Cybersecurity Fact Sheet: Why Small Business Isn’t Immune

This blog is part of the Board Oversight Series, an interactive collection of resources on Cyber Risk. 

Small and medium-sized companies often gloss over the topic of cybersecurity for a variety of reasons. Many companies don’t believe they have the budget to address cybersecurity. Others don’t believe they have anything worth taking. Still, others just don’t think it could happen to them.

In fact, over half of all cyberattacks are committed against small businesses, and that percentage is expected to rise in the years ahead. A few other figures:

  • 61% of cyber breaches target small businesses, up from 53% the year before (Verizon).
  • Cyber breaches typically cost small businesses between $84,000 and $148,000 (UPS Capital).
  • 60% of small companies go out of business within six months of an attack (UPS Capital).
  • 90% of small- and medium-size companies in the U.S. don’t use any data protection at all for company and customer information (McAfee).

Most Cyberattacks Are Economically Motivated

It’s important to remember that money is what motivates the majority of cybercrimes—and to a cybercriminal, small businesses represent low-hanging fruit.

Small businesses usually have weaker cyber defenses for hackers to penetrate. Any defenses that are present are typically less advanced, which means longer dwell times (i.e., the length of time a hacker is active inside the network before being detected). For these reasons, small businesses often represent “quick wins” and “easy money” to cybercriminals.

Most Common Attacks Against Small Businesses

The first step towards cyber preparedness is understanding the most common types of cyber threats used against small businesses.

Ransomware: Cybercriminals infect company systems with malicious software that encrypts all the data within the company’s network. The attackers then demand a large ransom in exchange for the decryption key. This type of attack usually starts with a phishing email.

Hack Attack: Hackers locate a vulnerable entry point into a company’s network that contains personally identifiable information. This is how hackers are able to obtain consumers’ credit card information.

Denial of Service: Cybercriminals flood a company’s servers with volumes of data, overloading them so that they fail to work and the company website is rendered useless. It sometimes helps to reboot the system, but flooding attacks aren’t as easy to recover from.

Human Error: Employees are usually the weakest link in any cybersecurity program. An overwhelming percentage of data breaches begin with an attack on an unsuspecting employee.

CEO Fraud: Criminals hack the email account of a CEO or other senior manager and send an email to one or more people with financial authority, asking them to make a payment or share sensitive information.

What Small Businesses Can Do to Protect Against Cyberattacks

Even though smaller companies generally lack the budgets to confront cyber threats on a large scale, there are various things they can do to mitigate their risk of a cyberattack.

  • Companies of all sizes generally use antivirus and malware protection on their main systems. It’s important for small companies to install antivirus and malware programs on all company devices, especially mobile devices. Board members and business owners should be sure that the company regularly performs software updates, as they often contain vital security upgrades.
  • As a matter of cybersecurity awareness training, all employees should be trained to spot and report phishing emails. They should also be made aware of the dangers of sharing sensitive board or company information via email. More on cyber awareness training programs in this post.
  • Another basic cybersecurity measure that small businesses can take is implementing “password best practices.” According to Stan Kuciej, Director of Diligent’s Security Operations: “Change default passwords immediately. Make a password into a passphrase. Include numbers, upper and lower case letters, and special characters—all of these will make it harder to guess.”
  • Small companies will find lots of helpful tips on how to boost cybersecurity measures from dedicated knowledge organizations like the National Cyber Security Alliance, which is a public-private partnership for advancing cybersecurity education.
  • Even at small companies, board members and business owners must examine their own communication practices to see where they might be putting the company at risk. As the people most likely to be in possession of sensitive company data, board members and company leaders are among the “highest-value targets” for hackers. Diligent Messenger is one feature within Diligent’s Governance Cloud offering that allows for truly secure messaging between management team and board of directors.
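The password guidance above can be turned into a check that a small company runs when accounts are created or credentials are rotated. The following is an added example written for this post, not code from Diligent or from the original article; the list of default passwords and the 16-character passphrase threshold are constructed assumptions, and a real deployment would use a maintained default-password list and its own length policy.

```python
import re

# Constructed sample of vendor/default passwords (assumption, not from the post).
# A real check would load a maintained list of known defaults.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default", "welcome"}

# Assumed minimum length that turns a "password" into a "passphrase".
MIN_PASSPHRASE_LENGTH = 16

# The four character classes the post recommends combining.
REQUIRED_CLASSES = {"lower", "upper", "digit", "special"}


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    if re.search(r"[a-z]", password):
        classes.add("lower")
    if re.search(r"[A-Z]", password):
        classes.add("upper")
    if re.search(r"[0-9]", password):
        classes.add("digit")
    if re.search(r"[^A-Za-z0-9]", password):
        classes.add("special")
    return classes


def check_password(password: str) -> list:
    """Return a list of policy violations; an empty list means the password passes.

    The three checks mirror the three points in the post: no default passwords,
    use a passphrase, and mix character classes.
    """
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("matches a known default password; change it immediately")
    if len(password) < MIN_PASSPHRASE_LENGTH:
        problems.append(
            f"shorter than {MIN_PASSPHRASE_LENGTH} characters; use a passphrase"
        )
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, from weakest to strongest.
    for candidate in ["admin", "Password1!", "Correct-Horse-Battery-Staple-42"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Running the block prints a verdict per candidate: the default password fails all three checks, the short mixed-class password fails only on length, and the long mixed-class passphrase passes. Because `check_password` returns the list of violations rather than a bare yes/no, the same function can feed a user-facing message or an audit log of which rules are most often missed.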

Not only are small businesses not immune to cybersecurity threats, they’re becoming the main targets. The recently passed General Data Protection Regulation (GDPR) in the European Union means that companies of all sizes could be fined up to €20 million or 4% of their annual turnover, whichever is greater, if cybercriminals compromise personally identifiable information. This is the first major piece of legislation aimed at data privacy. Small companies should be aware that other countries may take similar action in the near future. Small steps in cyber protection now are big steps in cybersecurity prevention later on.


Download Report: The Communication Practices of Today’s Corporate Boards

In this joint research project, the New York Stock Exchange and Diligent surveyed nearly 400 directors to understand how they communicate with other members of the board. Which practices are the most common? Which ones pose the greatest risk?