Cybercrime is growing as use of the internet and business networks expand. Today, more than ever, businesses of all sizes rely on their networks, data and internet connectivity to conduct business. According to a McKinsey Global Institute report the internet’s economic impact has been greatest among “individual consumers and small, upstart entrepreneurs”. The internet allows even the smallest firms to have a global impact. What began as an obscure network for researchers and scientist a few decades ago has grown into an $8 trillion a year e-commerce enterprise connecting over two billion people.
As the use of internet and networked computers grows, and new technologies such as cloud computing enable even greater technological advances, the occurrence of cybercrime is expected to grow as cybercriminals seek to exploit online and networked vulnerabilities in business networks. Cybercrime costs the global economy about $445 billion every year, with the damage to business from theft of intellectual property exceeding the $160 billion loss to individuals.
Cybercrime is becoming a growing and significant concern for small business. In its 2014 Year-End Economic Report, the National Small Business Association also known as NSBA found that “half of all small businesses report they have been the victim of a cyber attack – up from 44 percent just two years ago. Among those who were targeted, 68 percent reported being a cybervictim more than just once.
Despite the rise in cybercrime among small businesses, many small business remain susceptible to cyber attacks due to lack of resources and surprisingly, a lack of knowledge of the threat. The NSBA found that despite the increasing threats posed by cyberattacks, an astounding one in four small business owners have little to no understanding of the issue whatsoever. Dr. Jane LeClair, the Chief Operating Officer of the National Cybersecurity Institute noted in testimony to the House Committee on Small Business that “Small to medium-sized businesses, also known as SMBs are challenged both by the ability and the desire to secure themselves against cyberthreats which makes them uniquely vulnerable to cyber attacks. Fifty percent of SMBs have been the victims of cyber attack and over 60 percent of those attacked go out of business. Often SMB’s do not even know they have been attacked until it is too late.”
More than ever, sensitive data, intellectual property and personal information of small and medium sized firms are targeted by an ever increasing and sophisticated community of cybercriminals. Symantec found that in the last five years, a steady increase in cyber attacks targeting businesses with less than 250 employees had been observed, with 43 percent of all attacks targeted at small businesses in 2015, proving that companies of all sizes are at risk.
Small business is an increasingly attractive target for cybercrime. By themselves, individual small businesses may not appear to present an overly attractive target. However, collectively small businesses are a very lucrative target set due to the collective economic impact of small business. According to the Small Business Administration (SBA), small businesses make up 99.7 percent of U.S. employer firms; 63 percent of net new private-sector jobs; 48.5 percent of private-sector employment; 42 percent of private-sector payroll; and 46 percent of private-sector output.
In addition, small business attacks are increasing because they present cybercriminals with an easy way to gain access to customer credit card records and bank accounts, supplier networks and employee financial and personal data. Smaller companies tend to have weaker online security. They’re also doing more business than ever online via cloud services that perhaps don’t use strong encryption technology. SMB’s have resource constraints and often ignore cybersecurity in favor of day-to-day operations or other financial needs. Yet SMB’s remain a gateway to gain access to clients, business partners, donors, and contractors working with the SMB . . . a backdoor into many large organizations. To a hacker, that translates into reams of sensitive data behind a door with an easy lock to pick. If a small business has any Fortune 500 companies as customers, they are an even more enticing target—they are an entry point. This is an increasingly common type a cyberattack knows as a secondary attack.
Small businesses are particularly vulnerable to email attacks closely mimicking those of banks or other trusted institutions and citing an urgent need to login to an account or provide some other vital information, since multiple employees could have access to vital information. Further, business accounts do not enjoy the same level of protections and guarantees against loss and theft as those provided to consumers—a reality that many small-business owners do not discover until it’s too late. Consumers are protected by Regulation E, which dramatically limits their liability in a cyber-heist. Commercial accounts, however, are covered by the Uniform Commercial Code (UCC). The UCC does not hold banks liable for unauthorized payments so long as “the security procedure is a commercially reasonable method of providing security . . .” Few small businesses that are the victims of theft from their bank accounts ever recover those funds.
The cost of cybercrime to a small business can be devastating. In 2013, cyberattacks cost small businesses on average, $8,699 per attack. Today, that number has skyrocketed to $20,752 per attack. For those firms whose business banking accounts were hacked, the average losses were $19,948 today – up significantly from $6,927 in 2013. This huge jump in cost is likely due to the increased sophistication in phishing and hacking schemes as well as an improved economy that finds greater funds available in many small firms’ bank accounts than was there just two years ago.”
It is clear that small businesses need to be better informed on the impact cyberattacks can have on their businesses and be better prepared to meet the increasing cyberthreat.