Originally published in The Atlantic
Judging by what we see on the news, hackers are all malcontented masterminds who go after only the biggest targets—governments, security agencies, banks, credit-card companies, and other corporate monoliths. If that was ever the case, the script has flipped. These days, hackers are clearly focused on smaller targets.
According to a CNN poll, almost half of all American adults have been hacked, having fallen prey to email-phishing scams, social-media hijackings, ransomware, or malware infestations of personal websites. For individuals, such hacks are embarrassing and sometimes expensive. For small businesses, they can be devastating.
They’re also becoming increasingly common. The latest report from Symantec’s Global Intelligence Network discovered a major surge in hack attacks on small businesses at the end of 2015. Law enforcement sources and other cybersecurity experts confirm that small businesses are now the victims of at least half of all cybersecurity breaches.
And yet, according to a survey by AT&T, only 53 percent of companies with fewer than 50 employees place a high priority on cybersecurity, compared to two-thirds of larger ones—and only 30 percent of smaller companies have an employee-training program in place to guard against and recover from breaches. “There are two kinds of small businesses,” says Jack Bienko, director for entrepreneurship education at the Small Business Administration, “one that’s been breached and one that doesn’t know it’s been breached.” Since America’s small businesses provide the lion’s share of all new jobs in the country, their cybersecurity is an issue not just for them but also for the national economy.
One reason for neglect is that many businesses don’t even realize they’ve been compromised—because the stolen information is being used for a larger scheme involving multiple targets, or sometimes simply because it’s being saved for a subsequent attack. But virtually every small business, from food trucks to dentist offices to retail startups, depends on an ever-growing number of internet services to do what it does, and as those services multiply, so do the dangers of doing nothing.
A recent survey by SurePayroll, a small business service, found that companies with fewer than ten employees use low-cost online tools for everything from marketing, organization, and data and information storage to tracking sales and engaging with customers. Employees and proprietors are also accessing an increasing amount of their companies’ data from mobile devices.
“Technology has allowed individual entrepreneurs to start their own businesses more quickly and to grow at hyper-speed,” says Bienko, “but we’ve eventually realized that the potential trade-off is managing the risk of using a lot of technology.”
While massive attacks at large corporations have prompted major investments in cybersecurity, small businesses—even some that have had security breaches—have done very little, preferring to fund more obvious priorities, such as marketing, sales, and product development. Yet at a time when hackers have turned their focus to small businesses, especially those most reliant on remote access to office networks, failing to invest in cybersecurity defies good business sense.
“For a long time, the idea was that you only have so many resources, and you need to make the decisions that most impact your bottom line,” says Rieva Lesonsky, a small business consultant and the CEO of GrowBiz Media and SmallBizDaily.com. “With our increasing dependence on technology, we have to start rethinking that.”
The fact that technology can include software, services, and apps from a variety of vendors makes getting ahead of cybercriminals especially daunting for small businesses trying to do everything on their own. But the average cost of recovering from a cyberattack is only going up. According to research by the National Small Business Association, a trade-advocacy group, the cost of recovery has jumped from $8,700 to more than $20,000 per attack since 2014. There is also the cost of compliance after a hack—laws and regulations that require companies to contact affected customers and in some cases to provide identity-theft protection. What small businesses fear most, in fact, is the impact on reputation and loss of customers following a breach.
The good news is that there is help, especially for the most common cyberattacks. The many garden-variety phishing scams, password hacks, credit-card frauds, and malware attacks can be defended against with widely available tools and low-level training. “These are the kinds of hacks that happen because people are not aware of simple security measures,” says Lesonsky.
The Small Business Administration offers webinars and other online resources, and a cybersecurity bill currently moving through Congress would, among other things, free up more money for the SBA to provide in-person training to small businesses around the country. The SBA’s top tips for bolstering cybersecurity range from the obvious—installing antivirus, anti-malware, and anti-spyware software, and setting and frequently updating strong passwords—to requiring multi-factor authentication and encrypting the office Wi-Fi. Securing mobile access to business information is especially critical.
The defense against cyberattacks for small businesses begins with taking responsibility for it. The first steps after that are to implement basic company-wide protocols and to set time aside every month to update security patches, refresh employees on standards, and check for system weaknesses. For more advanced measures, there is a growing market for security services and products aimed specifically at small businesses.
For small businesses ready to face the problem, Lesonsky prescribes a dead-simple series of steps: “Sit down and try and think of as many things as can happen, or spend the money to have a one-time consultation to find out where you’re vulnerable. Then take steps to fix those vulnerabilities.”
Above all, she says, “don’t make it easy for cyber criminals.”