According to Verizon’s 2022 Data Breach Investigation Report, 61% of small and medium-sized businesses (SMBs) encountered a cyberattack in the previous year. Meanwhile, IBM’s Cost of Data Breach Report found that each attack costs SMBs an average of $3 million.
Cybercrime has become so prevalent that you can’t afford to not take action—especially if you own a small business.
The reality is smaller companies are particularly vulnerable to security breaches. Hackers know many owners believe they don’t have the time or money to invest in software programs or services that secure their operations. This makes small businesses easier to exploit.
Why Small Businesses Should Take Cybersecurity Seriously
The most straightforward reason is to cut down on expenses.
While there are varying statistics on how much cyberattacks cost small businesses, all show that they can really hurt your cash flow. IBM’s report places the damage at $3 million, while the National Small Business Association (NSBA) puts estimates closer to $8,700.
Actual costs will depend on the type of attack and the damages incurred, but whether the bill is four figures or seven figures, the bottom line isn’t cheap. Especially when it’s cash that could’ve been spent on recurring expenses or new business opportunities.
What Getting Hacked Can Cost Your Business
Another reason to take cybersecurity seriously is that these attacks can cause significant liability issues. If your business keeps customer data on file, hacks can cause your clients to lose trust in your organization. You could also lose proprietary information that gives you a competitive edge in the market. And it goes without saying that a hacker getting the login information for your bank or other financial accounts can lead to financial ruin.
So while larger companies like Home Depot, Target, and Staples may grab the headlines when they get attacked, it’s smaller businesses that need to be the most vigilant.
Why Small Businesses Are More Attractive to Cyber Criminals
As mentioned earlier, small businesses are often more vulnerable because their owners don’t invest in cybersecurity.
You can point to several reasons this may be the case. First, many business owners simply aren’t thinking about playing defense. They’re stressed enough as it is putting out fires in operations, finance, marketing, and other core departments. Because hackers are invisible, it can be easy to ignore the risks that they present.
Second, small business owners may believe they don’t have the money they need to implement effective cybersecurity measures. Large corporations often have entire departments dedicated to cybersecurity, and small businesses simply don’t have the resources to enact similar protocols for themselves. We’ll discuss more later on, but the good news is that you don’t need a bulky cybersecurity department to protect your business.
A third reason might be that some owners see cybersecurity as a subject akin to neuroscience: complicated, technical, and best left to academics with years of schooling. Nevertheless, the truth is that anyone can learn basic internet safety protocols, and if you budget properly, you can hire a contractor or service to take care of the advanced parts for you.
Ways Cybercriminals Attack Small Businesses
According to the Small Business Administration (SBA), some of the most frequent methods of attack include:
- Malware, viruses, spyware, and ransomware attacks. These weapons are often unknowingly installed when you download a compromised file. Once installed, they allow the attacker to damage, control, or spy on your computer. Ransomware takes this a step further, allowing hackers to demand a ransom and threaten consequences if you don’t pay.
- Phishing attacks. This occurs when hackers send a fake email, social media message, or link. Once you click on the link contained in these messages, the hacker is granted access to either your computer or your accounts (this can include bank accounts, website dashboards, and email and social media accounts).
Phishing messages are often designed to look like they’re coming from a service you already use. For example, if you’re a Bank of America customer, they may send an email from an address that looks similar to the official Bank of America domain.
How to Defend Your Business
Follow the SBA’s Best Practices
The SBA’s website features guidelines for preventing cyberattacks, and they’re a great starting point for beginners. Recommendations include:
- Train your employees to spot suspicious links and messages
- Secure your networks by encrypting information and using a firewall
- Install antivirus software and always keep your operating software up-to-date
- Enable multi-factor authentication for all accounts
- Back up sensitive information
- Monitor Cloud Service Provider (CSP) accounts
Hire A Cybersecurity Contractor or Third-Party Service
Even the SBA’s baseline recommendations can be confusing for those who aren’t tech-savvy. Unless you’ve worked at a cybersecurity company, you may not know what a CSP or firewall is.
When in doubt, hire an expert. As mentioned earlier, you don’t need an entire department of cybersecurity employees to protect your business. Many security providers offer tiered packages designed for startups and smaller companies, with payment plans designed for smaller budgets.
Practice Common Sense Rules
Digital safety 101 includes but is not limited to:
- Never share your passwords with anyone, especially not online
- Log out of all accounts after you’re done accessing them
- Never leave your laptop or devices unattended
- Never click on suspicious links. Double check to make sure the email or private message in question is from your bank or service’s official account before clicking
- Avoid discussing how much money you make on public forums or social media sites (don’t make yourself an attractive target!)
Routinely Audit Your Security Measures
Regularly review your cybersecurity protocols, just like you would audit a restaurant’s sanitation or accounting processes. Identify any potential cybersecurity threats where a bad actor might gain an edge.
For example, if multiple employees have access to your bank account for cash flow purposes, ask yourself if there are any vulnerabilities with how operations are currently run. Could an employee accidentally forget to log out? Do you have safeguards in place to reduce the chances of this occurring?
This exercise can help you spot cybersecurity pitfalls before they occur.
Use Third-Party Website and Payment Processing Providers
If you don’t have the resources to hire a cybersecurity expert, consider using trusted third-party providers. If you run an e-commerce store, this could be switching over to an industry giant like Shopify. If you accept payments online, that might mean using a service like Stripe.
Many third-party business services take care of most of the cybersecurity protocols for you, which can make life easier. These services often have massive departments dedicated to security, and their business models rely on your ability to operate safely.
Just like the methods above, this strategy doesn’t guarantee you won’t get hacked. But it can be as reliable as hiring experts, especially if your business model is straightforward and can be run through one of these services.
Monitor Your Business Credit
This isn’t a strictly preventative measure, but also be sure to regularly check your business credit. If your financial accounts have been hacked, abnormal changes in your business credit can alert you that something is off. This can help you freeze your business credit cards and business bank accounts before things spiral out of control.
One easy way to get real-time alerts on your business credit scores is to create a free Nav account. Our platform gives you notifications on any abnormal changes. While you’re here, you can also use Nav to boost your business credit and instantly compare the best small business loans available to you now. Everything is based on your business data, so you only see the options you’re most likely to qualify for.
Internet-based Phones Under Attack
This is a scam you’ll definitely want to watch out for. Internet-based phone hacking is a new spin on an old trick, and the web makes it even easier and more profitable for thieves. It’s a swindle that mainly affects small businesses, costing victims $4.73 billion globally last year.
Here’s how it works. Hackers sign up to lease premium-rate phone numbers from one of dozens of web-based services, which charge dialers over $1 a minute and give the lessee a cut. The payout to the lessees can be as high as 24 cents for every minute spent on the phone.
Hackers then break into a business’s phone system and use it to make calls to their premium number, typically over a weekend when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes worth of phone calls every minute to the pay line. The hacker gets a cut of the charges, typically delivered through a Western Union, MoneyGram or wire transfer.
To avoid the same fate, telecom experts recommend turning off call forwarding and setting up strong passwords for your voice mail and international call systems. Remember to always treat your phones as internet-connected machines.
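For a business whose phone system can export call records, the weekend burst described above is easy to spot. The following is an added example, not part of the original article: the record layout, the watched prefixes, the office hours and the sample calls are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumptions for this example: which dialed prefixes to watch (NANP 900
# premium-rate and the 011 international access code) and the office hours.
WATCH_PREFIXES = ("1900", "011")
OPEN_HOUR, CLOSE_HOUR = 8, 18

def is_off_hours(ts):
    """Weekends (Saturday=5, Sunday=6) or weekdays outside office hours."""
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)

def peak_concurrency(calls):
    """Largest number of calls in progress at once, given (start, seconds)."""
    events = []
    for start, seconds in calls:
        events.append((start, 1))
        events.append((start + timedelta(seconds=seconds), -1))
    events.sort()  # at the same instant, hang-ups (-1) sort before new calls
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def toll_fraud_report(cdrs, max_concurrent=3):
    """Summarise off-hours calls to watched prefixes; alert on bursts."""
    hits = []
    for started, extension, dialed, seconds in cdrs:
        ts = datetime.fromisoformat(started)
        if dialed.startswith(WATCH_PREFIXES) and is_off_hours(ts):
            hits.append((ts, extension, seconds))
    peak = peak_concurrency([(ts, s) for ts, _, s in hits])
    return {
        "calls": len(hits),
        "minutes": sum(s for _, _, s in hits) / 60,
        "peak_concurrent": peak,
        "extensions": sorted({ext for _, ext, _ in hits}),
        "alert": peak > max_concurrent,
    }

# Constructed call records: (start time, extension, dialed number, seconds).
SAMPLE_CDRS = [
    ("2022-08-05T10:15:00", "101", "15551230100", 300),     # Friday, local
    ("2022-08-05T11:00:00", "102", "01144205550100", 600),  # Friday, intl, office hours
    ("2022-08-06T14:00:00", "101", "15551230199", 120),     # Saturday, local
] + [(f"2022-08-06T02:00:0{i}", "200", "19005550101", 1800) for i in range(5)]

if __name__ == "__main__":
    print(toll_fraud_report(SAMPLE_CDRS))
```

The report names the extension that placed the calls, which is the one whose voice mail password and call forwarding settings to check first.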
This article was originally written on October 28, 2014 and updated on August 10, 2022.