A new Ponemon study found that 50% of Small-Medium Business (SMB) respondents reported that they had data breaches involving customer/employee information within the last 12 months. Worse still, for 75% of SMBs that were breached, the exploits evaded their technical controls.
This is no surprise to us. SMB operators and their IT teams often grossly underestimate their exposure to cyber threats simply because they believe that being small makes them unlikely to be targeted by hackers. While it is true that an individual small business is less likely to be the specific target of a ring of cyber attackers, small businesses as a group are being targeted because:
- Small businesses typically have less protection in place to alert them to threats and prevent their networks from being breached;
- Small businesses are less likely to have sufficient backups and incident response procedures to restore data if hackers encrypt it, so they will pay the ransom to get their data back;
- Many small businesses provide services for bigger businesses, and through their lack of cybersecurity controls a hacker may be able to gain entry to a much larger target. This is what happened to a very well-known cyber breach target – Target! Its Point of Sale system was accessed via the SMB vendor’s system, which provided HVAC controls and was on the same network.
Dark Reading collected data from cybersecurity firms like Foresite and found that small businesses often have:
- Open ports
- Outdated applications/operating systems and devices that no longer receive security updates and patches
- Poor internal security controls
- Lack of password policy or lack of enforcement
- Missing technical controls, such as current antivirus, next-generation firewalls, endpoint protection, or monitoring
- No plan for Incident Response in the event of a cyber attack
If you haven’t proactively assessed your small business, the odds strongly suggest that you are among the majority with some or all of these risk factors, and you’re being targeted because of it.