If I had a dollar for every time a small business concluded that cyber attacks wouldn't target them, I'd be a rich man! Even now in 2019, there is a strong headwind of thought that small businesses aren't targeted by cyber attackers because they aren't a 'juicy enough' target.
This is simply false.
Every year, telecommunications giant Verizon releases the Data Breach Investigations Report (DBIR). This report consolidates data from security incidents across multiple sectors and provides one of the best views of attacks we have.
In the 2019 DBIR, 43% of breaches involved small business victims. Let that sink in. Almost half of cyber attacks are against small businesses. That strongly supports what I see through my business: small businesses are getting hit by the same kinds of threats as larger organizations. We've even seen advanced 'nation state sponsored' attackers targeting small businesses. Why is this?
In a phrase: supply chain. Small businesses feed bigger businesses. Small businesses may not be the target, they may be a means to get to the target. I use the word 'target' here on purpose. Target (the US retailer) had a significant breach back in 2013, with some figures placing the cost at over USD 300m. Attackers breached Target indirectly, by compromising one of the small business suppliers to the retailer.
Small businesses are often easier to breach than larger organizations, for several reasons. As mentioned, there is an attitude that “I'm too small to attack” which informs investment decisions in IT – typically the lack of security measures beyond the most basic. Contrary to popular belief, good security doesn't necessarily need to cost a lot. There are very capable solutions that can be employed to help. For example, my organization uses an email filtering service that is paid for by including a small acknowledgement on my company web site. It not only keeps spam levels down, but also filters out a good number of malicious emails.
When things go awry, it's often a challenge in small business environments to rapidly collect the information needed to determine what's happened. When there is an incident, days worth of effort is often spent putting capabilities into place simply to collect the data that's needed to understand the incident. My company has a capability in place to collect forensic data from computers should it be needed—again the technical solution is free, requiring only a minimal service model to support it in the field.
If you're relying only on Anti-Virus and a Firewall as your security model, it's time to rethink. You're not being targeted by kids who learned to hack on YouTube 15 minutes ago. You now have to defend against professional hackers who have endlessly more resources that you do, and who do this all day every day. It needn't be daunting, the basics of cyber securtiy hygiene can get you a long way.
There's a lot to consider in planning your cyber defenses, but we can take some comfort in knowing that many of these challenges already have solutions. Speak to your IT or cyber security partners to find out what they can suggest.