3 Reasons Why Hackers Target Small Businesses

We hear about cyber attacks on large enterprises almost every day.

This year alone, Facebook, LinkedIn, T-Mobile, Kroger, and Volkswagen have all experienced major data breaches that are still sending ripples down the supply chain to this day. But these and other large-scale cybersecurity incidents can cloud our perception of reality by dominating the headlines and our attention spans.

Even though it may seem that large enterprises are on the receiving end of the vast majority of cyber attacks, cybercrime statistics tell a different story. According to Verizon’s 2020 Data Breach Investigations Report;

43 percent of cyber attacks target small businesses, especially those in the legal, insurance, retail, financial, and healthcare sectors.

This sobering statistic is only confirmed by the findings of a recent IBM Security study, which show that 40 percent of small business owners have been targeted by cybercriminals since the outbreak of the pandemic. But why? Are there any specific reasons that make small and medium-sized businesses (SMBs) attractive targets? Yes, there are.

3 Reasons Why Small Businesses Are Targets for Hackers

1. Small Businesses Don’t Take Cybersecurity Seriously

Small business owners often don’t understand the true nature and scale of cybercrime. They see cybercriminals as lone wolves that pick and choose their targets to score the biggest hit and earn the most reputation among their peers. While such cybercriminals still do exist, they don’t have much more in common with the average phisher or ransomware sender than white-collar insurance criminals have with petty street thieves.

Most cybercriminals these days don’t have advanced hacking skills or the ability to write exploits for newly discovered vulnerabilities. Instead, they rely on readily available hacking tools that are sold on the dark web just like regular software is sold on the internet. They then use these tools to go after soft targets because enterprises with hardened defenses can’t typically be compromised by them.

It’s not that SMBs couldn’t harden their defenses as well, but most don’t see the need. Keeper Security’s 2019 SMB Cyberthreat Study found that 66 percent of decision-makers did not think their organizations were at risk of being targeted by cybercriminals. More recently, the CNBC | Momentive Q3 Small Business Survey revealed that 56 percent of small business owners were not concerned about becoming the victim of a hack in the following 12 months.

When there’s no concern, there’s no incentive to invest time and financial resources, both of which are in short supply for SMBs, to improve cybersecurity. Unfortunately, many small business owners realize that they’re operating under false assumptions only when it’s already too late to do anything about it.

2. Small Businesses Serve as Tunnels to Larger Targets

Here’s a movie scene everyone has seen before: bank robbers steal the keys to a small store near a bank, and they visit it every night to dig a tunnel that lets them enter the bank’s vault undetected and leave with a huge pile of cash. Something similar is happening every day in the digital world, with cybercriminals infiltrating small businesses and using them as gateways to larger organizations.

One of the best-known examples of this practice is the 2013 Target data breach, which exposed 40 million customer debit and credit card accounts of shoppers who had visited its stores during the 2013 holiday season. The breach happened because cybercriminals managed to steal credentials from Fazio Mechanical Services, a Sharpsburg, Penn.-based provider of HVAC services. The credentials allowed the attackers to push their malware to Target’s point-of-sale devices without being detected, and the rest is history.

Of course, Target is as much to blame here for allowing a third-party to have so much access to its infrastructure as Fazio Mechanical Services is for not protecting the credentials better, but that doesn’t change anything about the fact that small businesses are often targeted because cybercriminals want to dig tunnels through them to reach their true targets.

3. Small Businesses Can Be Easily Manipulated and Coerced

When an enterprise becomes infected with ransomware and hit with a ransom note demanding a large sum of money to recover encrypted files, the situation can go one of two ways: the enterprise pays the ransom, hoping to recover from the attack as quickly as possible, or the enterprise decides to decline payment and bet on its ability to recover from backups.

Small businesses frequently don’t have the same choice. To start with, they don’t always back up all important data and practice its recovery in events like this. As a result, they can’t really say no to attackers because the cost of data loss would be greater than the ransom payment. However, paying the ransom can be a challenge as well because small businesses don’t sit on piles of money, with lines of creditors happy to lend them more.

In addition to being easily coerced into paying a ransom, small businesses are also easy to trick into disclosing sensitive information that can make ransomware and other attacks possible because they don’t focus enough on cybersecurity awareness training, which directly addresses the leading cause of data breaches, human error.

What Can Small Businesses Do to Protect Themselves?

Small businesses can do a lot to protect themselves better, and they don’t even have to give up sizeable chunks of their budgets just to improve their ability to keep cyber attacks in check. Following cybersecurity best practices is often all it takes to mitigate risk:

• Enable multi-factor authentication: Requiring all users to provide two or more verification factors during login attempts is one of the most effective ways how to prevent attackers from gaining access to protected resources.
• Conduct cybersecurity awareness training: When trained to recognize and defend themselves against common cybersecurity threats, employees can act as the first line of defense against imminent cyber threats.
• Back up files to multiple locations on a regular basis: Even a relatively small instance of data loss can cause an organization a lot of money, so having in place an effective data backup and recovery system is essential.
• Keep all software updated: Unpatched software (or the easily exploitable vulnerabilities it contains, to be more precise) is responsible for many data breaches. Despite often being time-consuming, patching is one of the most rewarding activities, and its positive impact on cybersecurity is significant.
• Use modern endpoint protection: These days, employees tend to work from different locations, and traditional perimeter defenses, such as firewalls, don’t cut it anymore. Fortunately, there is no shortage of modern endpoint protection solutions to choose from and implement.  
• Implement email protection: Phishers love email because it allows them to target a large number of potential victims without much effort. Various email protection solutions can help stop phishing emails before they reach employees’ inboxes.
• Encrypt data at rest and in transit: Wi-Fi snooping and physical device theft are just two reasons why it’s paramount to encrypt data both at rest (using encryption features like BitLocker) and in transit (by taking advantage of technologies like SSL).  
• Get a cybersecurity insurance policy: There’s no substitute for strong cybersecurity, but buying a cybersecurity insurance policy can provide the peace of mind that comes with knowing that a cybersecurity incident won’t lead to the organization’s end.
• Increase security around remote working: The emerging hybrid work model comes with its own set of cybersecurity challenges, such as employees using their personal devices for work and connecting to corporate networks from public locations, and addressing these challenges in a timely manner can be the difference between a data breach and business as usual.
• Conduct vulnerability tests: The purpose of a vulnerability test is to reveal and classify security vulnerabilities so they can be addressed in the optimal manner, starting with the most severe ones and continuing with those that are less likely to lead to a breach.
• Work with a cybersecurity company: Small businesses understandably lack the experience and skills that would allow them to take advantage of the latest cybersecurity solutions. By partnering with a reputable cybersecurity company, such as us at OSIbeyond, any SMB implement the above-described best practices without losing focus on its mission.

As long as they’re implemented correctly and constantly updated to reflect the evolving cybersecurity landscape, these and other best practices can greatly reduce the risk of a hacking attempt and cyber attacks on a small business resulting in an infection or data breach.

Summary – Small Business Protection Against Hackers

Contrary to what many decision-makers still believe, cybercriminals don’t overlook small and medium-sized organizations when picking the next target. In fact, they see SMBs as low-hanging fruit that’s ripe for the picking and don’t waste any opportunity to grab it—even if only as part of a larger attack on a major enterprise.

To protect themselves, SMBs must follow cybersecurity best practices, which are constantly evolving, reflecting the threats organizations face. Let’s schedule a call to discuss your plans!