the same time period? Data support how much more common that scenario truly is. According to a 2015 Verizon survey
, more small businesses experience confirmed data losses than do large ones. And a 2013 National Small Business Association (NSBA) study
found 44 percent of small businesses have been the victim of a cyber attack—even though a full 71 percent said they were only somewhat or not at all concerned about a future attack.
"We tell our clients that every organization, no matter their size, has to be prepared to respond to some type of a cybersecurity threat," says Montgomery. "Statistically, it's going to happen."
Awareness Is Half the Battle
The good news for small businesses in Michigan and beyond is that since a lack of awareness is what puts them a such a high risk for a cyber attack, raising their awareness is a huge step in the right direction.
"Awareness is the big deal," Montgomery says. "Hiring a business to come in and assess their business's security is extremely important. The business owners don't know what threats they're dealing with."
While there's lots to learn about cybersecurity for small businesses, knowing that there's lots you don't know is always a better position to be in than total ignorance. If you own a small business, from a solo operation to a few hundred employees, if you do any business on a computer—and that's everyone, isn't it?—you should be aware of your vulnerability and actively involved in your own cybersecurity.
What You Could Lose
Knowing your small business is at risk of being attacked is one thing. Knowing what that attack could cost you is quite another.
"Don't assume what you have is not important," says Montgomery. "If it's not important, you probably wouldn't have spent the money on it."
Hackers are interested in proprietary information about your business, customer lists, credit card information, health care information and more. Losing any of it can be direct hit to your bottom line. The NSBA study found the average cost of a cyber-attack for small businesses was $8,699.48.
"For a smaller organization, it's much more likely to have a larger impact on their bottom line," Montgomery says. "A larger business can absorb that."
And don't forget the risk to your reputation that could affect future business. Even if nothing is stolen, but a hacker posts unsavory messages on your website or social media accounts, it can damage your brand in ways that are difficult to measure--and potentially even harder to fix.
Where Small Businesses Are Most Vulnerable
Locking out cyber criminals begins with knowing where you're most vulnerable. Virus activity is one of many major ongoing threats to small businesses. Ransomware, for example, can infect a computer in a small business and then restrict access to critical information being stored on the company's network. The hackers then force the business to pay a ransom or lose their valuable data forever.
That terrible situation begins when an employee opens a suspicious email and clicks on a link or downloads an attachment. Employees can accidentally put their employers at risk in numerous ways, usually on accident. In fact, according to a PwC study,
in 35 percent of security incidences at businesses, employees are the source of the event.
"We've uncovered employees who have plugged in their own wireless access point into their desk because they wanted to take their laptop from their desk and sit in a more comfortable location and do work," Montgomery says. "Therefore now, seven days a week, 24 hours a day, there's unsecured wifi giving hackers access to the network."
The only way to prevent employees from unknowingly exposing the business to risk is to properly train them how to be aware of and avoid cyber threats.
Untrained employees are just one weak spot for small businesses. The physical loss or theft of computers, unsecured public wifi and unsecured internet-connected devices like smart thermostats are some of the ways small businesses are often unknowingly vulnerable to cyber attacks.
As frightening as the threat cyber criminals pose to small businesses may be, there is some relief in knowing that knowing
about the risk is the first step toward lowering it. By taking the right steps to protect your small business from cyber attacks, you, your customers and your business's future will all be safer in the long run.
This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness.
Photography by Adam Bird