Debunking Cybersecurity Myths: Part IV—No Target Too Small
Previously on Cybersecurity Mythbusters, we debunked the myth that a 9-to-5 company can get away with 9-to-5 security.
In this episode, we’re moving from time to scale to tackle the myth that small businesses have nothing to fear because only large enterprises get hit with data breaches.
Myth #4—Cyber Risk Is a “Big Business” Problem
It’s easy to see how this myth developed. After all, when a data breach makes the news it’s because it’s victimized a large organization like Target or Equifax or Yahoo. You’ll never wake up to a news alert on your phone that reads BREAKING NEWS: CORNER DELI HIT WITH RANSOMWARE!
Of course, that’s merely the result of selection bias. You hear a lot about the biggest attacks because they make the biggest splash. But in reality, businesses of all sizes are constantly threatened and, yes, breached. There’s no inherent safety in smallness.
In fact, the Ponemon Institute reports that 61% of small businesses experienced a cyberattack last year—and that number is growing.
How Small is Small, Anyway?
First off, it’s important to remember that what we call a “small” business can have significant value to an attacker. Crooks rob banks, but they rob convenience stores as well. A full cash register isn’t a safety deposit vault, but it’s plenty full of loot.
So, how valuable is your business to a cybercriminal? Well, it depends. And the value of different sorts of data can fluctuate rapidly. But an easy rule of thumb is this: credit card data goes for tens of dollars; health data for hundreds; bank accounts for thousands. That makes an organization with a few hundred customers a lucrative target.
Given these valuable targets, it’s no surprise that attackers target small businesses, especially when you consider . . .
The Incredible Cheapness of Hacking
Hacking is cheap, and modern hacking typically scales. There may be some fixed costs to setting up a phishing campaign, or a ransomware attack, or what have you. But the marginal cost of adding a new business approaches zero—just send to a larger email directory. And those additional businesses—maybe including your business—are potentially vulnerable. That’s because . . .
The Digital Revolution Is a Two-Edged Sword
All businesses are increasingly exposed to cyberthreats. Small businesses have now digitized key functions, following the path of their larger brethren. With the growth of SaaS and the ongoing consolidation of enterprise software industries, there’s little difference between the digital footprint of large businesses and small ones. A hacker targeting a large enterprise might develop an exploit that hits a Salesforce instance, or a phishing page that works on Office 365, or maybe malware that attacks Slack instances. If small businesses use these same applications or platforms, there’s no get-out-of-breach-free card available to let them off the hook.
So, between the escalating value of data and abundance of cyber resources, the increasing use of automated attacks, and the growing vulnerability of all businesses to the same types of attacks, small businesses are no safer than large ones. But there is one key difference between cybersecurity at the largest organizations and smaller ones and, unfortunately, it’s all in big business’s favor.
Too Big to Fail Versus . . . Not
Big breaches do big damage to big businesses, but at the end of the day those businesses survive. Sure, Target’s market share suffered and Equifax’s stock price fell, but the businesses didn’t go away. Large enterprises like these have the financial resources to weather a serious attack.
Not so for small businesses. 60% of small businesses go out of business within six months of a cyberattack. They don’t have the deep pockets to ride out the bad news and a few bad quarters and pay the expenses associated with a breach, and they face hungry, similarly positioned competitors.
How Can Small Businesses Defend Themselves?
Small businesses are at a disadvantage when it comes to cyber protection. They don’t have the resources to field large teams of security experts for defense. However, that doesn’t leave small businesses without hope.
A growing number of small businesses are turning to solutions like a security operations center (SOC)-as-a-service, which provides the people, process, and technologies that large enterprises employ to keep themselves safe, delivered at scale to small-business clients. If you’d like to learn more about this security solution, read the Definitive Guide to SOC-as-a-Service!
Source: Ponemon, 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB)