Cybersecurity and Small Businesses

A day in the life of a cybersecurity professional…

We were a bit surprised recently when someone asked why small businesses need to care about cybersecurity.  Our answer:

Because the cost of a breach will cripple a company – A recent study showed that 60% of small to mid-size companies are out of business within six months of a cybersecurity incident or data breach.  This is due, in part, to lost revenue, reduced brand value, and the cost of notifications and remediation efforts.  If a company isn’t paying proper attention to cybersecurity, its insurance coverage won’t help it, either.

Both data privacy and cybersecurity are bet-the-company issues.  If you aren’t familiar with the differences between data privacy and cybersecurity, we previously posted a short discussion of the differences between cybersecurity and data privacy.  Although we think it is important to raise awareness about both topics, this particular post will focus on cybersecurity.

Why Should a Small Business Care?

As we are out speaking at different sessions, we often hear companies say “we aren’t a target because…” and the next phrase is almost always either “we have nothing of value” or “we’re too small”.  But that isn’t true.  Criminal hackers target small businesses for several reasons, including:

  • They are easy targets – Most small businesses simply aren’t devoting appropriate resources to even basic cyber hygiene (e.g., ensuring they are meeting even the first five of the CIS Critical Security Controls).  This means that most small businesses are doing the equivalent of leaving a big pile of freshly-delivered Amazon boxes sitting outside their door on a Friday night with the building’s lights off.  By following a few basic steps (the equivalent of not having packages delivered after hours, leaving lights on, and putting up cameras), companies can significantly cut their risk.  Failure to do so leaves them as easy targets.
  • They aren’t the ultimate prize – Of course, the fact that they are easy targets doesn’t address the “we have nothing of value” issue.  For example, a small business-to-business company probably doesn’t have a lot of credit card, bank account, or personal information about its customers.  So these companies assume they don’t have to worry about cybersecurity as much as the bigger companies.  However, cyber criminals are targeting companies not only for what they can steal from the company, but also because of the relationships that company has with others.  For example, the Target breach from 2014 occurred through an HVAC vendor.  The criminals were able to use information gained from the HVAC vendor’s network to ultimately gain access to the Target network.  Thus, although the small business may not have a lot of inherently “valuable” information on its own, it can lead to much more valuable prizes for the criminals.
  • Their insurance company cares – Insurance companies are becoming more adept at asking cybersecurity-related questions, and at finding ways to avoid paying claims.  This means that companies that aren’t paying attention to cybersecurity are less likely to get insurance, and that those who do get insurance are more likely to pay higher rates and less likely to have the right coverage when a breach occurs.
  • Their customers care – If the small company is a business-to-business company, its smaller customers may not yet be asking about cybersecurity, but bigger companies are asking increasingly sophisticated cybersecurity questions.  They understand that their vendors are often the weak link in their security, and vendor risk management is a hot-button issue.  If a small company wants to start doing business with big companies, or to continue to do business with big companies, it will need to start paying more attention to cybersecurity.  Its competitors will. And on the business-to-consumer side, consumers quickly abandon smaller companies that have data breaches.
  • Criminals need resources – Although many criminals are searching for valuable data such as credit card information, others are looking for resources.  For example, a growing trend is for crypto mining malware to be installed on hacked computers.  Crypto mining is a core part of blockchain-based tools like Bitcoin and Ethereum.  Crypto “miners” perform work for the blockchain tool, and in exchange they are paid a fee when certain conditions are met.  Crypto mining is a big business, generating millions of dollars in revenue each year.  But crypto mining needs computers to work, and running and maintaining those computers can be expensive.  So innovative criminals have taken to hacking into systems and installing mining software without the company’s consent, or even its knowledge.  The company pays the increased electricity, Internet service, cooling, and other costs, and the criminal keeps all the money.  Krebs on Security has a somewhat older, but still valid, article about other ways criminals use hacked PCs, including use as a server for command and control of malware and for distributing child pornography.  Why would a small business want to make it easy for criminals to set up shop in its office?

As you can see, small businesses must care about cybersecurity if they are to survive.  There is never a better time to start than now.