Why would a sophisticated cyberattacker want to target a small business like mine?
It’s one of the most frequent questions I hear in conversations with clients and one that is full of misunderstandings.
There is often a state of hyper-alertness following high-profile data breaches at big organisations that expose the information of millions of people.
The average cost of a cyberattack or data breach in Australia was around $3.35 million in 2020, and the costs have a long tail: by some estimates, in some cases almost half of them are incurred 12 months after the attack.
But at the same time, high-profile attacks prompt a feeling of relief among small and medium-sized businesses, which are grateful that they don't hold the volumes of personal information and cash of big firms, and so believe they will never be hit.
The problem with the opening question is the three assumptions behind it: that attackers can't be bothered with small outfits, that attackers are sophisticated, and that small and medium businesses hold nothing of value.
Myth 1: SMBs are not cyber targets
Information gathered by the Office of the Australian Information Commissioner shows that, in the six months to December 2021, 96% of notified data breaches affected 5,000 individuals or fewer, and 71% affected 100 people or fewer.
That’s right in the small business ballpark.
Pitcher Partners’ recent Business Radar 2022 report revealed that a quarter of mid-market businesses have experienced a cyberattack of some kind, everything from text message phishing to ransomware attacks.
However, the real number may be even higher, as many mid-market businesses may be reluctant to speak up out of fear or embarrassment.
Others may have been compromised and just don't know yet. I'm aware of one company that had no reason to suspect a data breach until the police showed up on their doorstep. Criminals had been lurking in their networks for 12 months, and data linked to the company had been found.
Cyberattacks and data breaches hit small and medium businesses more often than big businesses simply because smaller businesses are usually less well defended.
Myth 2: ‘Sophisticated’ cybercriminals
Small businesses don’t necessarily have millions of dollars in the bank, but they still have two things that attackers want – data and connections.
In the popular imagination, cyberattacks conjure pictures of teams of tech-savvy crooks writing code in a basement to crack open banks and cash-rich businesses.
Certainly, some cyber criminals are sophisticated outfits. But most share a trait with every other common crook: they are opportunists.
The reality is that they simply take advantage of a security gap, such as a known vulnerability in old, unpatched software.
Very little of it is sophisticated. Breaches often start with someone disclosing a password.
Myth 3: My company isn’t valuable enough
A cash ransom is not always the end game. Reconnaissance is equally important.
Information about systems and networks gained from smaller, more easily breached organisations is preparation for more lucrative operations against the larger businesses they deal with.
If your small operation supplies a big mining company or major manufacturer, who does it make more sense to target in the first instance?
Attackers gather details about systems, map client relationships and harvest confidential information about directors, partners and other stakeholders.
There is also sensitive data about customers and suppliers, such as identity documents, as recent breaches of high-profile companies have shown.
If you are the weak link that allowed an attacker to break in, will partners and customers still want to keep working with your business?
Simple steps to prepare, defend and act
Most attacks are preventable and business leaders need to focus on what they can control.
Identify the most critical data assets and take every reasonable measure to ensure they are protected, rather than being overwhelmed by trying to cover all bases to the same depth.
Ensure that the business will actually know when a breach has occurred. Without this, it may be months before an organisation is even aware of an attack, let alone how badly it has been compromised.
Finally, have an action plan prepared if a breach does occur.
The plan needs to be detailed because the response to different attacks will vary, and business leaders need to know their regulatory obligations and notification requirements.
Data breach threats have been around for quite some time, yet myths persist that serve to excuse business leaders from preparing.
Cyberattacks do not necessarily target the wealthiest businesses, but those most likely to underspend on their digital protection.