Small businesses are the backbone of the U.S. economy, as the saying goes. Yet the owners of these businesses often don’t consider themselves potential targets of cybercrime.
Increasingly, however, they are.
According to Symantec, a cybersecurity software and services provider, 43 percent of the cybercrimes against companies were aimed at small businesses in 2015. That’s up from 18 percent in 2011.
And the number is likely even higher.
“My concern is that people see cyberattacks as a cost of doing business, and they are not reporting these crimes,” said Michael Anaya, supervisory special agent for the FBI’s cybercrimes unit in Atlanta. “This is very troubling.”
That reluctance may be linked, in part, to fears that publicizing such reports could lead to the loss of business and litigation against the affected firms, said Mark Lupo, area director of the UGA’s Small Business Development Center.
While larger firms have resources to deal with ensuing legal challenges and to make improvements to cybersecurity infrastructure, small businesses may not have such resources at their disposal.
This leaves the businesses, their clients and the institutions they do business with vulnerable to cyberattacks.
“An attacker casts a very wide net, and it’s a question where it sticks,” said Humayun Zafar, cybersecurity expert at Kennesaw State University.
The fastest-growing form of cyberattack is via email, according to the FBI’s Crime Complaint Center. Typically, a criminal poses as an executive from a legitimate company and contacts another company that it does business with. The impostor then demands quick processing of a transaction, pressuring that company’s employees to act quickly so that they process a payment or give out more information than they should without verifying the email.
In most of these crimes, business owners may be unaware of hackers who intrude into a company’s system and linger undetected for a number of days or weeks, monitoring modes of communication in order to mimic company communications.
Zafar said companies — whether small, medium or large — should institute two-step authentication for invoicing and work to increase employee awareness.
“It’s not just the technical solution we are looking at. We have to look at the behavioral solution to give it more of a holistic solution,” said Zafar.
Although there is no data showing the number of businesses forced to close due to the attacks, the loss of critical information can be devastating to small businesses.
While banks are able to return money to consumers whose accounts have been compromised, the process is harder for businesses, said Andrew Green, who is also a cybersecurity expert at Kennesaw State University. Businesses are governed by a different set of regulations, which require the organization to show that it took the proper steps to protect access to its accounts.
“Getting that money back is not necessarily a slam dunk,” said Green.
Green said small businesses must add cybersecurity infrastructure to their networks and follow best practices to protect their businesses.
“There is a cost of doing business. … If you decide that you want to engage in selling whatever you are selling, there is a hard cost of doing so,” he said.