One of the biggest risks a small business owner can take is underestimating the threat of cyberattack.
I know you probably don’t believe me, because your emerging company is not really a target compared to the brands listed above, right? Wrong.
Symantec’s 2016 Internet Security Threat Report notes that in 2011, small businesses were the target of 18% of cyberattacks. In 2014, that number was 34%. In 2015, small businesses were the target of 43% of attacks.
You are not too small to be a target. In fact, you’re a target because you’re small. SMEs exist in the same threat landscape as larger companies, but with fewer resources and less expertise. Attacks on small businesses are more costly in terms of the data stolen, and more destructive in terms of damaged reputation and lost trust.
Make no mistake, cybercrime is big business and targeting small and midsize businesses makes economic sense. Cyber-criminals want the biggest bang for their buck, which often means targeting the SME segment.
Still don’t believe me? Consider the five primary reasons your business is just the right size for a cyberattack:
1Your data is valuable
What of the following information is on your computer right now – intellectual property (like new business proposals, product pipelines and strategy planning), supplier information, employee details, customer details, accounts information? And are you in contact with bigger companies, like partners or suppliers or clients?
It is a myth that you and your company holds no information worth stealing. You have valuable data in your possession, and you’re connected to other people with valuable data in theirs.
2You are low risk and high return
Your small business is a high return target because of the reasons above. You’re a low risk target because it’s unlikely that you have the software or support required to detect and counter advanced malware that may lurk in your systems for months before many security tools will flag it.
Even if you did successfully defend yourself against an attack, what then? Cyber-criminals are difficult to identify, they can operate from literally anywhere and they are seldom successfully prosecuted.
3You’re an easy target
It’s unlikely that your company employs a specialist Head of IT, let alone a Chief Information Officer or Chief Information Security Officer. These are the dedicated professionals employed by enterprises specifically to ensure the safety of company data and networks.
It is rare that an SME can afford multi-layered security like that deployed by large companies, and it is common that security policies and procedures are lacking.
Cyber-attacks follow the path of least resistance and your business is probably on that path.
4Your guard is down
Unfortunately, there is not much local research on small businesses and cybercrime in South Africa but it is quite likely that we mirror the trends identified in international research. As I indicated earlier, the threat to small businesses is increasing but concern is not.
Owners of emerging businesses are falsely confident that cybercrime is not something they need to worry about. Consider some results of this survey conducted by KPMG in December 2015 – only 23% of small businesses surveyed in the UK cited cyber security as a top concern.
Half of the small businesses surveyed thought it was ‘unlikely or very unlikely’ that they’d be a target for an attack. Ironically, 60% of those small businesses had experienced a breach.
5Your (free) tools won’t save you
Free antivirus software and basic password controls are better than no security at all but today, commercial-grade software, a secured network and firewalls are minimum requirements.
This is not licence to scrap security measures – if you’re not scrimping on security and properly educating your staff, then you are likely defended against most known attacks.
Consider security measures like secure business email with content filtering, antivirus software that includes social media scanners and anti-phishing, and digital certificates to protect customer login and credit card details.
The reality is that the best defences deployed by most SMEs will not withstand a targeted, dynamic cyberattack. Assume your company is a target – because it really is – and get assistance to identify your most valuable data and how it could be vulnerable. Those are the first steps of defence against well-funded, highly mobilised cyber-criminals.