Why the Small Business is Big Business for Hackers

It’s tough starting a small business, and even tougher to run one. When you’re caught up in the excitement of the start-up phase of a business, you’re often fuelled by hope and excitement, a kind of adrenaline that keeps you going through long days and steep climbs.

But once you’ve settled into your stride and got past the start-up phase, much of your day is spent spinning plates and fighting fires. Many of those fires are started maliciously by hackers, scammers, identity thieves and other miscreants who see small businesses as a big payday. All signs suggest that the small business is now the biggest target for cyber crooks.

Symantec’s Internet Security Threat Report found that small businesses suffered the most cyber attacks in 2012, accounting for nearly one-third of all incidents worldwide. In 2011, the Verizon data breach report found that more than 70 percent of all the data breaches it investigated happened at small businesses. As far back as 2010, a lifetime in cybercrime years, Visa said that more than 90 percent of all credit card breaches occurred at its smallest merchants.

Update 08/2015: Symantec’s 2015 Internet Security Threat Report found that 60% of all targeted attacks struck small to medium-sized organizations. So while it is a downward-sloping trend, small businesses still account for the majority of attacks.

Many entities seem to be getting the message. Security vendors have ramped up their efforts to reach and educate small businesses about the risks. Congress has called for greater protection for this engine of the economy.

On the other hand, experts have warned that though small businesses are being attacked daily, they often appear completely oblivious. Maybe that’s because they are. Small business owners still seem dangerously unaware that they are squarely in the crosshairs of cyber crooks, and that the likelihood of falling victim is very high. They do not realize that a single security breach or incident could signal the business’ end.

Death is not just speculation. In 2013, crooks managed to install a remote access Trojan on the computers of a nine-person escrow business in Southern California and stole more than $1.5 million from the company’s accounts. Because zero liability and Regulation E don’t cover small business accounts, the company felt the full effects of its losses. Unable to cover them, the company was shut down. This is one of a growing number of real examples that illustrate the devastating impact of sophisticated malware on unprotected small businesses.

Small businesses don’t have to be the focus to become the victim. A perfect example of this is the Target data breach. What will go down as perhaps the biggest and costliest data breach in history all started at the small HVAC business that had legitimate access to Target’s networks. Apparently, they did not have enough security savvy to use that access responsibly. Even if a business is not wiped out by malware, it can sometimes feel like it. In early February, a small law firm in North Carolina publicly admitted that it had fallen victim to the CryptoLocker malware and as a result lost all of its thousands of legal files.

The firm is likely to survive, but at what cost? And local media reports suggested that the law firm was not alone, with claims that at least 30 other local businesses also fell victim to the same malware around the same time. Not all cyber attacks on small businesses are so obvious or predictable.

A couple of years ago, I worked on a case where a small electronics business found itself hijacked, kidnapped and cloned by cyber crooks. It appeared the crooks had thoroughly researched the company and set up a perfect clone – same business name and website, similar domain name and email addresses, and even an 800 number that answered in the company’s name paired with voicemail boxes in the names of the company’s real executives. The phony business used the victim company’s business and bank information, as well as real references, to purchase tens of thousands of dollars’ worth of electronics from a variety of suppliers, none of which were ever paid. Those suppliers sued the victim company, unwilling to believe that crooks could pull off such an elaborate hoax.

These and thousands of other cases remind us that we need to do more, much more, to protect small businesses from such threats. This is especially important for financial institutions that may have small business clients because financial institutions have access to a wealth of security knowledge that costs them nothing to share.

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

Neal O’Farrell is one of the leading authorities on identity theft, and has spent 30 years fighting cybercrime and identity theft around the world....