Why Hackers Target Small and Midsize Businesses
by Kapua Iao
Recent research shows that hackers target small and midsize businesses (SMBs) as much as (if not more than) large institutions.
The risks involved are staggering, not only the SMB that was hacked, but also to any high-profile establishment it may be linked to.
Unfortunately, many SMBs still spend little time and effort on cybersecurity, making them easy marks for hackers.
Targeting small and midsize businesses
A “small” business typically has up to 100 employees and generally less than $50 million in annual revenue. A “midsize” business has between 100-999 employees and between $50 million to $1 billion in annual revenue.
Research from the Cyber Readiness Institute (CRI) shows that a business’s perception of cybersecurity importance depends on its size. In other words, if a business thinks it’s too small to be attacked, it will limit its IT budget/resources.
SMBs are generally less apprehensive about and less prepared for a cyberattack. An SMB is less likely to use layered security or up-to-date training, even when faced with increased remote working due to coronavirus stay-at-home orders and accompanying weaknesses.
SEE RELATED: Cybersecurity Challenges of Remote Working
A 2019 survey found that 76% of SMBs in the U.S. reported a cyberattack in 2019, compared to 55% in 2018.
According to the CRI, only 45% of SMB owners have increased their IT investment because of the current pandemic. Alarming, considering that Verizon’s 2020 Data Breach Investigations Report demonstrates that phishing is a huge problem for all organizations, no matter their size.
SEE RELATED: Growth of Coronavirus Themed Cyberattacks
SMBs: rich in data and connections, not cybersecurity
The lack of strong cybersecurity is not the only reason hackers target SMBs.
First, SMBs have desirable sensitive data just like larger businesses but, given the above, they are easier access.
This is particularly true for SMB healthcare practices safeguarding protected health information (PHI).
And second, SMBs are sometimes stepping stones to higher-profile targets.
For example, hospitals use business associates (BAs) for smaller tasks such as claims processing or data analysis.
If a BA is breached, the hospital is more than likely to face a breach itself which may result in a HIPAA violation.
Given all this, SMBs look more and more attractive to hackers every day.
Cybersecurity best practices
A recent Wall Street Journal article focused on the fact that attacks against SMBs are preventable.
According to Kiersten Todt, executive director of CRI: “Small businesses can make themselves resilient against common attacks, such as phishing, by focusing on employee education and awareness and creating a culture of cyber readiness within the organization.”
The best cyber resilience strategy (what the CRI call “good cyber hygiene practices”) for any business is layered. It should include:
- Up-to-date and continuous training
- Up-to-date and consistent protection policies
- Prevention and recovery strategies
- Inbound/outbound email protection (e.g., HIPAA compliant email)
- A focus on secure password strategies
- Patched and updated systems
- Strong encryption technology
- And, especially during the pandemic, increased security around remote working and cloud technologies.
Cybersecurity that includes strong, active controls and no extra steps, such as Paubox Email Suite Plus, provides a simple solution for any size business.
By focusing on the protection of its most critical aspect (e.g., PHI in the healthcare industry), an SMB can use Paubox Email Suite Plus to build the necessary layers to defend themselves, now and in the future.